Windows Analysis Report
I3FtIOCni3.dll

Overview

General Information

Sample name: I3FtIOCni3.dll (renamed because the original name is a hash value)
Original sample name: c3e91ea457a6aac1ace5ace1a1e07c6b3a1d87b0.dll
Analysis ID: 1578340
MD5: 54429e9f729a0b1121df0392f9510b19
SHA1: c3e91ea457a6aac1ace5ace1a1e07c6b3a1d87b0
SHA256: 7c5a5394a4c23a5730742e589d6b4e1ee733e22b3b92a717c573c07f3e6d3e37
Tags: dll, user-NDA0E

Detection

GhostRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected GhostRat
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7588 cmdline: loaddll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7888 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7932 cmdline: rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7952 cmdline: rundll32.exe C:\Users\user\Desktop\I3FtIOCni3.dll,EndWork MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2892 cmdline: rundll32.exe C:\Users\user\Desktop\I3FtIOCni3.dll,Runing MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1268 cmdline: rundll32.exe C:\Users\user\Desktop\I3FtIOCni3.dll,ServiceMain MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 1076 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 708 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 4008 cmdline: rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",EndWork MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5620 cmdline: rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",Runing MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4536 cmdline: rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",ServiceMain MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 6164 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 736 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 1812 cmdline: rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",Working MD5: 889B99C52A60DD49227C5E485A016679)
  • svchost.exe (PID: 8092 cmdline: C:\Windows\SysWOW64\svchost.exe -k imgsvc MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • svchost.exe (PID: 8136 cmdline: C:\Windows\SysWOW64\svchost.exe -k imgsvc MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • svchost.exe (PID: 8184 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 916 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1268 -ip 1268 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6860 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4536 -ip 4536 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 6184 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Configuration

GhostRat: {"C2 url": "www.3322.org"}

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
dump.pcap | gh0st | unknown | https://github.com/jackcr/
Source | Rule | Description | Author | Strings
00000007.00000003.1475834964.00000000034D0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000007.00000003.1475834964.00000000034D0000.00000004.00001000.00020000.00000000.sdmp | gh0st | unknown | https://github.com/jackcr/
  • 0x0:$a: 47 68 30 73 74 C8 00 00 00 4C 01 00 00 78 9C

System Summary

Source: Process started | Author: vburov | Data: Command: C:\Windows\SysWOW64\svchost.exe -k imgsvc, CommandLine: C:\Windows\SysWOW64\svchost.exe -k imgsvc, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe -k imgsvc, ProcessId: 8092, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-19T15:44:04.655226+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49705 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:15.445150+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49711 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:25.905795+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49716 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:36.388107+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49721 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:45.584804+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49726 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:52.196651+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49728 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:57.003296+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49730 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:00.650936+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49731 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:03.521798+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49732 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:05.535255+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49733 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:07.500120+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49734 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:08.550324+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49735 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:09.374412+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49736 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:10.416958+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49737 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:10.912324+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49738 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:11.376595+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49739 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:52.201020+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49741 | 118.184.169.48 | 80 | TCP
2024-12-19T15:46:44.638463+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49742 | 118.184.169.48 | 80 | TCP
2024-12-19T15:47:36.876470+0100 | 2016922 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49743 | 118.184.169.48 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-19T15:44:04.655226+0100 | 2013214 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49705 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:15.445150+0100 | 2013214 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49711 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:25.905795+0100 | 2013214 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49716 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:36.388107+0100 | 2013214 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49721 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:45.584804+0100 | 2013214 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49726 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:52.196651+0100 | 2013214 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49728 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:57.003296+0100 | 2013214 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49730 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:00.650936+0100 | 2013214 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49731 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:03.521798+0100 | 2013214 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49732 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:05.535255+0100 | 2013214 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49733 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:07.500120+0100 | 2013214 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49734 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:08.550324+0100 | 2013214 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49735 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:09.374412+0100 | 2013214 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49736 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:10.416958+0100 | 2013214 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49737 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:10.912324+0100 | 2013214 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49738 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:11.376595+0100 | 2013214 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49739 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:52.201020+0100 | 2013214 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49741 | 118.184.169.48 | 80 | TCP
2024-12-19T15:46:44.638463+0100 | 2013214 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49742 | 118.184.169.48 | 80 | TCP
2024-12-19T15:47:36.876470+0100 | 2013214 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49743 | 118.184.169.48 | 80 | TCP

AV Detection

Source: I3FtIOCni3.dll | Avira: detected
Source: C:\Program Files (x86)\Flbi\Pfwnulduj.jpg | Avira: detection malicious, Label: BDS/Farfli.kj.2
Source: I3FtIOCni3.dll | Malware Configuration Extractor: GhostRat {"C2 url": "www.3322.org"}
Source: I3FtIOCni3.dll | ReversingLabs: Detection: 86%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Program Files (x86)\Flbi\Pfwnulduj.jpg | Joe Sandbox ML: detected
Source: I3FtIOCni3.dll | Joe Sandbox ML: detected
Source: I3FtIOCni3.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_10004C40 lstrlenA,FindFirstFileA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,??2@YAPAXI@Z,??3@YAXPAX@Z,FindNextFileA,FindClose, | 9_2_10004C40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_100045E0 LoadLibraryA,GetProcAddress,FindFirstFileA,DeleteFileA,DeleteFileA,FindNextFileA,FindClose, | 9_2_100045E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_10007250 sprintf,sprintf,FindFirstFileA,FindNextFileA,_stricmp,_stricmp,_stricmp,sprintf,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,sprintf,FreeLibrary,FindNextFileA,FindClose, | 9_2_10007250
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_10004F30 FindFirstFileA,FindClose,FindClose, | 9_2_10004F30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_100043D0 putchar,putchar,LocalAlloc,sprintf,putchar,FindFirstFileA,putchar,Sleep,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose, | 9_2_100043D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_10004FF0 LoadLibraryA,GetProcAddress,FindFirstFileA,FindClose,CloseHandle, | 9_2_10004FF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_100041E0 GetLogicalDriveStringsA,LoadLibraryA,GetProcAddress,GetVolumeInformationA,lstrlenA,lstrlenA,lstrlenA,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlenA,FreeLibrary, | 9_2_100041E0

Networking

Source: Network traffic | Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.10:49721 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.10:49721 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.10:49728 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.10:49728 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.10:49730 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.10:49730 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.10:49731 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.10:49731 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.10:49737 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.10:49737 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.10:49705 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.10:49732 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.10:49732 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.10:49705 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.10:49716 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.10:49716 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.10:49734 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.10:49734 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.10:49733 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.10:49733 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.10:49738 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.10:49738 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.10:49726 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.10:49711 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.10:49711 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.10:49735 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.10:49735 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.10:49726 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.10:49743 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.10:49743 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.10:49736 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.10:49736 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.10:49742 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.10:49742 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.10:49741 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.10:49741 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.10:49739 -> 118.184.169.48:80
Source: Network traffic | Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.10:49739 -> 118.184.169.48:80
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 118.184.169.48 80
Source: Malware configuration extractor | URLs: www.3322.org
Source: unknown | DNS query: name: www.3322.org
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: www.3322.org
Source: svchost.exe, 0000000D.00000003.1873390801.0000023D44B6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3694833369.0000023D44B3A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3694799122.0000023D44B37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3695050591.0000023D44B41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1697589254.0000023D44B6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3695166192.0000023D44B45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698318776.0000023D44B70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698733402.0000023D44B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/STS
Source: svchost.exe, 0000000D.00000003.1697589254.0000023D44B6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
Source: svchost.exe, 0000000D.00000002.3700833798.0000023D45066000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1669762707.0000023D44B0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1755513886.0000023D44B2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698733402.0000023D44B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb
Source: svchost.exe, 0000000D.00000002.3700667672.0000023D45000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3700788115.0000023D45031000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb:pp
Source: svchost.exe, 0000000D.00000002.3700788115.0000023D45031000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb_
Source: svchost.exe, 0000000D.00000002.3700002870.0000023D442CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.13.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: svchost.exe, 0000000D.00000003.1873390801.0000023D44B6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698706794.0000023D44B6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2
Source: svchost.exe, 0000000D.00000003.1873390801.0000023D44B6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698706794.0000023D44B6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-
Source: svchost.exe, 0000000D.00000003.3698760243.0000023D44B7B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1789776947.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1638776567.0000023D44B0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1873267673.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1873185539.0000023D44B07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1547031779.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1638892871.0000023D44B0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1638154229.0000023D44B10000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1789833053.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1637997234.0000023D44B10000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1697944471.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1697781731.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1697564439.0000023D44B07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1729259348.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1639924477.0000023D44B0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698596714.0000023D44B7A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1816595750.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1873363459.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1638975790.0000023D44B0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3697602824.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 0000000D.00000003.1698063178.0000023D44B78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd=
Source: svchost.exe, 0000000D.00000003.1697733194.0000023D44B76000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1697589254.0000023D44B6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1698063178.0000023D44B78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAA
Source: svchost.exe, 0000000D.00000003.1697733194.0000023D44B76000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1697589254.0000023D44B6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAA
Source: svchost.exe, 0000000D.00000003.1669458628.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAA
Source: svchost.exe, 0000000D.00000003.1697733194.0000023D44B76000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1697589254.0000023D44B6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1698063178.0000023D44B78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdTctR
Source: svchost.exe, 0000000D.00000003.1873390801.0000023D44B6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698318776.0000023D44B70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698733402.0000023D44B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdp
Source: svchost.exe, 0000000D.00000003.1873390801.0000023D44B6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698706794.0000023D44B6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1816637721.0000023D44B78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds
      Source: svchost.exe, 0000000D.00000002.3699889683.0000023D442C7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1873185539.0000023D44B07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1547031779.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1638892871.0000023D44B0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1638154229.0000023D44B10000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1789833053.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1637997234.0000023D44B10000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1697944471.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698706794.0000023D44B6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1697781731.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1697564439.0000023D44B07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1729259348.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1639924477.0000023D44B0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3693879622.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698596714.0000023D44B7A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1816595750.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1873363459.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1638975790.0000023D44B0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3697602824.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 
0000000D.00000003.1755603066.0000023D44B84000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1873324620.0000023D44B78000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
      Source: svchost.exe, 0000000D.00000003.1669458628.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1697733194.0000023D44B76000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1697589254.0000023D44B6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1698063178.0000023D44B78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA
      Source: svchost.exe, 0000000D.00000003.1669458628.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1697733194.0000023D44B76000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1697589254.0000023D44B6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1698063178.0000023D44B78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA
      Source: svchost.exe, 0000000D.00000003.1790032896.0000023D44B6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdh
      Source: svchost.exe, 0000000D.00000003.1547172168.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdmlns:
      Source: svchost.exe, 0000000D.00000002.3701418898.0000023D450B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://passport.net/tb
      Source: svchost.exe, 0000000D.00000003.1638776567.0000023D44B0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1638892871.0000023D44B0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1638154229.0000023D44B10000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1637997234.0000023D44B10000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1638975790.0000023D44B0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1638204147.0000023D44B10000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1638828557.0000023D44B0E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
      Source: svchost.exe, 0000000D.00000003.3693982296.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698652540.0000023D44B65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/=
      Source: svchost.exe, 0000000D.00000003.3694028145.0000023D44B4C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698533225.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
      Source: svchost.exe, 0000000D.00000003.1873390801.0000023D44B6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3697662365.0000023D44B19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1729259348.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1790032896.0000023D44B6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3700788115.0000023D45031000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1755462361.0000023D44B5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3697216546.0000023D44B18000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698318776.0000023D44B70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1729220575.0000023D44B07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698733402.0000023D44B72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
      Source: svchost.exe, 0000000D.00000003.1873390801.0000023D44B6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698706794.0000023D44B6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1790032896.0000023D44B6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1697589254.0000023D44B6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy=80600
      Source: svchost.exe, 0000000D.00000003.3693982296.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698652540.0000023D44B65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policyc
      Source: svchost.exe, 0000000D.00000003.3697662365.0000023D44B19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3700788115.0000023D45031000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3697216546.0000023D44B18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
      Source: svchost.exe, 0000000D.00000003.3693982296.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698652540.0000023D44B65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scom
      Source: svchost.exe, 0000000D.00000003.3693982296.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1697897217.0000023D44B5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3697662365.0000023D44B19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698652540.0000023D44B65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1755603066.0000023D44B84000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3700788115.0000023D45031000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3697216546.0000023D44B18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
      Source: svchost.exe, 0000000D.00000002.3700833798.0000023D45066000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1669762707.0000023D44B0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1755513886.0000023D44B2A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
      Source: svchost.exe, 0000000D.00000003.1697589254.0000023D44B6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuels
      Source: svchost.exe, 0000000D.00000003.1873390801.0000023D44B6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698706794.0000023D44B6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issueue
      Source: svchost.exe, 0000000D.00000003.1697897217.0000023D44B5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3700002870.0000023D442CB000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1790032896.0000023D44B6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1697589254.0000023D44B6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
      Source: svchost.exe, 0000000D.00000003.1873390801.0000023D44B6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698706794.0000023D44B6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1790032896.0000023D44B6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1697589254.0000023D44B6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
      Source: Amcache.hve.12.dr | String found in binary or memory: http://upx.sf.net
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1502447379.0000023D44B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500939690.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
      Source: svchost.exe, 0000000D.00000003.1502447379.0000023D44B56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/i
      Source: svchost.exe, 0000000D.00000003.1500744030.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
      Source: svchost.exe, 0000000D.00000003.1502447379.0000023D44B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500939690.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3700445906.0000023D4430B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698797899.0000023D44309000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
      Source: svchost.exe, 0000000D.00000003.1500939690.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
      Source: svchost.exe, 0000000D.00000003.1502447379.0000023D44B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500939690.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
      Source: svchost.exe, 0000000D.00000003.1502447379.0000023D44B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500939690.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
      Source: svchost.exe, 0000000D.00000003.1501637248.0000023D44B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501766032.0000023D44B40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500939690.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3700445906.0000023D4430B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698797899.0000023D44309000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501695761.0000023D44B57000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/msangcwam
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/msangcwamvice
      Source: svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ApproveSession.srf
      Source: svchost.exe, 0000000D.00000003.1501637248.0000023D44B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501766032.0000023D44B40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ApproveSession.srf.srf
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ApproveSession.srf=
      Source: svchost.exe, 0000000D.00000003.1502447379.0000023D44B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500939690.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
      Source: svchost.exe, 0000000D.00000003.1502447379.0000023D44B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500939690.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501917039.0000023D44B6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501917039.0000023D44B6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501917039.0000023D44B6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501637248.0000023D44B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501766032.0000023D44B40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ListSessions.srf
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ManageAp
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ManageApcfg:
      Source: svchost.exe, 0000000D.00000003.1501637248.0000023D44B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501766032.0000023D44B40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ManageApprover.srf
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ManageApprover.srf=
      Source: svchost.exe, 0000000D.00000003.1501637248.0000023D44B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501766032.0000023D44B40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
      Source: svchost.exe, 0000000D.00000003.1501637248.0000023D44B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501766032.0000023D44B40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3700788115.0000023D45031000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/RST2.srf
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501637248.0000023D44B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501766032.0000023D44B40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/didtou.srf
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501637248.0000023D44B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501766032.0000023D44B40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/getrealminfo.srf
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501637248.0000023D44B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501766032.0000023D44B40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/getuserrealm.srf
      Source: svchost.exe, 0000000D.00000002.3700445906.0000023D4430B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698797899.0000023D44309000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppre/Inlin
      Source: svchost.exe, 0000000D.00000003.1502447379.0000023D44B56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsec
      Source: svchost.exe, 0000000D.00000002.3700445906.0000023D4430B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698797899.0000023D44309000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecu
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501917039.0000023D44B6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500854339.0000023D44B10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
      Source: svchost.exe, 0000000D.00000003.1501917039.0000023D44B6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf0
      Source: svchost.exe, 0000000D.00000003.1502037860.0000023D44B27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srff
      Source: svchost.exe, 0000000D.00000003.1501637248.0000023D44B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501766032.0000023D44B40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
      Source: svchost.exe, 0000000D.00000003.1501917039.0000023D44B6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1502037860.0000023D44B27000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srfD
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501917039.0000023D44B6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
      Source: svchost.exe, 0000000D.00000003.1502037860.0000023D44B27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srfX
      Source: svchost.exe, 0000000D.00000003.1501637248.0000023D44B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501766032.0000023D44B40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501917039.0000023D44B6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501917039.0000023D44B6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
      Source: svchost.exe, 0000000D.00000002.3700002870.0000023D442CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf?stsft=-DhF
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1502447379.0000023D44B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500939690.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1502447379.0000023D44B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500939690.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1502447379.0000023D44B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1502447379.0000023D44B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500939690.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501917039.0000023D44B6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3700833798.0000023D45058000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
      Source: svchost.exe, 0000000D.00000003.1500744030.0000023D44B2C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
      Source: svchost.exe, 0000000D.00000002.3700445906.0000023D4430B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698797899.0000023D44309000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLo
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1502447379.0000023D44B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500939690.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
      Source: svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806014
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1502447379.0000023D44B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500939690.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
      Source: svchost.exe, 0000000D.00000003.1500744030.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1502447379.0000023D44B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500939690.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1502447379.0000023D44B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500939690.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500939690.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500939690.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501695761.0000023D44B57000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
      Source: svchost.exe, 0000000D.00000003.1502447379.0000023D44B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500939690.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500887916.0000023D44B5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1502447379.0000023D44B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500939690.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B29000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
      Source: svchost.exe, 0000000D.00000003.1501637248.0000023D44B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501766032.0000023D44B40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
      Source: svchost.exe, 0000000D.00000003.1501637248.0000023D44B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501766032.0000023D44B40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf%D=
      Source: svchost.exe, 0000000D.00000002.3701922919.0000023D450EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf3
      Source: svchost.exe, 0000000D.00000003.1500854339.0000023D44B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srfc
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501637248.0000023D44B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501766032.0000023D44B40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/resetpw.srf
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501637248.0000023D44B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501766032.0000023D44B40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/retention.srf
      Source: svchost.exe, 0000000D.00000003.1697897217.0000023D44B5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3701418898.0000023D450B7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3700002870.0000023D442CB000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3700788115.0000023D45031000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/RST2.srf
      Source: svchost.exe, 0000000D.00000002.3701418898.0000023D450B7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/RST2.srfdeviceaddcredential.srf
      Source: svchost.exe, 0000000D.00000002.3701418898.0000023D450B7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/RST2.srfo
      Source: svchost.exe, 0000000D.00000003.1501637248.0000023D44B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501766032.0000023D44B40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
      Source: svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/MSARST2.srf=
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
      Source: svchost.exe, 0000000D.00000003.1500854339.0000023D44B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf:CLSID
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf=
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
      Source: svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srfSt
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500854339.0000023D44B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
      Source: svchost.exe, 0000000D.00000003.1502037860.0000023D44B27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srfMM
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srfToken
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500854339.0000023D44B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
      Source: svchost.exe, 0000000D.00000003.1500854339.0000023D44B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfRE
      Source: svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500939690.0000023D44B55000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501637248.0000023D44B3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501766032.0000023D44B40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://signup.live.com/signup.aspx

      System Summary

      Source: dump.pcap, type: PCAP | Matched rule: gh0st Author: https://github.com/jackcr/
      Source: 00000007.00000003.1475834964.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: gh0st Author: https://github.com/jackcr/
      Source: C:\Windows\SysWOW64\svchost.exe | Process Stats: CPU usage > 49%
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1000F03E
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1000F910
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1000E1D0
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_100109F0
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_10011640
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1000E670
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_10012680
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1000F28D
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1000D330
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_10010F70
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_10002BC0
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10012DA0 appears 39 times
      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1268 -ip 1268
      Source: I3FtIOCni3.dll | Binary or memory string: OriginalFilenameHWSignature.dll vs I3FtIOCni3.dll
      Source: I3FtIOCni3.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
      Source: dump.pcap, type: PCAP | Matched rule: gh0st author = https://github.com/jackcr/
      Source: 00000007.00000003.1475834964.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: gh0st author = https://github.com/jackcr/
      Source: classification engine | Classification label: mal100.troj.evad.winDLL@34/18@3/1
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1000B920 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_100041E0 GetLogicalDriveStringsA,LoadLibraryA,GetProcAddress,GetVolumeInformationA,lstrlenA,lstrlenA,lstrlenA,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlenA,FreeLibrary
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1000B790 OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,UnlockServiceDatabase
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_100066B0 putchar,putchar,putchar,CreateToolhelp32Snapshot,putchar,putchar,Process32First,putchar,lstrcmpiA,lstrcmpiA,putchar,Process32Next,lstrcmpiA,putchar,CloseHandle,putchar
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1000B790 OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,UnlockServiceDatabase
      Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Program Files (x86)\Flbi
      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:916:64:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:6860:64:WilError_03
      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1268
      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4536
      Source: C:\Windows\System32\svchost.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\59834039-ef76-412c-bf5e-fe9cfabd5d20
      Source: I3FtIOCni3.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",#1
      Source: I3FtIOCni3.dll | ReversingLabs: Detection: 86%
      Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll"
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",#1
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",#1
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\I3FtIOCni3.dll,EndWork
      Source: unknown | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe -k imgsvc
      Source: unknown | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe -k imgsvc
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\I3FtIOCni3.dll,Runing
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\I3FtIOCni3.dll,ServiceMain
      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1268 -ip 1268
      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 708
      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",EndWork
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",Runing
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",ServiceMain
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",Working
      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4536 -ip 4536
      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 736
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",#1
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\I3FtIOCni3.dll,EndWork
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\I3FtIOCni3.dll,Runing
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\I3FtIOCni3.dll,ServiceMain
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",EndWork
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",Runing
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",ServiceMain
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",Working
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",#1
      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1268 -ip 1268
      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 708
      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4536 -ip 4536
      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 736
      Source: C:\Windows\SysWOW64\WerFault.exe | Process created: unknown unknown
      Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
      Source: C:\Windows\System32\loaddll32.exe | Section loaded: msvcp60.dll
      Source: C:\Windows\System32\loaddll32.exe | Section loaded: avicap32.dll
      Source: C:\Windows\System32\loaddll32.exe | Section loaded: msvfw32.dll
      Source: C:\Windows\System32\loaddll32.exe | Section loaded: winmm.dll
      Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: msvcp60.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: avicap32.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: msvfw32.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: winmm.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mswsock.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: napinsp.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: pnrpnsp.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wshbth.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: nlaapi.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: winrnr.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: fwpuclnt.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wersvc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: windowsperformancerecordercontrol.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: weretw.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: faultrep.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dbghelp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dbgcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wlidsvc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: clipc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msxml6.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wtsapi32.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: winsta.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: gamestreamingext.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msauserext.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: tbs.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptnet.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptngc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptprov.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: elscore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: elstrans.dll
      Source: I3FtIOCni3.dll | Static file information: File size 5636643 > 1048576
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1000C5F0 LoadLibraryA,GetProcAddress,putchar,_fputchar,GetModuleFileNameA,putchar,ExpandEnvironmentStringsA,_stricmp,RegOpenKeyExA,??2@YAPAXI@Z,SetEvent,GetTickCount,srand,DeleteFileA,SetFileAttributesA,CopyFileA,9_2_1000C5F0
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_10012A80 push eax; ret 9_2_10012AAE
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_008ED082 pushad ; retf 16_2_008ED0E5
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_008EAC29 push edx; ret 16_2_008EAC2A
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_008EAC49 push edx; iretd 16_2_008EAC4A
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 16_2_008EAC69 push edx; retf 16_2_008EAC6A
      Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Program Files (x86)\Flbi\Pfwnulduj.jpg
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1000B8E0 OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,9_2_1000B8E0
      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1000AB00
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1000B310
      Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Flbi\Pfwnulduj.jpg
      Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetLocalTime,DecisionNodes (graph_9-5204)
      Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 6.0 %
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1000B310
      Source: C:\Windows\System32\svchost.exe TID: 6508 | Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_10004C40 lstrlenA,FindFirstFileA,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,??2@YAPAXI@Z,??3@YAXPAX@Z,FindNextFileA,FindClose,9_2_10004C40
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_100045E0 LoadLibraryA,GetProcAddress,FindFirstFileA,DeleteFileA,DeleteFileA,FindNextFileA,FindClose,9_2_100045E0
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_10007250 sprintf,sprintf,FindFirstFileA,FindNextFileA,_stricmp,_stricmp,_stricmp,sprintf,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,sprintf,FreeLibrary,FindNextFileA,FindClose,9_2_10007250
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_10004F30 FindFirstFileA,FindClose,FindClose,9_2_10004F30
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_100043D0 putchar,putchar,LocalAlloc,sprintf,putchar,FindFirstFileA,putchar,Sleep,LocalReAlloc,lstrlenA,FindNextFileA,LocalFree,FindClose,9_2_100043D0
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_10004FF0 LoadLibraryA,GetProcAddress,FindFirstFileA,FindClose,CloseHandle,9_2_10004FF0
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_100041E0 GetLogicalDriveStringsA,LoadLibraryA,GetProcAddress,GetVolumeInformationA,lstrlenA,lstrlenA,lstrlenA,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlenA,FreeLibrary,9_2_100041E0
      Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
      Source: Amcache.hve.12.dr | Binary or memory string: VMware
      Source: svchost.exe, 0000000D.00000002.3701922919.0000023D450EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UAC7aIYlgfoguj6G3dYIc0TqeMuHgiHXuBtrZtaZTHfi10TNTFNrFBfPe7UfFOsKdunpmluO2+imXJGUxZUqm32LlKcLbfc5rpywzqSR5WjPzYAaIvqu5Y6Cl/s6m189MEW9Cfwv/sHbeGvpvBQd4FmmDNd/U/LCP3PESluzBb/2sjR8HW4AKC3/s9AXPzN4McOZ5fwMZGOooYEJzer774dKQ2H17p9yW2hC7Tb780YOYks0kUwQveWMKgyyh7H3c9yqPKDlnJKShDsL3Wr3hRnuI3MgyHRzzPjHQBXtmc97y3UmjLXne8cyXTgRBTiIyGxDjGekk3vHNcqENxvuxg==
      Source: Amcache.hve.12.dr | Binary or memory string: VMware Virtual USB Mouse
      Source: Amcache.hve.12.dr | Binary or memory string: vmci.syshbin
      Source: Amcache.hve.12.dr | Binary or memory string: VMware, Inc.
      Source: svchost.exe, 0000000D.00000002.3702188009.0000023D45129000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></SignatureMethod><Reference URI="#RST0"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod><DigestValue>x1dexvML1H2TSmybLErItf/TxHV7Bw/h2oLBn0bfBSM=</DigestValue></Reference><Reference URI="#PPAuthInfo"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod><DigestValue>Tx8BpSjzGPEQowbwxPPI0O4KyVczc0uuwai0Yce34gE=</DigestValue></Reference><Reference URI="#Timestamp"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod><DigestValue>34t7tQx5YBE02au8eSZAR45Oy+GQvsASz3o2iHCDd94=</DigestValue></Reference></SignedInfo><SignatureValue>UAC7aIYlgfoguj6G3dYIc0TqeMuHgiHXuBtrZtaZTHfi10TNTFNrFBfPe7UfFOsKdunpmluO2+imXJGUxZUqm32LlKcLbfc5rpywzqSR5WjPzYAaIvqu5Y6Cl/s6m189MEW9Cfwv/sHbeGvpvBQd4FmmDNd/U/LCP3PESluzBb/2sjR8HW4AKC3/s9AXPzN4McOZ5fwMZGOooYEJzer774dKQ2H17p9yW2hC7Tb780YOYks0kUwQveWMKgyyh7H3c9yqPKDlnJKShDsL3Wr3hRnuI3MgyHRzzPjHQBXtmc97y3UmjLXne8cyXTgRBTiIyGxDjGekk3vHNcqENxvuxg==</SignatureValue></Signature>
      Source: Amcache.hve.12.dr | Binary or memory string: VMware20,1hbin@
      Source: Amcache.hve.12.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
      Source: Amcache.hve.12.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Amcache.hve.12.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
      Source: svchost.exe, 0000000D.00000003.1728533085.0000023D442B0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3699611365.0000023D442B0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3699518503.0000023D4422B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: Amcache.hve.12.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Amcache.hve.12.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
      Source: Amcache.hve.12.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
      Source: Amcache.hve.12.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Amcache.hve.12.dr | Binary or memory string: vmci.sys
      Source: Amcache.hve.12.dr | Binary or memory string: vmci.syshbin`
      Source: Amcache.hve.12.dr | Binary or memory string: \driver\vmci,\driver\pci
      Source: Amcache.hve.12.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Amcache.hve.12.dr | Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
      Source: Amcache.hve.12.dr | Binary or memory string: VMware20,1
      Source: Amcache.hve.12.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
      Source: Amcache.hve.12.dr | Binary or memory string: NECVMWar VMware SATA CD00
      Source: Amcache.hve.12.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
      Source: svchost.exe, 0000000D.00000002.3702188009.0000023D45129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1798767631.0000023D450DD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <wsu:Timestamp wsu:Id="Timestamp"><wsu:Created>2024-12-19T14:44:38Z</wsu:Created><wsu:Expires>2024-12-19T14:49:38Z</wsu:Expires></wsu:Timestamp><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></SignatureMethod><Reference URI="#RST0"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod><DigestValue>x1dexvML1H2TSmybLErItf/TxHV7Bw/h2oLBn0bfBSM=</DigestValue></Reference><Reference URI="#PPAuthInfo"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod><DigestValue>Tx8BpSjzGPEQowbwxPPI0O4KyVczc0uuwai0Yce34gE=</DigestValue></Reference><Reference URI="#Timestamp"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod><DigestValue>34t7tQx5YBE02au8eSZAR45Oy+GQvsASz3o2iHCDd94=</DigestValue></Reference></SignedInfo><SignatureValue>UAC7aIYlgfoguj6G3dYIc0TqeMuHgiHXuBtrZtaZTHfi10TNTFNrFBfPe7UfFOsKdunpmluO2+imXJGUxZUqm32LlKcLbfc5rpywzqSR5WjPzYAaIvqu5Y6Cl/s6m189MEW9Cfwv/sHbeGvpvBQd4FmmDNd/U/LCP3PESluzBb/2sjR8HW4AKC3/s9AXPzN4McOZ5fwMZGOooYEJzer774dKQ2H17p9yW2hC7Tb780YOYks0kUwQveWMKgyyh7H3c9yqPKDlnJKShDsL3Wr3hRnuI3MgyHRzzPjHQBXtmc97y3UmjLXne8cyXTgRBTiIyGxDjGekk3vHNcqENxvuxg==</SignatureValue></Signature>
      Source: Amcache.hve.12.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
      Source: Amcache.hve.12.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
      Source: Amcache.hve.12.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
      Source: Amcache.hve.12.dr | Binary or memory string: VMware PCI VMCI Bus Device
      Source: Amcache.hve.12.dr | Binary or memory string: VMware VMCI Bus Device
      Source: Amcache.hve.12.dr | Binary or memory string: VMware Virtual RAM
      Source: Amcache.hve.12.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
      Source: Amcache.hve.12.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
      Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
      Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1000C5F0 LoadLibraryA,GetProcAddress,putchar,_fputchar,GetModuleFileNameA,putchar,ExpandEnvironmentStringsA,_stricmp,RegOpenKeyExA,??2@YAPAXI@Z,SetEvent,GetTickCount,srand,DeleteFileA,SetFileAttributesA,CopyFileA,9_2_1000C5F0
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_10003840 putchar,putchar,putchar,putchar,putchar,putchar,putchar,GetProcessHeap,HeapAlloc,putchar,Sleep,putchar,GetTickCount,putchar,putchar,putchar,9_2_10003840

      HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 118.184.169.48 80
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",#1
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1268 -ip 1268
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 708
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4536 -ip 4536
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 736
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_100029B0 GetLocalTime,rand,GetTickCount,rand,GetTickCount
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_1000AFA0 OpenEventA,Sleep,GetVersionExA,RegCreateKeyExA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,RegQueryValueExA,RegCloseKey,LoadLibraryA,GetProcAddress,GlobalMemoryStatus
Source: Amcache.hve.12.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr | Binary or memory string: MsMpEng.exe

      Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000007.00000003.1475834964.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

      Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000007.00000003.1475834964.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Service Execution (2) | Windows Service (2) | Access Token Manipulation (1) | Masquerading (11) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (2) | DLL Side-Loading (1) | Windows Service (2) | Virtualization/Sandbox Evasion (21) | LSASS Memory | Security Software Discovery (141) | Remote Desktop Protocol | Data from Removable Media | Non-Application Layer Protocol (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Process Injection (111) | Access Token Manipulation (1) | Security Account Manager | Virtualization/Sandbox Evasion (21) | SMB/Windows Admin Shares | Data from Network Shared Drive | Application Layer Protocol (21) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | DLL Side-Loading (1) | Process Injection (111) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | File and Directory Discovery (2) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (2) | Cached Domain Credentials | System Information Discovery (4) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Rundll32 (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph (ID: 1578340, sample: I3FtIOCni3.dll, start date: 19/12/2024, architecture: WINDOWS, score: 100)

DNS/IP nodes: www.3322.org; members.3322.net (118.184.169.48, ports 49705, 49711, 49716, CHINANET-JS-AS-AP, China); bg.microsoft.map.fastly.net
Process nodes: loaddll32.exe started cmd.exe, two rundll32.exe instances and 6 other processes; cmd.exe started rundll32.exe; the rundll32.exe instances started WerFault.exe; svchost.exe (two instances) started WerFault.exe twice; svchost.exe connected to members.3322.net
Dropped files: C:\Program Files (x86)\Flbi\Pfwnulduj.jpg (PE32); C:\...\Pfwnulduj.jpg:Zone.Identifier (ASCII)
Signatures shown on the graph: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures; Uses dynamic DNS services (www.3322.org); System process connects to network (likely due to code injection or exploit) (svchost.exe); Contains functionality to detect sleep reduction / modifications (rundll32.exe)

Source | Detection | Scanner | Label | Link
I3FtIOCni3.dll | 87% | ReversingLabs | Win32.Backdoor.Farfli |
I3FtIOCni3.dll | 100% | Avira | BDS/Farfli.kj.2 |
I3FtIOCni3.dll | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\Flbi\Pfwnulduj.jpg | 100% | Avira | BDS/Farfli.kj.2 |
C:\Program Files (x86)\Flbi\Pfwnulduj.jpg | 100% | Joe Sandbox ML | |

No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
members.3322.net | 118.184.169.48 | true | false | | high
www.3322.org | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
www.3322.org | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                                      high
                                                                                                                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdTctRsvchost.exe, 0000000D.00000003.1697733194.0000023D44B76000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1697589254.0000023D44B6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1698063178.0000023D44B78000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfsvchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://account.live.com/Wizard/Password/Change?id=80601svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1502447379.0000023D44B56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500939690.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1500744030.0000023D44B29000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/scsvchost.exe, 0000000D.00000003.3697662365.0000023D44B19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3700788115.0000023D45031000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3697216546.0000023D44B18000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://account.live.com/inlinesignup.aspx?iww=1&id=80601svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://account.live.com/inlinesignup.aspx?iww=1&id=80600svchost.exe, 0000000D.00000002.3699567261.0000023D44240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/scomsvchost.exe, 0000000D.00000003.3693982296.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698652540.0000023D44B65000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/soap/envelope/=svchost.exe, 0000000D.00000003.3693982296.0000023D44B63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698652540.0000023D44B65000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuesvchost.exe, 0000000D.00000003.1697897217.0000023D44B5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3700002870.0000023D442CB000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1790032896.0000023D44B6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1697589254.0000023D44B6E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://login.microsoftonline.com/ppsecure/DeviceUpdate.srfsvchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://Passport.NET/tb:ppsvchost.exe, 0000000D.00000002.3700667672.0000023D45000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3700788115.0000023D45031000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://account.live.com/inlinesignup.aspx?iww=1&id=80605svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfREsvchost.exe, 0000000D.00000003.1500854339.0000023D44B10000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://account.live.com/inlinesignup.aspx?iww=1&id=80603svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501559359.0000023D44B4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://account.live.com/inlinesignup.aspx?iww=1&id=80604svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1501822815.0000023D44B63000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdsvchost.exe, 0000000D.00000003.3698760243.0000023D44B7B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1789776947.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1638776567.0000023D44B0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1873267673.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1873185539.0000023D44B07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1547031779.0000023D44B52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3699611365.0000023D4425F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1638892871.0000023D44B0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1638154229.0000023D44B10000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1789833053.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1637997234.0000023D44B10000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1697944471.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1697781731.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1697564439.0000023D44B07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1729259348.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1639924477.0000023D44B0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3698596714.0000023D44B7A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 
0000000D.00000003.1816595750.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1873363459.0000023D44B09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.1638975790.0000023D44B0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.3697602824.0000023D44B09000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
Legend (share of contacted IPs per country):
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
118.184.169.48 | members.3322.net | China | 23650 | CHINANET-JS-AS-AP AS Number for CHINANET jiangsu province ba | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578340
Start date and time: 2024-12-19 15:42:52 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: I3FtIOCni3.dll (renamed because original name is a hash value)
Original Sample Name: c3e91ea457a6aac1ace5ace1a1e07c6b3a1d87b0.dll
Detection: MAL
Classification: mal100.troj.evad.winDLL@34/18@3/1
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 11
• Number of non-executed functions: 113
Cookbook Comments:
• Found application associated with file extension: .dll
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 40.126.53.19, 40.126.53.12, 20.190.181.0, 40.126.53.17, 20.231.128.66, 40.126.53.10, 20.190.181.4, 20.190.181.1, 199.232.214.172, 20.189.173.22, 20.109.210.53
• Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
• Execution Graph export aborted for target rundll32.exe, PID 4536 because there are no executed function
• Not all processes where analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: I3FtIOCni3.dll
Time | Type | Description
09:44:09 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
09:44:37 | API Interceptor | 273x Sleep call for process: svchost.exe modified
09:44:42 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                      118.184.169.48exe1.bin.bak.exeGet hashmaliciousBlackMoon, DoublePulsar, ETERNALBLUE, GhostRatBrowse
                                                                                                                                                      • 118.184.169.48/dyndns/getip
                                                                                                                                                      exe3.bin.bak.exeGet hashmaliciousBlackMoon, DoublePulsar, ETERNALBLUEBrowse
                                                                                                                                                      • 118.184.169.48/dyndns/getip
                                                                                                                                                      38iGnQnL33.exeGet hashmaliciousBlackMoon, DoublePulsar, ETERNALBLUE, GhostRatBrowse
                                                                                                                                                      • 118.184.169.48/dyndns/getip
                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                      members.3322.netexe1.bin.bak.exeGet hashmaliciousBlackMoon, DoublePulsar, ETERNALBLUE, GhostRatBrowse
                                                                                                                                                      • 118.184.169.48
                                                                                                                                                      exe3.bin.bak.exeGet hashmaliciousBlackMoon, DoublePulsar, ETERNALBLUEBrowse
                                                                                                                                                      • 118.184.169.48
                                                                                                                                                      38iGnQnL33.exeGet hashmaliciousBlackMoon, DoublePulsar, ETERNALBLUE, GhostRatBrowse
                                                                                                                                                      • 118.184.169.48
                                                                                                                                                      bg.microsoft.map.fastly.net26B1sczZ88.dllGet hashmaliciousVirutBrowse
                                                                                                                                                      • 199.232.210.172
                                                                                                                                                      UV0zBp62hW.dllGet hashmaliciousVirutBrowse
                                                                                                                                                      • 199.232.210.172
                                                                                                                                                      Gioia Faggioli-End Of Year-Bonus.docxGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 199.232.214.172
                                                                                                                                                      https://tfsroanoke.com/home/tfs/public_html/new/ckfinder/userfiles/files/12719803849.pdfGet hashmaliciousPDFPhishBrowse
                                                                                                                                                      • 199.232.214.172
                                                                                                                                                      jhsdgfjkh236.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                                      • 199.232.214.172
                                                                                                                                                      RECOUVREMENT -FACTURER1184521.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 199.232.210.172
                                                                                                                                                      QhR8Zp6fZs.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                                      • 199.232.214.172
                                                                                                                                                      LbtytfWpvx.vbsGet hashmaliciousRemcosBrowse
                                                                                                                                                      • 199.232.210.172
                                                                                                                                                      YinLHGpoX4.vbsGet hashmaliciousGuLoader, RHADAMANTHYSBrowse
                                                                                                                                                      • 199.232.214.172
                                                                                                                                                      gCXzb0K8Ci.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                      • 199.232.210.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CHINANET-JS-AS-AP AS Number for CHINANET jiangsu province ba | arm.nn.elf | malicious | Mirai, Okiru | 221.231.64.1
 | loligang.arm7.elf | malicious | Mirai | 221.228.242.55
 | b3astmode.mips.elf | malicious | Mirai | 61.177.20.255
 | loligang.arm7.elf | malicious | Mirai | 121.229.221.158
 | la.bot.arm7.elf | malicious | Mirai | 221.229.214.191
 | Owari.m68k.elf | malicious | Unknown | 222.186.152.0
 | arm5.elf | malicious | Unknown | 103.220.173.35
 | xobftuootu.elf | malicious | Unknown | 103.36.235.97
 | la.bot.mips.elf | malicious | Mirai | 118.184.242.35
 | la.bot.m68k.elf | malicious | Mirai | 221.228.254.22
                                                                                                                                                      No context
                                                                                                                                                      No context
                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):16384
                                                                                                                                                      Entropy (8bit):3.127502359285371
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:96:n/tnBfntQIrJU3z++G4jXKIK7nKHKVKn5K6NKZK7fQKVKn5K6NKZKDB7KlKKKZKf:/LFlri3zxU++bjVecaXb
                                                                                                                                                      MD5:0E3401C8F76460C281CC22D2FB5F4334
                                                                                                                                                      SHA1:4466D15F4A09B7A3D0C418E5B451585822AE86C3
                                                                                                                                                      SHA-256:346D7662D4A2C0EE165196C809BEDB1780CB66FD7C14E879098E5EE2DB827DDB
                                                                                                                                                      SHA-512:7D22C4575DF4F7690E75A3E1459B4DD12787376BA33EC800BD87E5232FA40DF08081E7A8B7ED2959FE4E6F4814775C94ECD09C0770DEF29B9765E17ED24DD137
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:regf........I._v$R.................. ....0......................................................................3"..jc...+...E..3"..jc...+...E......4"..jc...+...E..rmtm....................................................................................................................................................................................................................................................................................................................................................&...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                      Category:modified
                                                                                                                                                      Size (bytes):13233699
                                                                                                                                                      Entropy (8bit):7.981225590879728
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:24576:HRdusFeDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDA:xdb
                                                                                                                                                      MD5:4D8F6EC2D730F9F497BADFDA3AAED6A6
                                                                                                                                                      SHA1:007C29B58796FBB3F77D8F8509CDD08993E75AB2
                                                                                                                                                      SHA-256:6A772F2317E262FAFF3C4DBEB0291D4F18A875D8B1B24F8498D99DFCF73FAFF9
                                                                                                                                                      SHA-512:3158218AAED5B7B26BE747675585A8EACD1256216B2EB39766B1D9551D9DC41014178CCBBD448873732E5C5D8B1334A4CCAF5F557FF1C4CE3484E0115C84454E
                                                                                                                                                      Malicious:true
                                                                                                                                                      Antivirus:
                                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......dd.{ ..( ..( ..([..("..(O..(!..(...(#..(O..($..(O..($..(...(,..(...(#..( ..(...(...(6..(...(!..(...(!..(Rich ..(................PE..L...u..N...........!.....&...z.......+.......@......................................................................0k..|....`..P.......p............................................................................@.......W.......................text... $.......&.................. ..`.rdata...+...@...,...*..............@..@.data...d/...p...&...V..............@....rsrc...p............|..............@..@.reloc..@...........................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):26
                                                                                                                                                      Entropy (8bit):3.95006375643621
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:ggPYV:rPYV
                                                                                                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                      Malicious:true
                                                                                                                                                      Preview:[ZoneTransfer]....ZoneId=0
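The Size, Entropy (8bit) and hash columns above can be re-derived from a dropped file offline, which is worth doing when a report is the only artefact you have and you need to confirm a file you later recover is the same one. The Python below is an added example, not code from the Joe Sandbox report or from the analysed sample. It computes the same per-file metadata and also parses a Zone.Identifier stream, because the ZoneId value is what decides whether Windows treats the file it is attached to as Mark-of-the-Web content: the stream above was written by the rundll32.exe host with ZoneId=0 (Local Machine zone), so the file it belongs to carries no Internet mark and SmartScreen or Protected View checks keyed on the Internet zone will not fire for it. The 26-byte input is reconstructed from the preview above (the four dots taken as CR LF CR LF; the report's size and entropy values agree with that reading), the second buffer is constructed pseudo-random data, and the packed-file threshold is this example's own heuristic, not the sandbox's Encrypted rule (the report itself marks the 13 MB DLL with entropy 7.98 as Encrypted:false).

```python
"""Re-derive 'dropped file' metadata (size, 8-bit entropy, hashes) and read a
Zone.Identifier stream.  Added example; not code from the Joe Sandbox report
or from the analysed sample."""
import hashlib
import math
from collections import Counter

# Constructed input: the 26-byte Zone.Identifier content reconstructed from
# the report's preview "[ZoneTransfer]....ZoneId=0" (dots read as CR LF CR LF).
ZONE_IDENTIFIER = b"[ZoneTransfer]\r\n\r\nZoneId=0"

# URL security zones as written to the ZoneId= line (urlmon.h URLZONE_*).
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# This example's own heuristic, NOT the sandbox's 'Encrypted' column: the
# report marks a DLL with entropy 7.98 as Encrypted:false.
PACKED_ENTROPY_THRESHOLD = 7.2


def pseudo_random_payload(n_blocks: int = 64) -> bytes:
    """Constructed stand-in for a packed/encrypted payload: a deterministic
    SHA-256 chain, so the example needs no external data."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                    for i in range(n_blocks))


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_summary(data: bytes) -> dict:
    """The columns a sandbox 'dropped files' table reports for one file."""
    entropy = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": entropy,
        "likely_packed": entropy >= PACKED_ENTROPY_THRESHOLD,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def parse_zone_identifier(data: bytes) -> dict:
    """Parse the INI-style ':Zone.Identifier' alternate data stream.

    Returns the keys of the [ZoneTransfer] section plus 'zone_id',
    'zone_name' and 'untrusted' (True for the Internet and Restricted Sites
    zones, which Mark-of-the-Web checks such as SmartScreen and Office
    Protected View key on)."""
    section = None
    fields: dict = {}
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line:
            continue  # tolerate blank lines, as in the reconstructed sample
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if "ZoneId" not in fields:
        raise ValueError("no ZoneId in [ZoneTransfer] section")
    zone_id = int(fields["ZoneId"])
    fields["zone_id"] = zone_id
    fields["zone_name"] = ZONE_NAMES.get(zone_id, "unknown")
    fields["untrusted"] = zone_id >= 3
    return fields


if __name__ == "__main__":
    for label, blob in (("Zone.Identifier", ZONE_IDENTIFIER),
                        ("pseudo-random", pseudo_random_payload())):
        print(label, file_summary(blob))
    print(parse_zone_identifier(ZONE_IDENTIFIER))
```

Run as-is, the Zone.Identifier summary should report size 26 and entropy 3.95006375643621, matching the block above; the MD5/SHA-1 values it prints can be compared against the report's to confirm that the reconstructed bytes are exactly what the sandbox hashed.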
                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):65536
                                                                                                                                                      Entropy (8bit):0.8915940275323175
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:192:isVmiBO790BU/wjeTyPzuiFeZ24IO8dci:9VmiY7+BU/wjeGzuiFeY4IO8dci
                                                                                                                                                      MD5:0F49E1D3C75857DFE7AD644428F87104
                                                                                                                                                      SHA1:C6CBDA82423F783771F193A98B28F43589285519
                                                                                                                                                      SHA-256:19106B4D62981DB13EA2FF443F71DE5243CA8CF0052A21A9D93E161FBEBAA7A1
                                                                                                                                                      SHA-512:8CE491BBA790B14D44AC00415DCC73F3A0B65F23740E595D8F711FD59D37A5E6E4B47452468BB2862135B948F8B86405A5CD004C1D500D3D9CA667FCCD290EE8
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.9.3.0.4.7.3.4.2.2.9.1.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.9.3.0.4.8.0.1.4.1.5.6.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.f.d.0.e.8.1.2.-.0.1.e.f.-.4.3.b.b.-.9.e.f.c.-.1.b.e.6.7.0.e.0.e.2.6.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.2.3.c.d.4.2.d.-.3.1.e.d.-.4.c.c.f.-.8.0.d.1.-.d.3.d.0.6.c.b.4.5.2.1.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.4.f.4.-.0.0.0.1.-.0.0.1.3.-.f.6.d.a.-.2.1.7.4.2.4.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.
                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):65536
                                                                                                                                                      Entropy (8bit):0.8916953442192562
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:192:NTfijOw90BU/wjeTyPzuiFeZ24IO8dci:Zfiqw+BU/wjeGzuiFeY4IO8dci
                                                                                                                                                      MD5:55C44ED5833B3E10B9C0624A616F3041
                                                                                                                                                      SHA1:1A90F6C78D714437EF1A6A39C395711E10B2E7FB
                                                                                                                                                      SHA-256:71958FF76F4A1173CB03ABF3ED41C7C08F88B7197CD7C88C836097AEB76864FD
                                                                                                                                                      SHA-512:0BEF3248EA029A0402E5163FBA7C44BA8C4834D58A56419058A5002723F8FE6EDCAE773146AD5D893C76A1DD5426C7384393BAD6026ACDCC15798F70AC19BC2A
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.9.3.0.5.0.0.1.3.4.6.0.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.9.3.0.5.0.5.1.3.4.6.9.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.8.4.d.c.2.c.5.-.1.c.a.2.-.4.c.7.f.-.8.0.d.b.-.e.4.f.b.e.8.3.0.4.a.0.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.4.0.4.b.f.b.0.-.f.f.7.0.-.4.e.9.7.-.8.c.f.8.-.d.c.f.6.2.5.3.4.d.4.a.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.b.8.-.0.0.0.1.-.0.0.1.3.-.5.4.2.4.-.3.6.7.6.2.4.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.
                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      File Type:Mini DuMP crash report, 14 streams, Thu Dec 19 14:44:07 2024, 0x1205a4 type
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):43102
                                                                                                                                                      Entropy (8bit):2.0170189294436596
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:192:faksal154hEtlCBfXO5H4dhLbsULeXDmijDMmUn4JeW:SksqW2tlo25HghL7qxDMgeW
                                                                                                                                                      MD5:EE4EB300D226D2C0E099D372AB95DD3E
                                                                                                                                                      SHA1:895EDFAA75DDB5EEBE4765D855A772F27B69705A
                                                                                                                                                      SHA-256:D64BE320554D5DC08D50A63F726178710F9D18829370BE2626A1535BC471AE19
                                                                                                                                                      SHA-512:7FCA6DE697903CC53A12F1BFF388F256CF19FB183F7801D4A6158FB72CF3D2383AAC91C8E3037671BD712FA884FFF173FA90094C3A871D23ED769BED0B2C3D14
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:MDMP..a..... .......71dg.........................................*..........T.......8...........T...............V.......................l...............................................................................eJ..............GenuineIntel............T...........51dg.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
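The File Type line above comes from a file(1)-style signature reading the fixed 32-byte MINIDUMP_HEADER at the start of the dump: the stream count, the TimeDateStamp and the MINIDUMP_TYPE flags, which it prints as "0x1205a4 type". The Python below is an added example, not code from the Joe Sandbox report or from the sample. It parses that header and the stream directory that follows it, decodes the flags (0x1205a4 is the filtered triage set: FilterTriage, IgnoreInaccessibleMemory, WithoutOptionalData, WithProcessThreadData, FilterModulePaths, WithUnloadedModules, WithHandleData, so the dump carries no full memory image), and checks that every stream location lies inside the file, which is the first thing to verify before handing a sandbox-collected dump to a debugger. The dump it parses is constructed inside the block (header values taken from the line above, laid over a three-stream directory with zero-filled placeholder payloads); the real WER dump's 14 streams are not reproduced.

```python
"""Parse the fixed header and stream directory of a Windows minidump.
Added example; not code from the Joe Sandbox report or from the sample."""
import struct
from datetime import datetime, timezone

MINIDUMP_SIGNATURE = b"MDMP"
MINIDUMP_VERSION = 0xA793  # low word of MINIDUMP_HEADER.Version
# MINIDUMP_HEADER (32 bytes): Signature, Version, NumberOfStreams,
# StreamDirectoryRva, CheckSum, TimeDateStamp, Flags (ULONG64).
_HEADER = struct.Struct("<4sIIIIIQ")
# MINIDUMP_DIRECTORY (12 bytes): StreamType, Location.DataSize, Location.Rva
_DIRECTORY = struct.Struct("<III")

# MINIDUMP_TYPE bits (minidumpapiset.h); file(1) prints this field as "type".
MINIDUMP_TYPE = {
    0x1: "MiniDumpWithDataSegs", 0x2: "MiniDumpWithFullMemory",
    0x4: "MiniDumpWithHandleData", 0x8: "MiniDumpFilterMemory",
    0x10: "MiniDumpScanMemory", 0x20: "MiniDumpWithUnloadedModules",
    0x40: "MiniDumpWithIndirectlyReferencedMemory", 0x80: "MiniDumpFilterModulePaths",
    0x100: "MiniDumpWithProcessThreadData", 0x200: "MiniDumpWithPrivateReadWriteMemory",
    0x400: "MiniDumpWithoutOptionalData", 0x800: "MiniDumpWithFullMemoryInfo",
    0x1000: "MiniDumpWithThreadInfo", 0x2000: "MiniDumpWithCodeSegs",
    0x4000: "MiniDumpWithoutAuxiliaryState", 0x8000: "MiniDumpWithFullAuxiliaryState",
    0x10000: "MiniDumpWithPrivateWriteCopyMemory", 0x20000: "MiniDumpIgnoreInaccessibleMemory",
    0x40000: "MiniDumpWithTokenInformation", 0x80000: "MiniDumpWithModuleHeaders",
    0x100000: "MiniDumpFilterTriage", 0x200000: "MiniDumpWithAvxXStateContext",
    0x400000: "MiniDumpWithIptTrace", 0x800000: "MiniDumpScanInaccessiblePartialPages",
}
# MINIDUMP_STREAM_TYPE values a crash triage usually looks for.
STREAM_TYPES = {
    3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
    6: "ExceptionStream", 7: "SystemInfoStream", 8: "ThreadExListStream",
    9: "Memory64ListStream", 12: "HandleDataStream", 14: "UnloadedModuleListStream",
    15: "MiscInfoStream", 16: "MemoryInfoListStream", 17: "ThreadInfoListStream",
}


def decode_flags(flags: int) -> list:
    """Names of the MINIDUMP_TYPE bits set in Flags, lowest bit first."""
    names = [name for bit, name in sorted(MINIDUMP_TYPE.items()) if flags & bit]
    unknown = flags & ~sum(MINIDUMP_TYPE)
    if unknown:
        names.append(f"unknown:0x{unknown:x}")
    return names


def parse_header(buf: bytes) -> dict:
    if len(buf) < _HEADER.size:
        raise ValueError("shorter than MINIDUMP_HEADER")
    sig, version, nstreams, dir_rva, _csum, stamp, flags = _HEADER.unpack_from(buf, 0)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError(f"bad signature {sig!r}")
    if version & 0xFFFF != MINIDUMP_VERSION:
        raise ValueError(f"unexpected version 0x{version & 0xFFFF:x}")
    return {"streams": nstreams, "directory_rva": dir_rva,
            "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc),
            "flags": flags, "flag_names": decode_flags(flags)}


def parse_directory(buf: bytes, header: dict) -> list:
    """One dict per directory entry; 'in_bounds' is False when the stream's
    Location points past the end of the buffer (truncated or corrupt dump)."""
    rva, count = header["directory_rva"], header["streams"]
    if rva + count * _DIRECTORY.size > len(buf):
        raise ValueError("stream directory extends past end of file")
    entries = []
    for i in range(count):
        stype, size, loc = _DIRECTORY.unpack_from(buf, rva + i * _DIRECTORY.size)
        entries.append({"type": stype, "name": STREAM_TYPES.get(stype, f"stream_{stype}"),
                        "size": size, "rva": loc, "in_bounds": loc + size <= len(buf)})
    return entries


def validate_dump(buf: bytes) -> list:
    """Problems found (empty list when header and directory are consistent)."""
    try:
        entries = parse_directory(buf, parse_header(buf))
    except ValueError as exc:
        return [str(exc)]
    return [f"{e['name']} at 0x{e['rva']:x} (+{e['size']}) past EOF"
            for e in entries if not e["in_bounds"]]


def build_sample_dump() -> bytes:
    """Constructed minidump: header values from the report's file-type line
    (flags 0x1205a4, 2024-12-19 14:44:07 UTC) over a 3-stream directory with
    zero-filled placeholder payloads.  Not a real crash dump."""
    payloads = [(7, bytes(56)), (3, bytes(4)), (6, bytes(168))]
    dir_rva = _HEADER.size
    data_rva = dir_rva + _DIRECTORY.size * len(payloads)
    directory, body = b"", b""
    for stype, payload in payloads:
        directory += _DIRECTORY.pack(stype, len(payload), data_rva + len(body))
        body += payload
    header = _HEADER.pack(MINIDUMP_SIGNATURE, MINIDUMP_VERSION, len(payloads),
                          dir_rva, 0, 1734619447, 0x1205A4)
    return header + directory + body


if __name__ == "__main__":
    dump = build_sample_dump()
    hdr = parse_header(dump)
    print(hdr["streams"], "streams,", hdr["timestamp"], hdr["flag_names"])
    for entry in parse_directory(dump, hdr):
        print(entry)
    print("truncated copy:", validate_dump(dump[:-10]))
```

The bounds check in parse_directory is the part that matters when the dump did not come from your own machine: WER and sandboxes can hand over a dump whose directory references more bytes than were written, and a debugger that trusts the Rva/DataSize pair will read past the end of the mapping.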
                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):8274
                                                                                                                                                      Entropy (8bit):3.689944497388941
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:192:R6l7wVeJgh6InH6Ywt61DgmfTrYprX89bbbxsffMBjm:R6lXJW6InH6Y66hgmfTr9bbqff+6
                                                                                                                                                      MD5:C7C27D8D6DBF705D37697FD72DFC03CC
                                                                                                                                                      SHA1:3ECA574CF61D778D2176F5FCA90E78D674D5F433
                                                                                                                                                      SHA-256:96A74774D57E3BD8708B9A1AF092D72988223338A6302629F90337C1ACB9B2C1
                                                                                                                                                      SHA-512:782E10491C0ED57A9C742070EA8910D467AA86A738115B837088170CA279041D89E6ADB0617AEC3A35942CB3E045C2CC850D5F7082FBE3EAAA98E00511972B86
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.2.6.8.<./.P.i.
                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):4654
                                                                                                                                                      Entropy (8bit):4.46111699166647
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:48:cvIwWl8zsMiJg77aI9XcWpW8VYfYm8M4JCdPqFUe+q8/AxGScSld:uIjfMwI71V7VnJceZJ3ld
                                                                                                                                                      MD5:50F8CDF5230BE6E8C8FD3D1C22FFD09F
                                                                                                                                                      SHA1:C558C1F4E5432B1FDC25E946A5246F99658E6A30
                                                                                                                                                      SHA-256:AD805D1E8F0213EBB8A0053247E9C315C9BC31D46E4BD80F030E87ADD795C528
                                                                                                                                                      SHA-512:7FC2D3B36846965B4BCAA4705FE983D878097572A49A477593395754ECB382344F86FD91BECD2281EC82B7058C0AB57A51803A79ED224677559D6FDCC6AC8C05
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="638266" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):87674
                                                                                                                                                      Entropy (8bit):3.0334902842452998
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:768:2HGtE5wDefPuJ629f0YL9sPIPLv967voMZGBhzqG:2mtIwsW6SZL9swTvI7voMZGBhzqG
                                                                                                                                                      MD5:D8B2DCBB530758A8B5E8EA555D522DC3
                                                                                                                                                      SHA1:C69CA6F330817138021FC60CF009748CC4EA404A
                                                                                                                                                      SHA-256:44B239D86F911952B3111450851E459E805FFE1C6F648FFF4CB9B84502B53F19
                                                                                                                                                      SHA-512:11B05B7346247C66F83FDC8268436D1C6A5C76DA06A494DFCE036FDE89FB4DAC998CC0D7EDDDC6B418E1303594907970310C36C843908C7B17A31D5B3121462B
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):13340
                                                                                                                                                      Entropy (8bit):2.6864920778654757
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:96:TiZYWzFyk647EYtY5W9HwYEZ+3tnBiGEJXpwjRGZa0cgu8TMRKoQI8q3:2ZDz06NfIa0Ju8TMRKon8q3
                                                                                                                                                      MD5:AE15AD528A584A8090D69E5EB90E0BD8
                                                                                                                                                      SHA1:D62F4442ADCD86C61A3DE240466B34C2ED97BE42
                                                                                                                                                      SHA-256:81CECF973EEF697DF2186F6FEB236F350EACD547F3AD7E227A223378C7DDFF29
                                                                                                                                                      SHA-512:8E20F6A10E017A11199D298ADD34F173576F7E1860ADE7913ABF797AE35697CEE06E87242438D5E0F18A89B8D30BD8EC60A044F3B7F5169FCFC7ADEDE7932A33
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      File Type:Mini DuMP crash report, 14 streams, Thu Dec 19 14:44:10 2024, 0x1205a4 type
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):45602
                                                                                                                                                      Entropy (8bit):1.943857414417643
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:192:icYkal154QEtlsuXO5H4dWtDN8vfvKOFhq3RxlXeaPhKxYYAaRCU:DYkqW/tl05HgW9NKf3vgluaPhw1Rd
                                                                                                                                                      MD5:6544C523C4BAC47FC7176F60A51E0C40
                                                                                                                                                      SHA1:3D9B0F4AAA9B6CDC7EE7A2A621A2D112C9EA0D18
                                                                                                                                                      SHA-256:2D58835338AF181211CEAB42C72AB7B21BA319A83ACEC6C6DED105D2513B1FD8
                                                                                                                                                      SHA-512:AD6F97384672F8904D62413CCFCDC650BAC9A41D9EF7938185FFACF6AB376DF0E8B6EB533B207479D7D0B73CE6D2DC09AEF0E59E5792F2A6C63A43470F009601
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:MDMP..a..... .......:1dg.........................................*..........T.......8...........T...............*.......................l...............................................................................eJ..............GenuineIntel............T...........91dg.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):8264
                                                                                                                                                      Entropy (8bit):3.6923827051578924
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:192:R6l7wVeJRe6InU6YQq6sRgmfTrYprM89bR/sfAUAbm:R6lXJ46InU6Y16sRgmfTrERkfAUx
                                                                                                                                                      MD5:FCAFD234C97CFD3F9EB92F5F970B34C6
                                                                                                                                                      SHA1:4DD2DCBCC6694EFDDFF9D93690C22EF224FEC15C
                                                                                                                                                      SHA-256:691E8D77BE2A136CBD56851DC20F222840E01AD58AEA92F896921206AF933A55
                                                                                                                                                      SHA-512:71A1973A348A7E13B9FF8A5EBF4E435BA65EA973AC4422746CD997E3006FFED03F97DB7BF9B46F269F9FD7B7AE3EC9F447BA203688923ED3BD19AC9BB8B80664
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.5.3.6.<./.P.i.
                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):4654
                                                                                                                                                      Entropy (8bit):4.462906306201785
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:48:cvIwWl8zsMiJg77aI9XcWpW8VYLoYm8M4JCdPqFF+q8/AFGScSid:uIjfMwI71V7VEFJ9dJ3id
                                                                                                                                                      MD5:FE69E8E6DDA73BFF82BC1CF11466BC3B
                                                                                                                                                      SHA1:ED1C941258516D038C23F5E6CF4390C2B5F074C5
                                                                                                                                                      SHA-256:2BF97A6AB8F324EA04BD391703D71115709499052C647A622229F26EF5F4AF4B
                                                                                                                                                      SHA-512:6BCFA9071F60884F92C73EEE63F3EB35B5937EF04FC7659E660DB61E01349B5CAE2E3429162EF6CBFCDCDF69CC8A2C936A716A41F1BB5AE998D45E29E065F8A6
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="638266" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):88530
                                                                                                                                                      Entropy (8bit):3.0331597764141236
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:768:G5YQgWewDTfsos629f0MR9szL/W967boMZGBhz9rG9g0:G2QgBwEZ6S9R9s3+I7boMZGBhz9S9g0
                                                                                                                                                      MD5:589986E1236CE208F45D1D6258B997F5
                                                                                                                                                      SHA1:A5BE4E893D9549BC20E20F7B2B105752C351C722
                                                                                                                                                      SHA-256:E7A7D8D91290E27E6602A452980B18AB207974D2D957B792AF64A2ACF222A120
                                                                                                                                                      SHA-512:2AFFC03567E5DACB8A3ABE9B28D9AE7D60F9D928D4DDD4F0F8A72D827E9DE961E89B6894EBEF387DC909A8A4AB41E20EB4E7E76AA1FE3B5012B65A4B8C9333E5
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):13340
                                                                                                                                                      Entropy (8bit):2.6863816908738323
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:96:TiZYWG1kU4XYqYwEWvSHaYEZnptnBiYECXew0FeapcgpMoKo4ITvq3:2ZDpNflFYUapJpMoKofDq3
                                                                                                                                                      MD5:61C9E3A25ECD6F243344B48DC9398BDE
                                                                                                                                                      SHA1:991F792EE3B8B855EC64800908638CCBBF9DF92A
                                                                                                                                                      SHA-256:C809B368DE0B7F043A27100DAA5C95020EFF52A76F7E76CBC0E916AD99211C20
                                                                                                                                                      SHA-512:C4178E6EEAB076DF2EE0FF298712D397720989BCCC0E335230355904D4AE74AEA4FF23F88472CF32467C35F226063A704EFE968B57CD66C0FECAE64FF984618C
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4761 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):4761
                                                                                                                                                      Entropy (8bit):7.945585251880973
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:96:6ZUpZsm0HwZ8FLSeXs+aiL9qcZ7KtlAD1GlNHgdkVI5F11AcNmwkVFzGz6ENhZC7:62T0QOLl8vAqcZ7K3AUNAdx5FAx9VEOj
                                                                                                                                                      MD5:77B20B5CD41BC6BB475CCA3F91AE6E3C
                                                                                                                                                      SHA1:9E98ACE72BD2AB931341427A856EF4CEA6FAF806
                                                                                                                                                      SHA-256:5511A9B9F9144ED7BDE4CCB074733B7C564D918D2A8B10D391AFC6BE5B3B1509
                                                                                                                                                      SHA-512:3537DA5E7F3ABA3DAFE6A86E9511ABA20B7A3D34F30AEA6CC11FEEF7768BD63C0C85679C49E99C3291BD1B552DED2C6973B6C2F7F6D731BCFACECAB218E72FD4
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview:MSCF............,...................O..................YWP .disallowedcert.stl.lJ..B...CK.wTS.....{.&Uz.I."E".HS@. .P.!.....*E. .DQ..... EDA.H. E..""/.s<.s.9.....&#.{~k.VV..7@......b.R....MdT..B.L..%.C......" ....%.4%..%*.B..T.d...S.....pem..$....&.q.`.+...E..C.....$.|.A.!~d.H>w%S$...QC't..;..<..R@....2. .l..?..c..A....Ew...l..K$.. ~...'......Mt^c..s.Y%..}......h......m....h.......~d...,...=ge3.....2%..(...T..!].....!C~.X..MHU.o[.z].Y...&lXG;uW.:...2!..][\/.G..]6#.I...S..#F.X.k.j.....)Nc.].t^.-l.Y...4?.b...rY....A......7.D.H\.R...s.L,.6.*|.....VQ....<.*.......... [Z....].N0LU.X........6..C\....F.....KbZ..^=.@.B..MyH...%.2.>...]..E.....sZ.f..3z.].Y.t.d$.....P...,. .~..mNZ[PL.<....d..+...l.-...b.^....6F..z.&.;D.._..c."...d..... k9....60?&..Y.v.dgu...{.....{..d=..$......@^..qA..*uJ..@W.V..eC..AV.e+21...N.{.]..]..f]..`Z.....]2.....x..f..K...t. ...e.V.U.$PV..@6W\_nsm.n.........A<.......d....@f..Z... >R..k.....8..Y....E>..2o7..........c..K7n....
                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:modified
                                                                                                                                                      Size (bytes):340
                                                                                                                                                      Entropy (8bit):3.245971802347617
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:6:kKfo8q5+7DNfUN+SkQlPlEGYRMY9z+s3Ql2DUeXJlOW1:no8dLkPlE99SCQl2DUeXJlOA
                                                                                                                                                      MD5:3BEA5B4929D870BDEB70143D9ACEF603
                                                                                                                                                      SHA1:6ADB5D15A3C260289F26601FEC2F5251918224C5
                                                                                                                                                      SHA-256:E42BEE90A9FF617A0414C86FD5292345B32D98594F82A60A28B5A94582A6D931
                                                                                                                                                      SHA-512:9B467682151384F6C8BCF6C168DE187978EB592A58E961347C85BD3DF419A02B954ED1CE5B454702453269F936786684ACF6240E44BCD2EDAD10BD8897A0B5D2
                                                                                                                                                      Malicious:false
Preview: p...... ........{..w$R..(....................................................... ........~..MG......&.....6.........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".0.6.c.f.c.c.5.4.d.4.7.d.b.1.:.0."...
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.296114990286747
Encrypted: false
SSDEEP: 6144:541fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+VwmBMZJh1Vj/:u1/YCW2AoQ0NiTwwMHrVT
MD5: C8D18E285E18F759B4D4D8632036A864
SHA1: 961BECB77ADEBDA4FFFD7DBC8F5D5B2828817836
SHA-256: 9C09279E0F78DB367C8AC4D4FFAD2D4B8800CB24E4403627769574B220E63931
SHA-512: CD4E15AABE2C5C827D87F02ECA27A0D6626DCD76E6AFFD90B5A3C45019CEEC55AEADAB75139B86ADB89AAB263C6E6CEE8D40BC33A5C36F430986EE1CE29C8C4E
Malicious: false
Preview: regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.?.t$R..............................................................................................................................................................................................................................................................................................................................................Pg.@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy (8bit): 7.964939213257691
TrID:
• Win32 Dynamic Link Library (generic) (1002004/3) 98.32%
• Windows Screen Saver (13104/52) 1.29%
• Generic Win/DOS Executable (2004/3) 0.20%
• DOS Executable Generic (2002/1) 0.20%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: I3FtIOCni3.dll
File size: 5'636'643 bytes
MD5: 54429e9f729a0b1121df0392f9510b19
SHA1: c3e91ea457a6aac1ace5ace1a1e07c6b3a1d87b0
SHA256: 7c5a5394a4c23a5730742e589d6b4e1ee733e22b3b92a717c573c07f3e6d3e37
SHA512: 412a926fbc713fef9061f413d0649166f320da8b13874209c339197390c9ab2d8e8b7f3cb36c24476d9626d35fb8b4a55783db54caf9500530821a88c97539f1
SSDEEP: 12288:Hf5dpkswSJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJl:HRdusFF
TLSH: 7A469DD59CB19432C8F157E9B022AAE12033D6FCA932FB6FE59906D951FCC95060B9C3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......dd.{ ..( ..( ..([..("..(O..(!..(...(#..(O..($..(O..($..(...(,..(...(#..( ..(...(...(6..(...(!..(...(!..(Rich ..(...............
Icon Hash: 7ae282899bbab082
Entrypoint: 0x10012baa
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x10000000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp: 0x4E030475 [Thu Jun 23 09:16:37 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 6db0b852a0f78ce52a5de071e0915858
Instruction (disassembly at entrypoint 0x10012baa)
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007FB3E8FD6DBBh
cmp dword ptr [10019F40h], 00000000h
jmp 00007FB3E8FD6DD8h
cmp esi, 01h
je 00007FB3E8FD6DB7h
cmp esi, 02h
jne 00007FB3E8FD6DD4h
mov eax, dword ptr [10019F60h]
test eax, eax
je 00007FB3E8FD6DBBh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007FB3E8FD6DBEh
push edi
push esi
push ebx
call 00007FB3E8FD6CCAh
test eax, eax
jne 00007FB3E8FD6DB6h
xor eax, eax
jmp 00007FB3E8FD6E00h
push edi
push esi
push ebx
call 00007FB3E8FD07ABh
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007FB3E8FD6DBEh
test eax, eax
jne 00007FB3E8FD6DE9h
push edi
push eax
push ebx
call 00007FB3E8FD6CA6h
test esi, esi
je 00007FB3E8FD6DB7h
cmp esi, 03h
jne 00007FB3E8FD6DD8h
push edi
push esi
push ebx
call 00007FB3E8FD6C95h
test eax, eax
jne 00007FB3E8FD6DB5h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007FB3E8FD6DC3h
mov eax, dword ptr [10019F60h]
test eax, eax
je 00007FB3E8FD6DBAh
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
int3
jmp dword ptr [1001416Ch]
jmp dword ptr [10014170h]
jmp dword ptr [10014174h]
int3
int3
int3
int3
int3
int3
push ecx
push edx
push 10019488h
jmp 00007FB3E8FD6DB5h
push 10015800h
Programming Language:
• [ C ] VS98 (6.0) build 8168
• [C++] VS98 (6.0) build 8168
• [EXP] VC++ 6.0 SP5 build 8804
• [LNK] VS98 (6.0) imp/exp build 8168
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x16b30          0x7c          .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x16010          0x50          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x1a000          0x770         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x1b000          0x11f8        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x14000          0x1b8         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x15780          0xc0          .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type | Entropy           | Characteristics
.text  | 0x1000          | 0x12420      | 0x12600  | ed5578fa4a5dc8cacd56ceececca5b33 | False    | 0.526280824829932   | data      | 6.49282133886987  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x14000         | 0x2bac       | 0x2c00   | 8087166a06747b0772bc63ddf3b60560 | False    | 0.37633167613636365 | data      | 5.203297336022892 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0x17000         | 0x2f64       | 0x2600   | b1b763669a000dcd833889619cf1b598 | False    | 0.31866776315789475 | data      | 4.45191741812338  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  | 0x1a000         | 0x770        | 0x800    | 85f3ef3c2583c5076cbb01f484801b3c | False    | 0.44775390625       | data      | 4.039037099290175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1b000         | 0x1440       | 0x1600   | 386c06798d7592d64fb87cb1044560d7 | False    | 0.6779119318181818  | data      | 6.048611824415304 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name        | RVA     | Size  | Type                                                                               | Language | Country | ZLIB Complexity
RT_BITMAP   | 0x1a6f8 | 0x74  | Device independent bitmap graphic, 4 x 3 x 4, image size 12                        | Chinese  | China   | 0.5086206896551724
RT_MENU     | 0x1a6e0 | 0x12  | data                                                                               | Chinese  | China   | 1.3888888888888888
RT_VERSION  | 0x1a348 | 0x394 | OpenPGP Secret Key                                                                 | Chinese  | China   | 0.49344978165938863
RT_MANIFEST | 0x1a130 | 0x215 | XML 1.0 document, ASCII text, with very long lines (533), with no line terminators | Chinese  | China   | 0.575984990619137
DLL           Import
KERNEL32.dll  GetProcAddress, LoadLibraryA, FreeLibrary, CloseHandle, TerminateThread, Sleep, WaitForSingleObject, SetEvent, ResumeThread, DeleteCriticalSection, VirtualFree, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, GetLastError, ResetEvent, InterlockedExchange, CancelIo, GetTickCount, GetLocalTime, GetCurrentProcessId, HeapAlloc, GetProcessHeap, DeleteFileA, CreateDirectoryA, GetFileAttributesA, lstrcpyA, lstrlenA, GetDriveTypeA, GetDiskFreeSpaceExA, GetVolumeInformationA, GetLogicalDriveStringsA, FindClose, LocalFree, FindNextFileA, LocalReAlloc, FindFirstFileA, LocalAlloc, GetFileSize, ReadFile, SetFilePointer, MoveFileA, CreateProcessA, Process32Next, lstrcmpiA, Process32First, CreateToolhelp32Snapshot, GetModuleHandleA, GlobalFree, GlobalUnlock, GlobalLock, GlobalAlloc, GlobalSize, GetStartupInfoA, WaitForMultipleObjects, LocalSize, TerminateProcess, GlobalMemoryStatus, GetVersionExA, OpenEventA, SetErrorMode, GetCurrentProcess, GetWindowsDirectoryA, SetFileAttributesA, CopyFileA, ExpandEnvironmentStringsA, GetModuleFileNameA, CreateFileA, RaiseException
MSVCRT.dll    strncpy, free, malloc, _except_handler3, strrchr, _beginthreadex, atoi, wcstombs, sprintf, srand, calloc, ??1type_info@@UAE@XZ, _initterm, _adjust_fdiv, rand, _CxxThrowException, strstr, _ftol, ceil, putchar, memmove, __CxxFrameHandler, puts, _access, ??3@YAXPAX@Z, ??2@YAPAXI@Z, _strrev, _stricmp
MSVCP60.dll   ?_Xran@std@@YAXXZ, ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ, ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z, ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z, ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z, ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z, ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, ?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB, ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z, ?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
Name | Ordinal | Address
EndWork | 1 | 0x1000b5e0
Runing | 2 | 0x1000b5e0
ServiceMain | 3 | 0x1000b600
Working | 4 | 0x1000b5e0
Language of compilation system | Country where language is spoken
Chinese | China
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-19T15:44:04.655226+0100 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 192.168.2.10 | 49705 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:04.655226+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.10 | 49705 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:15.445150+0100 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 192.168.2.10 | 49711 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:15.445150+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.10 | 49711 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:25.905795+0100 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 192.168.2.10 | 49716 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:25.905795+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.10 | 49716 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:36.388107+0100 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 192.168.2.10 | 49721 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:36.388107+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.10 | 49721 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:45.584804+0100 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 192.168.2.10 | 49726 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:45.584804+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.10 | 49726 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:52.196651+0100 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 192.168.2.10 | 49728 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:52.196651+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.10 | 49728 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:57.003296+0100 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 192.168.2.10 | 49730 | 118.184.169.48 | 80 | TCP
2024-12-19T15:44:57.003296+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.10 | 49730 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:00.650936+0100 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 192.168.2.10 | 49731 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:00.650936+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.10 | 49731 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:03.521798+0100 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 192.168.2.10 | 49732 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:03.521798+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.10 | 49732 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:05.535255+0100 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 192.168.2.10 | 49733 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:05.535255+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.10 | 49733 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:07.500120+0100 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 192.168.2.10 | 49734 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:07.500120+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.10 | 49734 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:08.550324+0100 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 192.168.2.10 | 49735 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:08.550324+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.10 | 49735 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:09.374412+0100 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 192.168.2.10 | 49736 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:09.374412+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.10 | 49736 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:10.416958+0100 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 192.168.2.10 | 49737 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:10.416958+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.10 | 49737 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:10.912324+0100 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 192.168.2.10 | 49738 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:10.912324+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.10 | 49738 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:11.376595+0100 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 192.168.2.10 | 49739 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:11.376595+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.10 | 49739 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:52.201020+0100 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 192.168.2.10 | 49741 | 118.184.169.48 | 80 | TCP
2024-12-19T15:45:52.201020+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.10 | 49741 | 118.184.169.48 | 80 | TCP
2024-12-19T15:46:44.638463+0100 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 192.168.2.10 | 49742 | 118.184.169.48 | 80 | TCP
2024-12-19T15:46:44.638463+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.10 | 49742 | 118.184.169.48 | 80 | TCP
2024-12-19T15:47:36.876470+0100 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | 1 | 192.168.2.10 | 49743 | 118.184.169.48 | 80 | TCP
2024-12-19T15:47:36.876470+0100 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | 1 | 192.168.2.10 | 49743 | 118.184.169.48 | 80 | TCP
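Two signatures (SID 2013214 and 2016922) fire on every one of the flows above, so counting alerts overstates activity; what an analyst actually wants from this table is the reconnect cadence to 118.184.169.48:80. The script below is an added example written for this page, not Joe Sandbox output or the sample's own code. Its SAMPLE_ALERTS rows are constructed from the alert table above (all 19 SID 2013214 rows plus the first three SID 2016922 duplicates); the whitespace column layout, the grouping logic and the `min_flows` threshold in `is_reconnecting_c2` are the editor's assumptions.

```python
"""Roll the Suricata alerts above up into one beacon summary per C2 target.

Editor's added example, not Joe Sandbox output. SAMPLE_ALERTS is constructed
from the alert table on this page (all 19 SID 2013214 rows plus the first
three SID 2016922 duplicates); the whitespace column layout, the grouping
logic and the min_flows threshold in is_reconnecting_c2 are the editor's
assumptions, not anything the sandbox emits.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed from the alert table above.
# Columns: timestamp  SID  src_ip  src_port  dst_ip  dst_port
SAMPLE_ALERTS = """\
2024-12-19T15:44:04.655226+0100 2013214 192.168.2.10 49705 118.184.169.48 80
2024-12-19T15:44:04.655226+0100 2016922 192.168.2.10 49705 118.184.169.48 80
2024-12-19T15:44:15.445150+0100 2013214 192.168.2.10 49711 118.184.169.48 80
2024-12-19T15:44:15.445150+0100 2016922 192.168.2.10 49711 118.184.169.48 80
2024-12-19T15:44:25.905795+0100 2013214 192.168.2.10 49716 118.184.169.48 80
2024-12-19T15:44:25.905795+0100 2016922 192.168.2.10 49716 118.184.169.48 80
2024-12-19T15:44:36.388107+0100 2013214 192.168.2.10 49721 118.184.169.48 80
2024-12-19T15:44:45.584804+0100 2013214 192.168.2.10 49726 118.184.169.48 80
2024-12-19T15:44:52.196651+0100 2013214 192.168.2.10 49728 118.184.169.48 80
2024-12-19T15:44:57.003296+0100 2013214 192.168.2.10 49730 118.184.169.48 80
2024-12-19T15:45:00.650936+0100 2013214 192.168.2.10 49731 118.184.169.48 80
2024-12-19T15:45:03.521798+0100 2013214 192.168.2.10 49732 118.184.169.48 80
2024-12-19T15:45:05.535255+0100 2013214 192.168.2.10 49733 118.184.169.48 80
2024-12-19T15:45:07.500120+0100 2013214 192.168.2.10 49734 118.184.169.48 80
2024-12-19T15:45:08.550324+0100 2013214 192.168.2.10 49735 118.184.169.48 80
2024-12-19T15:45:09.374412+0100 2013214 192.168.2.10 49736 118.184.169.48 80
2024-12-19T15:45:10.416958+0100 2013214 192.168.2.10 49737 118.184.169.48 80
2024-12-19T15:45:10.912324+0100 2013214 192.168.2.10 49738 118.184.169.48 80
2024-12-19T15:45:11.376595+0100 2013214 192.168.2.10 49739 118.184.169.48 80
2024-12-19T15:45:52.201020+0100 2013214 192.168.2.10 49741 118.184.169.48 80
2024-12-19T15:46:44.638463+0100 2013214 192.168.2.10 49742 118.184.169.48 80
2024-12-19T15:47:36.876470+0100 2013214 192.168.2.10 49743 118.184.169.48 80
"""


def parse_alerts(text):
    """Yield (time, sid, src_ip, src_port, dst_ip, dst_port) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sip, sport, dip, dport = line.split()
        # %z accepts the "+0100" offset form Joe Sandbox prints.
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
        yield when, int(sid), sip, int(sport), dip, int(dport)


def summarize_beacons(text):
    """Collapse alerts to flows (5-tuple), then flows to one entry per (src, dst, dport).

    Each entry carries: flow count, sorted source ports, sorted SIDs seen on the
    flows, inter-flow gaps in seconds, and the median gap (None for a single flow).
    """
    flows = {}  # (src_ip, src_port, dst_ip, dst_port) -> {"first": datetime, "sids": set}
    for when, sid, sip, sport, dip, dport in parse_alerts(text):
        flow = flows.setdefault((sip, sport, dip, dport), {"first": when, "sids": set()})
        flow["first"] = min(flow["first"], when)
        flow["sids"].add(sid)

    by_target = defaultdict(list)
    for (sip, sport, dip, dport), flow in flows.items():
        by_target[(sip, dip, dport)].append((flow["first"], sport, flow["sids"]))

    summary = {}
    for target, items in by_target.items():
        items.sort(key=lambda item: (item[0], item[1]))
        starts = [item[0] for item in items]
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        summary[target] = {
            "flows": len(items),
            "src_ports": sorted(item[1] for item in items),
            "sids": sorted(set().union(*(item[2] for item in items))),
            "intervals": gaps,
            "median_interval": median(gaps) if gaps else None,
        }
    return summary


def is_reconnecting_c2(entry, min_flows=5):
    """Assumed heuristic: at least min_flows flows to one target, every one from a
    fresh ephemeral port, i.e. repeated short sessions rather than one long connection."""
    return entry["flows"] >= min_flows and len(set(entry["src_ports"])) == entry["flows"]


if __name__ == "__main__":
    for (sip, dip, dport), entry in summarize_beacons(SAMPLE_ALERTS).items():
        print(f"{sip} -> {dip}:{dport}: {entry['flows']} flows, SIDs {entry['sids']}, "
              f"median gap {entry['median_interval']:.1f}s, "
              f"reconnecting={is_reconnecting_c2(entry)}")
```

Run as a script it reports a single target, 192.168.2.10 -> 118.184.169.48:80, with 19 flows, each on a fresh source port. The gaps are not a fixed timer: they shrink from roughly 10.8 s between the first flows to under half a second around 15:45:10, then settle at about 52 s for the last three. The packet table that follows shows each flow is only a handful of packets spanning about two seconds, which is why a dedupe on the 5-tuple rather than an alert count is the right unit for this kind of traffic.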
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 15:44:04.505340099 CET | 49705 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:04.625196934 CET | 80 | 49705 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:04.625314951 CET | 49705 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:04.655225992 CET | 49705 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:04.774745941 CET | 80 | 49705 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:06.200011015 CET | 80 | 49705 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:06.200025082 CET | 80 | 49705 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:06.200088024 CET | 49705 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:06.209244013 CET | 49705 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:06.209314108 CET | 49705 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:06.328886986 CET | 80 | 49705 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:15.225385904 CET | 49711 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:15.430073977 CET | 80 | 49711 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:15.430165052 CET | 49711 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:15.445149899 CET | 49711 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:15.565284967 CET | 80 | 49711 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:17.027765036 CET | 80 | 49711 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:17.027918100 CET | 80 | 49711 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:17.028080940 CET | 49711 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:17.029967070 CET | 49711 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:17.030052900 CET | 49711 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:17.149631977 CET | 80 | 49711 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:25.779366016 CET | 49716 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:25.899008989 CET | 80 | 49716 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:25.899158955 CET | 49716 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:25.905795097 CET | 49716 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:26.025324106 CET | 80 | 49716 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:28.033689022 CET | 80 | 49716 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:28.033945084 CET | 80 | 49716 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:28.034276009 CET | 49716 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:28.034456968 CET | 49716 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:28.034552097 CET | 49716 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:28.154092073 CET | 80 | 49716 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:36.249114990 CET | 49721 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:36.369031906 CET | 80 | 49721 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:36.369256020 CET | 49721 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:36.388107061 CET | 49721 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:36.507802010 CET | 80 | 49721 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:37.940938950 CET | 80 | 49721 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:37.941447020 CET | 80 | 49721 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:37.941489935 CET | 49721 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:37.941620111 CET | 49721 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:37.941708088 CET | 49721 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:38.061199903 CET | 80 | 49721 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:45.458384037 CET | 49726 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:45.577975035 CET | 80 | 49726 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:45.578113079 CET | 49726 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:45.584804058 CET | 49726 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:45.704751015 CET | 80 | 49726 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:50.151158094 CET | 80 | 49726 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:50.151537895 CET | 80 | 49726 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:50.151595116 CET | 49726 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:50.152445078 CET | 49726 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:50.152507067 CET | 49726 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:50.272521019 CET | 80 | 49726 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:52.050107956 CET | 49728 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:52.169749975 CET | 80 | 49728 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:52.169838905 CET | 49728 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:52.196650982 CET | 49728 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:52.316401005 CET | 80 | 49728 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:53.728612900 CET | 80 | 49728 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:53.729008913 CET | 49728 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:53.732878923 CET | 80 | 49728 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:53.732927084 CET | 49728 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:53.733000040 CET | 49728 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:53.848879099 CET | 80 | 49728 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:53.852524042 CET | 80 | 49728 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:56.874636889 CET | 49730 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:56.994349957 CET | 80 | 49730 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:56.994442940 CET | 49730 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:57.003295898 CET | 49730 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:57.123214006 CET | 80 | 49730 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:58.534293890 CET | 80 | 49730 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:58.534327984 CET | 80 | 49730 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:44:58.534426928 CET | 49730 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:58.575385094 CET | 49730 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:58.575472116 CET | 49730 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:44:58.695195913 CET | 80 | 49730 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:45:00.523394108 CET | 49731 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:45:00.643359900 CET | 80 | 49731 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:45:00.644208908 CET | 49731 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:45:00.650935888 CET | 49731 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:45:00.770785093 CET | 80 | 49731 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:45:02.231400013 CET | 80 | 49731 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:45:02.231518030 CET | 80 | 49731 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:45:02.231599092 CET | 49731 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:45:02.309900999 CET | 49731 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:45:02.309958935 CET | 49731 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:45:02.430356979 CET | 80 | 49731 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:45:03.389807940 CET | 49732 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:45:03.509635925 CET | 80 | 49732 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:45:03.509824038 CET | 49732 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:45:03.521797895 CET | 49732 | 80 | 192.168.2.10 | 118.184.169.48
Dec 19, 2024 15:45:03.641328096 CET | 80 | 49732 | 118.184.169.48 | 192.168.2.10
Dec 19, 2024 15:45:05.052277088 CET | 80 | 49732 | 118.184.169.48 | 192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:45:05.052519083 CET8049732118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:45:05.052573919 CET4973280192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:05.052834034 CET4973280192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:05.052942991 CET4973280192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:05.199980974 CET8049732118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:45:05.405895948 CET4973380192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:05.525774002 CET8049733118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:45:05.525949955 CET4973380192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:05.535254955 CET4973380192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:05.655039072 CET8049733118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:45:06.826291084 CET4973380192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:06.909331083 CET4973480192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:07.029042959 CET8049734118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:45:07.029197931 CET4973480192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:07.500119925 CET4973480192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:07.620878935 CET8049734118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:45:08.419202089 CET4973480192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:08.421206951 CET4973580192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:08.541338921 CET8049735118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:45:08.541486025 CET4973580192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:08.550323963 CET4973580192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:08.672130108 CET8049735118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:45:09.231730938 CET4973580192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:09.233522892 CET4973680192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:09.353956938 CET8049736118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:45:09.354151964 CET4973680192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:09.374412060 CET4973680192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:09.495155096 CET8049736118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:45:10.289232969 CET4973680192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:10.291565895 CET4973780192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:10.411183119 CET8049737118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:45:10.411293983 CET4973780192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:10.416958094 CET4973780192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:10.536724091 CET8049737118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:45:10.778661013 CET4973780192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:10.781425953 CET4973880192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:10.901057959 CET8049738118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:45:10.901160002 CET4973880192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:10.912323952 CET4973880192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:11.032241106 CET8049738118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:45:11.247324944 CET4973880192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:11.249034882 CET4973980192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:11.368833065 CET8049739118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:45:11.369905949 CET4973980192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:11.376595020 CET4973980192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:11.497236013 CET8049739118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:45:11.653624058 CET4973980192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:11.654637098 CET4974080192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:11.775027990 CET8049740118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:45:11.777986050 CET4974080192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:52.053299904 CET4974180192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:52.173511982 CET8049741118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:45:52.173598051 CET4974180192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:52.201020002 CET4974180192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:52.320920944 CET8049741118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:45:53.680025101 CET8049741118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:45:53.680461884 CET4974180192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:53.680684090 CET8049741118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:45:53.680749893 CET4974180192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:53.681103945 CET4974180192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:45:53.800523043 CET8049741118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:45:53.800561905 CET8049741118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:46:44.467894077 CET4974280192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:46:44.588202953 CET8049742118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:46:44.588320017 CET4974280192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:46:44.638463020 CET4974280192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:46:44.758323908 CET8049742118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:46:46.111130953 CET8049742118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:46:46.111157894 CET8049742118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:46:46.111231089 CET4974280192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:46:46.138207912 CET4974280192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:46:46.138257980 CET4974280192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:46:46.258122921 CET8049742118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:47:36.748925924 CET4974380192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:47:36.869959116 CET8049743118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:47:36.870121002 CET4974380192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:47:36.876470089 CET4974380192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:47:36.996378899 CET8049743118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:47:38.435687065 CET8049743118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:47:38.435708046 CET8049743118.184.169.48192.168.2.10
                                                                                                                                                      Dec 19, 2024 15:47:38.435894012 CET4974380192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:47:38.437139988 CET4974380192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:47:38.437467098 CET4974380192.168.2.10118.184.169.48
                                                                                                                                                      Dec 19, 2024 15:47:38.556803942 CET8049743118.184.169.48192.168.2.10
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 15:44:02.323858976 CET | 59072 | 53 | 192.168.2.10 | 1.1.1.1
Dec 19, 2024 15:44:03.310125113 CET | 59072 | 53 | 192.168.2.10 | 1.1.1.1
Dec 19, 2024 15:44:04.328394890 CET | 59072 | 53 | 192.168.2.10 | 1.1.1.1
Dec 19, 2024 15:44:04.501286030 CET | 53 | 59072 | 1.1.1.1 | 192.168.2.10
Dec 19, 2024 15:44:04.501341105 CET | 53 | 59072 | 1.1.1.1 | 192.168.2.10
Dec 19, 2024 15:44:04.502656937 CET | 53 | 59072 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2024 15:44:02.323858976 CET | 192.168.2.10 | 1.1.1.1 | 0xeec6 | Standard query (0) | www.3322.org | A (IP address) | IN (0x0001) | false
Dec 19, 2024 15:44:03.310125113 CET | 192.168.2.10 | 1.1.1.1 | 0xeec6 | Standard query (0) | www.3322.org | A (IP address) | IN (0x0001) | false
Dec 19, 2024 15:44:04.328394890 CET | 192.168.2.10 | 1.1.1.1 | 0xeec6 | Standard query (0) | www.3322.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 19, 2024 15:44:04.501286030 CET | 1.1.1.1 | 192.168.2.10 | 0xeec6 | No error (0) | www.3322.org | members.3322.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 15:44:04.501286030 CET | 1.1.1.1 | 192.168.2.10 | 0xeec6 | No error (0) | members.3322.net | - | 118.184.169.48 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 15:44:04.501341105 CET | 1.1.1.1 | 192.168.2.10 | 0xeec6 | No error (0) | www.3322.org | members.3322.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 15:44:04.501341105 CET | 1.1.1.1 | 192.168.2.10 | 0xeec6 | No error (0) | members.3322.net | - | 118.184.169.48 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 15:44:04.502656937 CET | 1.1.1.1 | 192.168.2.10 | 0xeec6 | No error (0) | www.3322.org | members.3322.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 15:44:04.502656937 CET | 1.1.1.1 | 192.168.2.10 | 0xeec6 | No error (0) | members.3322.net | - | 118.184.169.48 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 15:44:11.274564981 CET | 1.1.1.1 | 192.168.2.10 | 0xac57 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 15:44:11.274564981 CET | 1.1.1.1 | 192.168.2.10 | 0xac57 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49705 | 118.184.169.48 | 80 | 8136 | C:\Windows\SysWOW64\svchost.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:44:04.655225992 CET | 200 | OUT | Data Raw: 47 68 30 73 74 c8 00 00 00 4c 01 00 00 78 9c 4b 63 5e c8 34 87 81 81 81 8b 01 02 52 bd 18 18 98 40 0c 83 8d 4c 01 51 8f 99 02 e2 53 ca 41 fc 63 40 9a 11 48 b3 00 b1 c2 dd ac d2 86 8b 59 a5 50 2d 60 b1 8b 2d c9 e5 1c d1 8f 21 5a 81 58 e0 81 4f f9
Data Ascii: Gh0stLxKc^4R@LQSAc@HYP-`-!ZXO O5$(.02$8`20436;d`I-K,I%x]zW\'gfa:%\hT+d4
Dec 19, 2024 15:44:06.200011015 CET | 207 | IN | HTTP/1.1 400 Bad request
Content-length: 90
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 72 65 71 75 65 73 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65 6e 74 20 61 6e 20 69 6e 76 61 6c 69 64 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <html><body><h1>400 Bad request</h1>Your browser sent an invalid request.</body></html>
Dec 19, 2024 15:44:06.209244013 CET | 6 | OUT | Data Raw: 47 68 30 73 74
Data Ascii: Gh0st


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49711 | 118.184.169.48 | 80 | 8136 | C:\Windows\SysWOW64\svchost.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:44:15.445149899 CET | 201 | OUT | Data Raw: 47 68 30 73 74 c9 00 00 00 4c 01 00 00 78 9c 4b 63 5e c8 34 87 81 81 81 8b 01 02 52 bd 18 18 98 40 0c 83 8d 4c 01 51 8f 99 02 e2 53 ca 41 fc 63 40 9a 11 48 b3 00 b1 c2 dd ac d2 86 8b 59 a5 50 2d 60 b1 8b 2d c9 e5 1c d1 8f 21 5a 81 58 e0 81 4f 79
Data Ascii: Gh0stLxKc^4R@LQSAc@HYP-`-!ZXOy3Fkr9H>&$,IP\`d}Hp00Xe`hiflKvtxHjQnf^bI*!o:9h5I@,G+z\) N4i
Dec 19, 2024 15:44:17.027765036 CET | 207 | IN | HTTP/1.1 400 Bad request
Content-length: 90
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 72 65 71 75 65 73 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65 6e 74 20 61 6e 20 69 6e 76 61 6c 69 64 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <html><body><h1>400 Bad request</h1>Your browser sent an invalid request.</body></html>
Dec 19, 2024 15:44:17.029967070 CET | 6 | OUT | Data Raw: 47 68 30 73 74
Data Ascii: Gh0st


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.10 | 49716 | 118.184.169.48 | 80 | 8136 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:44:25.905795097 CET | 200 | OUT | Data Raw: 47 68 30 73 74 c8 00 00 00 4c 01 00 00 78 9c 4b 63 5e c8 34 87 81 81 81 8b 01 02 52 bd 18 18 98 40 0c 83 8d 4c 01 51 8f 99 02 e2 53 ca 41 fc 63 40 9a 11 48 b3 00 b1 c2 dd ac d2 86 8b 59 a5 50 2d 60 b1 8b 2d c9 e5 1c d1 8f 21 5a 81 58 e0 81 4f b9
    Data Ascii: Gh0stLxKc^4R@LQSAc@HYP-`-!ZXO3Fkr9H>&$,IP\`d}Hp00Xe`hiflKvP!Ey%K/jtr"LP'q ?7 B<4d
Dec 19, 2024 15:44:28.033689022 CET | 207 | IN | HTTP/1.1 400 Bad request
    Content-length: 90
    Cache-Control: no-cache
    Connection: close
    Content-Type: text/html
    Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 72 65 71 75 65 73 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65 6e 74 20 61 6e 20 69 6e 76 61 6c 69 64 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <html><body><h1>400 Bad request</h1>Your browser sent an invalid request.</body></html>
Dec 19, 2024 15:44:28.034456968 CET | 6 | OUT | Data Raw: 47 68 30 73 74
    Data Ascii: Gh0st


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.10 | 49721 | 118.184.169.48 | 80 | 8136 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:44:36.388107061 CET | 199 | OUT | Data Raw: 47 68 30 73 74 c7 00 00 00 4c 01 00 00 78 9c 4b 63 5e c8 34 87 81 81 81 8b 01 02 52 bd 18 18 98 40 0c 83 8d 4c 01 51 8f 99 02 e2 53 ca 41 fc 63 40 9a 11 48 b3 00 b1 c2 dd ac d2 86 8b 59 a5 50 2d 60 b1 8b 2d c9 e5 1c d1 8f 21 5a 81 58 e0 81 4f f9
    Data Ascii: Gh0stLxKc^4R@LQSAc@HYP-`-!ZXOr|LHnX~^6;``8 CRr3KR)^^6@DN=Z7JA~o@6l5
Dec 19, 2024 15:44:37.940938950 CET | 207 | IN | HTTP/1.1 400 Bad request
    Content-length: 90
    Cache-Control: no-cache
    Connection: close
    Content-Type: text/html
    Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 72 65 71 75 65 73 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65 6e 74 20 61 6e 20 69 6e 76 61 6c 69 64 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <html><body><h1>400 Bad request</h1>Your browser sent an invalid request.</body></html>
Dec 19, 2024 15:44:37.941620111 CET | 6 | OUT | Data Raw: 47 68 30 73 74
    Data Ascii: Gh0st


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.10 | 49726 | 118.184.169.48 | 80 | 8136 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:44:45.584804058 CET | 198 | OUT | Data Raw: 47 68 30 73 74 c6 00 00 00 4c 01 00 00 78 9c 4b 63 5e c8 34 87 81 81 81 8b 01 02 52 bd 18 18 98 40 0c 83 8d 4c 01 51 8f 99 02 e2 53 ca 41 fc 63 40 9a 11 48 b3 00 b1 c2 dd ac d2 86 8b 59 a5 50 2d 60 b1 8b 2d c9 e5 1c d1 8f 21 5a 81 58 e0 81 4f f9
    Data Ascii: Gh0stLxKc^4R@LQSAc@HYP-`-!ZXO O5$(.02$8`20436;TBo}5urF9j&8yVzM)Po@6n5>
Dec 19, 2024 15:44:50.151158094 CET | 207 | IN | HTTP/1.1 400 Bad request
    Content-length: 90
    Cache-Control: no-cache
    Connection: close
    Content-Type: text/html
    Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 72 65 71 75 65 73 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65 6e 74 20 61 6e 20 69 6e 76 61 6c 69 64 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <html><body><h1>400 Bad request</h1>Your browser sent an invalid request.</body></html>
Dec 19, 2024 15:44:50.152445078 CET | 6 | OUT | Data Raw: 47 68 30 73 74
    Data Ascii: Gh0st


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.10 | 49728 | 118.184.169.48 | 80 | 8136 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:44:52.196650982 CET | 199 | OUT | Data Raw: 47 68 30 73 74 c7 00 00 00 4c 01 00 00 78 9c 4b 63 5e c8 34 87 81 81 81 8b 01 02 52 bd 18 18 98 40 0c 83 8d 4c 01 51 8f 99 02 e2 53 ca 41 fc 63 40 9a 11 48 b3 00 b1 c2 dd ac d2 86 8b 59 a5 50 2d 60 b1 8b 2d c9 e5 1c d1 8f 21 5a 81 58 e0 81 4f f9
    Data Ascii: Gh0stLxKc^4R@LQSAc@HYP-`-!ZXOr|LHnX~^6;``8CRr3KR)^^6@DN=Z7JA~o@65
Dec 19, 2024 15:44:53.728612900 CET | 207 | IN | HTTP/1.1 400 Bad request
    Content-length: 90
    Cache-Control: no-cache
    Connection: close
    Content-Type: text/html
    Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 72 65 71 75 65 73 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65 6e 74 20 61 6e 20 69 6e 76 61 6c 69 64 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <html><body><h1>400 Bad request</h1>Your browser sent an invalid request.</body></html>
Dec 19, 2024 15:44:53.729008913 CET | 6 | OUT | Data Raw: 47 68 30 73 74
    Data Ascii: Gh0st


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.10 | 49730 | 118.184.169.48 | 80 | 8136 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:44:57.003295898 CET | 200 | OUT | Data Raw: 47 68 30 73 74 c8 00 00 00 4c 01 00 00 78 9c 4b 63 5e c8 34 87 81 81 81 8b 01 02 52 bd 18 18 98 40 0c 83 8d 4c 01 51 8f 99 02 e2 53 ca 41 fc 63 40 9a 11 48 b3 00 b1 c2 dd ac d2 86 8b 59 a5 50 2d 60 b1 8b 2d c9 e5 1c d1 8f 21 5a 81 58 e0 81 4f 39
    Data Ascii: Gh0stLxKc^4R@LQSAc@HYP-`-!ZXO93Fkr9H>&$,IP\`d}Hp00Xe`hiflKv_HjQnf^bI*!o:9h5I@G+z\) P47
Dec 19, 2024 15:44:58.534293890 CET | 207 | IN | HTTP/1.1 400 Bad request
    Content-length: 90
    Cache-Control: no-cache
    Connection: close
    Content-Type: text/html
    Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 72 65 71 75 65 73 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65 6e 74 20 61 6e 20 69 6e 76 61 6c 69 64 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <html><body><h1>400 Bad request</h1>Your browser sent an invalid request.</body></html>
Dec 19, 2024 15:44:58.575385094 CET | 6 | OUT | Data Raw: 47 68 30 73 74
    Data Ascii: Gh0st


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.10 | 49731 | 118.184.169.48 | 80 | 8136 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:00.650935888 CET | 200 | OUT | Data Raw: 47 68 30 73 74 c8 00 00 00 4c 01 00 00 78 9c 4b 63 5e c8 34 87 81 81 81 8b 01 02 52 bd 18 18 98 40 0c 83 8d 4c 01 51 8f 99 02 e2 53 ca 41 fc 63 40 9a 11 48 b3 00 b1 c2 dd ac d2 86 8b 59 a5 50 2d 60 b1 8b 2d c9 e5 1c d1 8f 21 5a 81 58 e0 81 4f 39
    Data Ascii: Gh0stLxKc^4R@LQSAc@HYP-`-!ZXO93Fkr9H>&$,IP\`d}Hp00Xe`hiflKvP!Ey%K/jtr"LP'qq ?7 4
Dec 19, 2024 15:45:02.231400013 CET | 207 | IN | HTTP/1.1 400 Bad request
    Content-length: 90
    Cache-Control: no-cache
    Connection: close
    Content-Type: text/html
    Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 72 65 71 75 65 73 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65 6e 74 20 61 6e 20 69 6e 76 61 6c 69 64 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <html><body><h1>400 Bad request</h1>Your browser sent an invalid request.</body></html>
Dec 19, 2024 15:45:02.309900999 CET | 6 | OUT | Data Raw: 47 68 30 73 74
    Data Ascii: Gh0st


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.10 | 49732 | 118.184.169.48 | 80 | 8136 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:03.521797895 CET | 199 | OUT | Data Raw: 47 68 30 73 74 c7 00 00 00 4c 01 00 00 78 9c 4b 63 5e c8 34 87 81 81 81 8b 01 02 52 bd 18 18 98 40 0c 83 8d 4c 01 51 8f 99 02 e2 53 ca 41 fc 63 40 9a 11 48 b3 00 b1 c2 dd ac d2 86 8b 59 a5 50 2d 60 b1 8b 2d c9 e5 1c d1 8f 21 5a 81 58 e0 81 4f f9
    Data Ascii: Gh0stLxKc^4R@LQSAc@HYP-`-!ZXOr|LHnX~^6;``8 CRr3KR)^^6@DN=Z7JA~o@6l5
Dec 19, 2024 15:45:05.052277088 CET | 207 | IN | HTTP/1.1 400 Bad request
    Content-length: 90
    Cache-Control: no-cache
    Connection: close
    Content-Type: text/html
    Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 72 65 71 75 65 73 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65 6e 74 20 61 6e 20 69 6e 76 61 6c 69 64 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <html><body><h1>400 Bad request</h1>Your browser sent an invalid request.</body></html>
Dec 19, 2024 15:45:05.052834034 CET | 6 | OUT | Data Raw: 47 68 30 73 74
    Data Ascii: Gh0st


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.10 | 49733 | 118.184.169.48 | 80 | 8136 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:05.535254955 CET | 198 | OUT | Data Raw: 47 68 30 73 74 c6 00 00 00 4c 01 00 00 78 9c 4b 63 5e c8 34 87 81 81 81 8b 01 02 52 bd 18 18 98 40 0c 83 8d 4c 01 51 8f 99 02 e2 53 ca 41 fc 63 40 9a 11 48 b3 00 b1 c2 dd ac d2 86 8b 59 a5 50 2d 60 b1 8b 2d c9 e5 1c d1 8f 21 5a 81 58 e0 81 4f f9
    Data Ascii: Gh0stLxKc^4R@LQSAc@HYP-`-!ZXO O5$(.02$8`20436;TBo}5urF9j&8yVzMPo@65


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.10 | 49734 | 118.184.169.48 | 80 | 8136 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:07.500119925 CET | 199 | OUT | Data Raw: 47 68 30 73 74 c7 00 00 00 4c 01 00 00 78 9c 4b 63 5e c8 34 87 81 81 81 8b 01 02 52 bd 18 18 98 40 0c 83 8d 4c 01 51 8f 99 02 e2 53 ca 41 fc 63 40 9a 11 48 b3 00 b1 c2 dd ac d2 86 8b 59 a5 50 2d 60 b1 8b 2d c9 e5 1c d1 8f 21 5a 81 58 e0 81 4f f9
    Data Ascii: Gh0stLxKc^4R@LQSAc@HYP-`-!ZXO O5$(.02$8`20436;5$(73/$u[_M{7nsQA$ ``^~S=T5


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.10 | 49735 | 118.184.169.48 | 80 | 8136 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:08.550323963 CET | 200 | OUT | Data Raw: 47 68 30 73 74 c8 00 00 00 4c 01 00 00 78 9c 4b 63 5e c8 34 87 81 81 81 8b 01 02 52 bd 18 18 98 40 0c 83 8d 4c 01 51 8f 99 02 e2 53 ca 41 fc 63 40 9a 11 48 b3 00 b1 c2 dd ac d2 86 8b 59 a5 50 2d 60 b1 8b 2d c9 e5 1c d1 8f 21 5a 81 58 e0 81 4f b9
    Data Ascii: Gh0stLxKc^4R@LQSAc@HYP-`-!ZXO3Fkr9H>&$,IP\`d}Hp00Xe`hiflKv!Ey%K/jtr"LP'qq ?7 4@


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.10 | 49736 | 118.184.169.48 | 80 | 8136 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:09.374412060 CET | 200 | OUT | Data Raw: 47 68 30 73 74 c8 00 00 00 4c 01 00 00 78 9c 4b 63 5e c8 34 87 81 81 81 8b 01 02 52 bd 18 18 98 40 0c 83 8d 4c 01 51 8f 99 02 e2 53 ca 41 fc 63 40 9a 11 48 b3 00 b1 c2 dd ac d2 86 8b 59 a5 50 2d 60 b1 8b 2d c9 e5 1c d1 8f 21 5a 81 58 e0 81 4f b9
    Data Ascii: Gh0stLxKc^4R@LQSAc@HYP-`-!ZXO3Fkr9H>&$,IP\`d}Hp00Xe`hiflKvP!Ey%K/jtr"LP'qq ?7 %(4`


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.10 | 49737 | 118.184.169.48 | 80 | 8136 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:10.416958094 CET | 200 | OUT | Data Raw: 47 68 30 73 74 c8 00 00 00 4c 01 00 00 78 9c 4b 63 5e c8 34 87 81 81 81 8b 01 02 52 bd 18 18 98 40 0c 83 8d 4c 01 51 8f 99 02 e2 53 ca 41 fc 63 40 9a 11 48 b3 00 b1 c2 dd ac d2 86 8b 59 a5 50 2d 60 b1 8b 2d c9 e5 1c d1 8f 21 5a 81 58 e0 81 4f 39
    Data Ascii: Gh0stLxKc^4R@LQSAc@HYP-`-!ZXO93Fkr9H>&$,IP\`d}Hp00Xe`hiflKv!Ey%K/jtr"LP'qq ?7 4


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.10 | 49738 | 118.184.169.48 | 80 | 8136 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:10.912323952 CET | 198 | OUT | Data Raw: 47 68 30 73 74 c6 00 00 00 4c 01 00 00 78 9c 4b 63 5e c8 34 87 81 81 81 8b 01 02 52 bd 18 18 98 40 0c 83 8d 4c 01 51 8f 99 02 e2 53 ca 41 fc 63 40 9a 11 48 b3 00 b1 c2 dd ac d2 86 8b 59 a5 50 2d 60 b1 8b 2d c9 e5 1c d1 8f 21 5a 81 58 e0 81 4f 79
    Data Ascii: Gh0stLxKc^4R@LQSAc@HYP-`-!ZXOy\moA`f_`V0qZqHjQnf^bI*!o:9h5I@G+z\iT|5


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.10 | 49739 | 118.184.169.48 | 80 | 8136 | C:\Windows\SysWOW64\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 15:45:11.376595020 CET | 200 | OUT | Data Raw: 47 68 30 73 74 c8 00 00 00 4c 01 00 00 78 9c 4b 63 5e c8 34 87 81 81 81 8b 01 02 52 bd 18 18 98 40 0c 83 8d 4c 01 51 8f 99 02 e2 53 ca 41 fc 63 40 9a 11 48 b3 00 b1 c2 dd ac d2 86 8b 59 a5 50 2d 60 b1 8b 2d c9 e5 1c d1 8f 21 5a 81 58 e0 81 4f b9
    Data Ascii: Gh0stLxKc^4R@LQSAc@HYP-`-!ZXO3Fkr9H>&$,IP\`d}Hp00Xe`hiflKv!Ey%K/jtr"LP'qq ?7 P41


                                                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                      16192.168.2.1049741118.184.169.48808136C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                      TimestampBytes transferredDirectionData
                                                                                                                                                      Dec 19, 2024 15:45:52.201020002 CET200OUTData Raw: 47 68 30 73 74 c8 00 00 00 4c 01 00 00 78 9c 4b 63 5e c8 34 87 81 81 81 8b 01 02 52 bd 18 18 98 40 0c 83 8d 4c 01 51 8f 99 02 e2 53 ca 41 fc 63 40 9a 11 48 b3 00 b1 c2 dd ac d2 86 8b 59 a5 50 2d 60 b1 8b 2d c9 e5 1c d1 8f 21 5a 81 58 e0 81 4f f9
                                                                                                                                                      Data Ascii: Gh0stLxKc^4R@LQSAc@HYP-`-!ZXOfr|LHnX~^6;``8TBo}5urF9j&8yVzMRA5
                                                                                                                                                      Dec 19, 2024 15:45:53.680025101 CET207INHTTP/1.1 400 Bad request
                                                                                                                                                      Content-length: 90
                                                                                                                                                      Cache-Control: no-cache
                                                                                                                                                      Connection: close
                                                                                                                                                      Content-Type: text/html
                                                                                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 72 65 71 75 65 73 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65 6e 74 20 61 6e 20 69 6e 76 61 6c 69 64 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                                                      Data Ascii: <html><body><h1>400 Bad request</h1>Your browser sent an invalid request.</body></html>
                                                                                                                                                      Dec 19, 2024 15:45:53.680461884 CET6OUTData Raw: 47 68 30 73 74
                                                                                                                                                      Data Ascii: Gh0st


                                                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                      17192.168.2.1049742118.184.169.48808136C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                      TimestampBytes transferredDirectionData
                                                                                                                                                      Dec 19, 2024 15:46:44.638463020 CET200OUTData Raw: 47 68 30 73 74 c8 00 00 00 4c 01 00 00 78 9c 4b 63 5e c8 34 87 81 81 81 8b 01 02 52 bd 18 18 98 40 0c 83 8d 4c 01 51 8f 99 02 e2 53 ca 41 fc 63 40 9a 11 48 b3 00 b1 c2 dd ac d2 86 8b 59 a5 50 2d 60 b1 8b 2d c9 e5 1c d1 8f 21 5a 81 58 e0 81 4f 79
                                                                                                                                                      Data Ascii: Gh0stLxKc^4R@LQSAc@HYP-`-!ZXOy3Fkr9H>&$,IP\`d}Hp00Xe`hiflKvP!Ey%K/jtr"LP'q ?7 ul4
                                                                                                                                                      Dec 19, 2024 15:46:46.111130953 CET207INHTTP/1.1 400 Bad request
                                                                                                                                                      Content-length: 90
                                                                                                                                                      Cache-Control: no-cache
                                                                                                                                                      Connection: close
                                                                                                                                                      Content-Type: text/html
                                                                                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 72 65 71 75 65 73 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65 6e 74 20 61 6e 20 69 6e 76 61 6c 69 64 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                                                      Data Ascii: <html><body><h1>400 Bad request</h1>Your browser sent an invalid request.</body></html>
                                                                                                                                                      Dec 19, 2024 15:46:46.138207912 CET6OUTData Raw: 47 68 30 73 74
                                                                                                                                                      Data Ascii: Gh0st


                                                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                      18192.168.2.1049743118.184.169.48808136C:\Windows\SysWOW64\svchost.exe
                                                                                                                                                      TimestampBytes transferredDirectionData
                                                                                                                                                      Dec 19, 2024 15:47:36.876470089 CET200OUTData Raw: 47 68 30 73 74 c8 00 00 00 4c 01 00 00 78 9c 4b 63 5e c8 34 87 81 81 81 8b 01 02 52 bd 18 18 98 40 0c 83 8d 4c 01 51 8f 99 02 e2 53 ca 41 fc 63 40 9a 11 48 b3 00 b1 c2 dd ac d2 86 8b 59 a5 50 2d 60 b1 8b 2d c9 e5 1c d1 8f 21 5a 81 58 e0 81 4f f9
                                                                                                                                                      Data Ascii: Gh0stLxKc^4R@LQSAc@HYP-`-!ZXOfr|LHnX~^6;``8 CRr3KR)^^6@DNb=Z7JA~o@65l
                                                                                                                                                      Dec 19, 2024 15:47:38.435687065 CET207INHTTP/1.1 400 Bad request
                                                                                                                                                      Content-length: 90
                                                                                                                                                      Cache-Control: no-cache
                                                                                                                                                      Connection: close
                                                                                                                                                      Content-Type: text/html
                                                                                                                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 72 65 71 75 65 73 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65 6e 74 20 61 6e 20 69 6e 76 61 6c 69 64 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                                                      Data Ascii: <html><body><h1>400 Bad request</h1>Your browser sent an invalid request.</body></html>
                                                                                                                                                      Dec 19, 2024 15:47:38.437139988 CET6OUTData Raw: 47 68 30 73 74
                                                                                                                                                      Data Ascii: Gh0st



Target ID: 0
Start time: 09:43:58
Start date: 19/12/2024
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll"
Imagebase: 0xb70000
File size: 126'464 bytes
MD5 hash: 51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 09:43:59
Start date: 19/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff620390000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 09:43:59
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",#1
Imagebase: 0xd70000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 09:43:59
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",#1
Imagebase: 0xc30000
File size: 61'440 bytes
MD5 hash: 889B99C52A60DD49227C5E485A016679
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 09:43:59
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\I3FtIOCni3.dll,EndWork
Imagebase: 0xc30000
File size: 61'440 bytes
MD5 hash: 889B99C52A60DD49227C5E485A016679
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 09:44:00
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\svchost.exe -k imgsvc
Imagebase: 0x700000
File size: 46'504 bytes
MD5 hash: 1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 09:44:01
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\svchost.exe -k imgsvc
Imagebase: 0x700000
File size: 46'504 bytes
MD5 hash: 1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000007.00000003.1475834964.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: gh0st, Description: unknown, Source: 00000007.00000003.1475834964.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, Author: https://github.com/jackcr/
Reputation: high
Has exited: false

Target ID: 8
Start time: 09:44:02
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\I3FtIOCni3.dll,Runing
Imagebase: 0xc30000
File size: 61'440 bytes
MD5 hash: 889B99C52A60DD49227C5E485A016679
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 09:44:05
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\I3FtIOCni3.dll,ServiceMain
Imagebase: 0xc30000
File size: 61'440 bytes
MD5 hash: 889B99C52A60DD49227C5E485A016679
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                                                      Target ID:10
                                                                                                                                                      Start time:09:44:06
                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                                                      Imagebase:0x7ff7df220000
                                                                                                                                                      File size:55'320 bytes
                                                                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:11
                                                                                                                                                      Start time:09:44:06
                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1268 -ip 1268
                                                                                                                                                      Imagebase:0xbf0000
                                                                                                                                                      File size:483'680 bytes
                                                                                                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:12
                                                                                                                                                      Start time:09:44:07
                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 708
                                                                                                                                                      Imagebase:0xbf0000
                                                                                                                                                      File size:483'680 bytes
                                                                                                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:13
                                                                                                                                                      Start time:09:44:08
                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                                      Imagebase:0x7ff7df220000
                                                                                                                                                      File size:55'320 bytes
                                                                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:14
                                                                                                                                                      Start time:09:44:09
                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",EndWork
                                                                                                                                                      Imagebase:0xc30000
                                                                                                                                                      File size:61'440 bytes
                                                                                                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:15
                                                                                                                                                      Start time:09:44:09
                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",Runing
                                                                                                                                                      Imagebase:0xc30000
                                                                                                                                                      File size:61'440 bytes
                                                                                                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:16
                                                                                                                                                      Start time:09:44:09
                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",ServiceMain
                                                                                                                                                      Imagebase:0xc30000
                                                                                                                                                      File size:61'440 bytes
                                                                                                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:17
                                                                                                                                                      Start time:09:44:09
                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:rundll32.exe "C:\Users\user\Desktop\I3FtIOCni3.dll",Working
                                                                                                                                                      Imagebase:0xc30000
                                                                                                                                                      File size:61'440 bytes
                                                                                                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:18
                                                                                                                                                      Start time:09:44:09
                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4536 -ip 4536
                                                                                                                                                      Imagebase:0xbf0000
                                                                                                                                                      File size:483'680 bytes
                                                                                                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Has exited:true

                                                                                                                                                      Target ID:19
                                                                                                                                                      Start time:09:44:09
                                                                                                                                                      Start date:19/12/2024
                                                                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 736
                                                                                                                                                      Imagebase:0xbf0000
                                                                                                                                                      File size:483'680 bytes
                                                                                                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Has exited:true


Execution Graph

Execution Coverage: 3.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 14%
Total number of Nodes: 1491
Total number of Limit Nodes: 5

execution_graph: interactive call-graph data (node ids, code addresses and the API names called at each node, rendered by the report viewer) not reproduced here.
100026e0 32 API calls 5125->5126 5127 10006b59 LocalFree 5126->5127 5127->5124 5128 10005810 5129 10001e50 7 API calls 5128->5129 5130 10005834 5129->5130 5131 10002100 29 API calls 5130->5131 5132 10005853 5131->5132 5133 10005885 5132->5133 5134 10005857 5132->5134 5143 10006bc0 5133->5143 5135 10002000 19 API calls 5134->5135 5137 1000586b 5135->5137 5140 100058a4 5141 10002000 19 API calls 5140->5141 5142 100058c9 5141->5142 5144 10006a00 2 API calls 5143->5144 5145 10006be9 CreateDirectoryA puts 5144->5145 5147 10006b20 32 API calls 5145->5147 5148 10006c6e 5147->5148 5154 10006b90 WaitForSingleObject Sleep 5148->5154 5150 10006c75 5151 10009c10 5 API calls 5150->5151 5152 10005893 5151->5152 5153 100023d0 WaitForSingleObject 5152->5153 5153->5140 5154->5150 5155 1000a410 5156 1000a420 GetProcAddress 5155->5156 5160 10007620 LoadLibraryA GetProcAddress 5161 1000764f FreeLibrary 5160->5161 5163 1000ae20 5164 1000ae30 GetProcAddress 5163->5164 5165 1000ae8e 5163->5165 5168 1000ae52 GetProcAddress 5164->5168 5166 1000ae95 ??3@YAXPAX 5165->5166 5167 1000ae9e 5165->5167 5166->5167 5169 1000ae63 GetProcAddress 5168->5169 5170 1000ae71 GetProcAddress 5169->5170 5171 1000ae82 FreeLibrary 5170->5171 5171->5165 6191 10009320 LoadLibraryA GetProcAddress 6192 100093d2 putchar 6191->6192 6193 100093b9 6191->6193 6195 100093f3 putchar 6192->6195 6193->6192 6194 100093c2 6193->6194 6198 10006bb0 SetEvent 6194->6198 6197 100093c9 6198->6197 6206 10007930 6207 10007975 6206->6207 6208 10007967 6206->6208 6208->6207 6209 10007ab1 6208->6209 6210 100079d2 6208->6210 6211 10007a97 6208->6211 6212 10007988 6208->6212 6213 100079a8 6208->6213 6214 100079ea putchar 6208->6214 6215 10007a6d 6208->6215 6216 1000796e 6208->6216 6254 10008020 6209->6254 6236 10009ed0 LoadLibraryA GetProcAddress 6210->6236 6247 10008090 6211->6247 6222 100077f0 28 API calls 6212->6222 6235 10008900 InterlockedExchange 6213->6235 6220 100079fe 6214->6220 6223 10008c50 InterlockedExchange 6215->6223 6234 
10006bb0 SetEvent 6216->6234 6243 10007e40 6220->6243 6228 10007995 6222->6228 6229 10007a84 6223->6229 6230 100079bf 6233 10007a1e 6234->6207 6235->6230 6237 10009eed _strrev 6236->6237 6260 10009e80 6237->6260 6240 10009f38 6242 100079d7 6240->6242 6265 10009e00 LoadLibraryA GetProcAddress 6240->6265 6244 10007e58 6243->6244 6246 10007a0c putchar 6243->6246 6245 10009d20 3 API calls 6244->6245 6245->6246 6246->6233 6248 100080a0 6247->6248 6249 100080c1 GlobalSize GlobalLock ??2@YAPAXI GlobalUnlock 6248->6249 6251 10007a9e 6248->6251 6250 1000810b 6249->6250 6252 10006b20 32 API calls 6250->6252 6253 10008116 ??3@YAXPAX 6252->6253 6253->6251 6255 10008028 6254->6255 6256 10007abf 6255->6256 6257 10008034 GlobalAlloc 6255->6257 6257->6256 6258 1000804a GlobalLock GlobalUnlock 6257->6258 6259 10008078 GlobalFree 6258->6259 6259->6256 6262 10009e92 6260->6262 6261 10009ea7 6261->6240 6262->6261 6263 10009e00 2 API calls 6262->6263 6264 10009eaf 6263->6264 6264->6240 6266 10009e21 6265->6266 6266->6242 5175 10003630 putchar 5176 10003693 putchar 5175->5176 5178 100036a6 5176->5178 5177 100036c5 putchar 5177->5178 5178->5177 5179 100036fb putchar 5178->5179 5180 10003709 putchar Sleep 5179->5180 5180->5177 5181 10003727 5180->5181 6283 1000c130 _strrev 6284 1000c18b 6283->6284 6285 100066b0 13 API calls 6284->6285 6286 1000c223 putchar 6284->6286 6285->6284 6286->6284 6287 1000c930 CreateFileA 6288 1000c970 ReadFile CloseHandle DeleteFileA strstr 6287->6288 6289 1000c95e 6287->6289 6290 1000ca06 6288->6290 6291 1000ca18 strncpy 6288->6291 6292 1000ca80 DeleteFileA DeleteFileA Sleep 6291->6292 6292->6292 6293 1000ca9b 6292->6293 6294 10005730 6295 10001e50 7 API calls 6294->6295 6296 10005754 6295->6296 6297 10002100 29 API calls 6296->6297 6298 10005773 6297->6298 6299 100057a5 6298->6299 6300 10005777 6298->6300 6311 10008e10 6299->6311 6302 10002000 19 API calls 6300->6302 6303 1000578b 6302->6303 6306 100057c4 6338 100091d0 putchar GetProcAddress 6306->6338 6309 
10002000 19 API calls 6310 100057e9 6309->6310 6312 10006a00 2 API calls 6311->6312 6313 10008e42 LoadLibraryA GetProcAddress LoadLibraryA GetProcAddress 6312->6313 6314 10008fab 6313->6314 6315 10008fd0 6314->6315 6316 10008faf 6314->6316 6320 10008fe4 6315->6320 6321 10009005 putchar GetStartupInfoA putchar putchar 6315->6321 6317 10008fbb CloseHandle 6316->6317 6318 10008fbe 6316->6318 6317->6318 6319 10008fc8 CloseHandle 6318->6319 6336 100057b3 6318->6336 6319->6336 6322 10008ff0 CloseHandle 6320->6322 6323 10008ff3 6320->6323 6325 1000908c putchar putchar GetProcAddress 6321->6325 6322->6323 6324 10008ffd CloseHandle 6323->6324 6323->6336 6324->6336 6326 10009101 6325->6326 6327 10009105 putchar CloseHandle CloseHandle CloseHandle CloseHandle 6326->6327 6328 1000912b 6326->6328 6327->6336 6329 10006b20 32 API calls 6328->6329 6330 1000914c 6329->6330 6349 10006b90 WaitForSingleObject Sleep 6330->6349 6332 10009153 6333 10009c10 5 API calls 6332->6333 6334 10009168 6333->6334 6335 10009c10 5 API calls 6334->6335 6335->6336 6337 100023d0 WaitForSingleObject 6336->6337 6337->6306 6339 10009228 putchar GetProcAddress 6338->6339 6340 10009245 putchar 6339->6340 6341 10009254 putchar WaitForSingleObject putchar 6340->6341 6342 10009279 GetProcAddress 6341->6342 6343 10009290 GetProcAddress 6342->6343 6345 100092c6 FreeLibrary 6343->6345 6350 10006af0 CloseHandle 6345->6350 6348 100057d5 6348->6309 6349->6332 6350->6348 6267 10005d30 6268 10005d53 malloc strrchr 6267->6268 6269 10005d4a 6267->6269 6271 10005d93 6268->6271 6272 10005d88 6268->6272 6273 10009f80 11 API calls 6271->6273 6274 10005d9a 6273->6274 6275 10005da1 6274->6275 6276 10005dac CreateProcessA 6274->6276 6277 10003530 LoadLibraryA GetProcAddress GetProcAddress GetProcAddress 6278 10003590 puts 6277->6278 6279 10003604 puts FreeLibrary Sleep 6277->6279 6280 100035ab puts 6278->6280 6281 100035cc puts 6280->6281 6282 100035d9 puts Sleep puts 6281->6282 6282->6278 6282->6279 5185 10003840 putchar 5186 
10003883 putchar 5185->5186 5187 10003895 putchar 5186->5187 5188 100039aa 5186->5188 5189 100038b4 5187->5189 5189->5188 5190 100038bd putchar 5189->5190 5198 10002960 5190->5198 5194 1000392d putchar Sleep putchar GetTickCount putchar 5196 1000391f 5194->5196 5195 1000396c putchar 5195->5196 5196->5188 5196->5194 5196->5195 5197 1000399a putchar 5196->5197 5197->5188 5197->5194 5199 1000296c putchar putchar GetProcessHeap HeapAlloc 5198->5199 5200 100037a0 GetCurrentProcessId 5199->5200 5201 100037eb 5200->5201 5203 1000380c 5201->5203 5204 100029b0 GetLocalTime 5201->5204 5203->5196 5205 10002a02 rand GetTickCount 5204->5205 5206 100029cd 5204->5206 5205->5201 5206->5205 5207 100029d2 rand GetTickCount 5206->5207 5207->5201 5208 1000a840 5213 1000a860 InterlockedExchange WaitForSingleObject CloseHandle 5208->5213 5211 1000a858 5212 1000a84f ??3@YAXPAX 5212->5211 5216 10006af0 CloseHandle 5213->5216 5215 1000a848 5215->5211 5215->5212 5216->5215 5217 1000fa40 calloc 5218 10001a40 5219 10001a60 2 API calls 5218->5219 5220 10001a48 5219->5220 5221 10001a58 5220->5221 5222 10001a4f ??3@YAXPAX 5220->5222 5222->5221 6360 10004147 6361 1000414e free 6360->6361 6362 10004157 6361->6362 5226 10005650 5227 10001e50 7 API calls 5226->5227 5228 10005674 5227->5228 5229 10002100 29 API calls 5228->5229 5230 10005693 5229->5230 5231 100056c5 5230->5231 5232 10005697 5230->5232 5243 10003d10 5231->5243 5234 10002000 19 API calls 5232->5234 5235 100056ab 5234->5235 5238 100056e7 5249 10003db0 5238->5249 5241 10002000 19 API calls 5242 1000570f 5241->5242 5244 10006a00 2 API calls 5243->5244 5245 10003d37 ??2@YAPAXI 5244->5245 5257 100041e0 GetLogicalDriveStringsA LoadLibraryA GetProcAddress 5245->5257 5248 100023d0 WaitForSingleObject 5248->5238 5250 10003dea ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N ??3@YAXPAX 5249->5250 5254 10003e1c 5249->5254 5250->5250 5250->5254 5251 10003e72 ??3@YAXPAX 5273 10006af0 CloseHandle 5251->5273 5253 10003e95 
5253->5241 5254->5251 5267 100055f0 5254->5267 5258 1000439e FreeLibrary 5257->5258 5266 10004257 5257->5266 5259 10006b20 32 API calls 5258->5259 5261 10003d78 5259->5261 5260 1000425b GetVolumeInformationA 5262 1000429a lstrlenA lstrlenA 5260->5262 5261->5248 5262->5266 5263 100042c8 GetDiskFreeSpaceExA 5263->5266 5264 10004311 GetDriveTypeA lstrlenA 5265 1000439a 5264->5265 5264->5266 5265->5258 5266->5260 5266->5263 5266->5264 5268 10005608 5267->5268 5269 100055fa 5267->5269 5271 10005634 ??3@YAXPAX 5268->5271 5272 10003e5e ??3@YAXPAX 5268->5272 5269->5268 5270 1000560e ??3@YAXPAX 5269->5270 5270->5268 5271->5272 5272->5251 5272->5254 5273->5253 5274 10007250 sprintf FindFirstFileA 5275 100072c4 5274->5275 5276 100072d5 FindNextFileA 5274->5276 5277 1000746f FindClose 5276->5277 5285 1000733a 5276->5285 5278 10007456 FindNextFileA 5281 1000746e 5278->5281 5278->5285 5279 10007346 _stricmp 5279->5278 5280 10007363 _stricmp 5279->5280 5280->5278 5282 1000737a sprintf GetModuleHandleA 5280->5282 5281->5277 5283 100073c0 LoadLibraryA 5282->5283 5282->5285 5283->5285 5284 100073de GetProcAddress 5284->5285 5285->5278 5285->5279 5285->5284 5286 100073f2 FreeLibrary 5285->5286 5287 10007405 sprintf 5285->5287 5289 10006b20 32 API calls 5285->5289 5286->5278 5287->5285 5288 10007429 FreeLibrary 5287->5288 5288->5285 5289->5278 6374 1000a350 6379 1000a490 6374->6379 6376 1000a358 6377 1000a368 6376->6377 6378 1000a35f ??3@YAXPAX 6376->6378 6378->6377 6380 1000a502 CloseHandle FreeLibrary 6379->6380 6381 1000a4b0 6379->6381 6380->6376 6382 1000a4f2 6381->6382 6383 1000a4e9 ??3@YAXPAX 6381->6383 6382->6380 6384 1000a4f9 ??3@YAXPAX 6382->6384 6383->6382 6384->6380 5293 10002a55 5294 10002a9b 5293->5294 5295 10002a7b 5293->5295 5296 10002a8a Sleep 5295->5296 5297 10002aad 5295->5297 5296->5294 5296->5295 5301 1000fa60 free 5305 10001665 GetProcAddress 5307 1000168b 5305->5307 5306 100016a9 SetEvent WaitForSingleObject 5306->5307 5307->5306 5308 1000170a 5307->5308 5408 
10006070 5409 1000607a 5408->5409 5410 10006208 5409->5410 5411 100060a2 InterlockedExchange 5409->5411 5412 100060bd 5409->5412 5413 100061f0 5409->5413 5414 10006191 5409->5414 5415 10006233 RegCreateKeyExA RegSetValueExA RegCloseKey 5409->5415 5416 10006295 5409->5416 5417 100061d8 5409->5417 5418 10006219 5409->5418 5428 1000629c 5409->5428 5425 10009c10 5 API calls 5412->5425 5421 10005e90 3 API calls 5413->5421 5419 10009c10 5 API calls 5414->5419 5442 10005e00 strrchr 5416->5442 5433 10005e90 5417->5433 5437 100099c0 5418->5437 5427 100061a7 Sleep 5419->5427 5431 100061f9 5421->5431 5432 10006168 5425->5432 5428->5410 5449 10006570 7 API calls 5428->5449 5429 100061e1 5430 100062ae 5434 10005ea7 5433->5434 5435 10005eaf LoadLibraryA GetProcAddress 5433->5435 5434->5429 5436 10005ef5 FreeLibrary 5435->5436 5436->5429 5438 1000b920 4 API calls 5437->5438 5439 100099ca 5438->5439 5440 1000b920 4 API calls 5439->5440 5441 10006224 5440->5441 5443 10005e22 5442->5443 5444 10005e1a 5442->5444 5445 10009f80 11 API calls 5443->5445 5444->5428 5446 10005e29 5445->5446 5447 10005e30 5446->5447 5448 10005e36 CreateProcessA 5446->5448 5447->5428 5448->5428 5450 10006651 putchar CloseServiceHandle putchar CloseServiceHandle 5449->5450 5454 1000b540 5450->5454 5453 1000668c 5453->5430 5455 10006676 Sleep 5454->5455 5455->5453 5309 10007c70 5318 10007b10 5309->5318 5311 10007c99 5324 10006b90 WaitForSingleObject Sleep 5311->5324 5313 10007ca0 5325 10007b90 5313->5325 5315 10007cc4 5316 10007ca7 5316->5315 5333 10007c00 5316->5333 5341 10008c80 5318->5341 5321 10007b4f 5322 10006b20 32 API calls 5321->5322 5323 10007b71 VirtualFree 5322->5323 5323->5311 5324->5313 5343 10008ad0 GetProcAddress 5325->5343 5327 10007ba6 5328 10007bf5 5327->5328 5329 10007bb7 ??2@YAPAXI 5327->5329 5328->5316 5329->5328 5330 10007bc9 5329->5330 5331 10006b20 32 API calls 5330->5331 5332 10007bec ??3@YAXPAX 5331->5332 5332->5328 5345 10008600 5333->5345 5335 10007c1a 5336 10007c68 5335->5336 5337 
10007c28 ??2@YAPAXI 5335->5337 5336->5316 5337->5336 5338 10007c3a 5337->5338 5339 10006b20 32 API calls 5338->5339 5340 10007c5e ??3@YAXPAX 5339->5340 5340->5336 5342 10007b28 VirtualAlloc 5341->5342 5342->5321 5344 10008b02 5343->5344 5344->5327 5346 10008617 5345->5346 5347 100087da 5345->5347 5346->5347 5364 10008cb0 5346->5364 5347->5335 5349 10008625 5350 10008683 LoadLibraryA GetProcAddress 5349->5350 5351 100086b3 5349->5351 5354 100086a7 FreeLibrary 5350->5354 5352 10008729 5351->5352 5353 100086d9 5351->5353 5362 1000874d 5352->5362 5371 100087f0 GetProcAddress 5352->5371 5367 10008cf0 GetProcAddress 5353->5367 5354->5351 5357 100086f6 5357->5335 5358 10008777 GetTickCount 5360 100087c3 GetTickCount InterlockedExchange 5358->5360 5361 100087ac 5358->5361 5359 100087f0 5 API calls 5359->5362 5360->5335 5363 100087b2 Sleep GetTickCount 5361->5363 5362->5358 5362->5359 5363->5360 5363->5363 5376 10009d20 LoadLibraryA GetProcAddress 5364->5376 5368 10008d15 Sleep 5367->5368 5370 10008d50 5367->5370 5368->5370 5370->5357 5372 10008827 5371->5372 5373 100088ed 5372->5373 5380 10008b10 GetProcAddress 5372->5380 5373->5362 5377 10009d4b lstrcmpiA 5376->5377 5379 10008cb9 5377->5379 5379->5349 5381 10008b83 GetProcAddress 5380->5381 5382 10008ba4 GetProcAddress 5381->5382 5383 10008bd4 5382->5383 5384 10008c0f GetProcAddress 5383->5384 5385 100088e3 5384->5385 5385->5362 5386 10005c70 5387 10005c93 malloc strrchr 5386->5387 5388 10005c8a 5386->5388 5390 10005cd3 5387->5390 5391 10005cc8 5387->5391 5396 10009f80 6 API calls 5390->5396 5393 10005cda 5394 10005ce1 5393->5394 5395 10005cec CreateProcessA 5393->5395 5397 1000a0d8 5396->5397 5398 1000a0eb GetProcAddress 5397->5398 5399 1000a0de 5397->5399 5400 1000a109 5398->5400 5399->5393 5401 1000a120 GetProcAddress 5400->5401 5402 1000a113 5400->5402 5405 1000a14a 5401->5405 5402->5393 5403 1000a1c3 GetProcAddress 5404 1000a1d0 FreeLibrary 5403->5404 5404->5393 5405->5403 5407 1000a1b4 CloseHandle 5405->5407 
5407->5403 5459 10007670 LoadLibraryA GetProcAddress 5460 100076a2 FreeLibrary 5459->5460 5462 100076c8 5460->5462 5463 100076bf ??3@YAXPAX 5460->5463 5463->5462 5464 10006e70 5465 10006ebb 5464->5465 5467 10006efd 5464->5467 5468 10006ec1 5465->5468 5469 10006ed5 5465->5469 5466 100071a1 _strrev sprintf 5470 10007205 5466->5470 5467->5466 5471 10006f10 strncpy GetModuleHandleA 5467->5471 5472 10006fea 5467->5472 5500 10006bb0 SetEvent 5468->5500 5469->5466 5474 10006edd 5469->5474 5501 10006ce0 LoadLibraryA GetProcAddress LoadLibraryA GetProcAddress 5470->5501 5479 10006f95 sprintf 5471->5479 5480 10006f47 GetProcAddress 5471->5480 5475 100070b1 5472->5475 5476 10006ff2 strncpy sprintf LoadLibraryA 5472->5476 5477 10009c10 5 API calls 5474->5477 5475->5466 5486 100070b9 strncpy sprintf GetModuleHandleA 5475->5486 5482 10007065 GetProcAddress 5476->5482 5483 10007238 5476->5483 5484 10006eed 5477->5484 5490 10006fdd 5479->5490 5480->5483 5485 10006f5b 5480->5485 5481 10006ec8 5482->5483 5487 10007079 5482->5487 5491 10006b20 32 API calls 5485->5491 5488 10007142 GetProcAddress 5486->5488 5489 10007127 LoadLibraryA 5486->5489 5492 10006b20 32 API calls 5487->5492 5488->5483 5494 10007156 5488->5494 5493 10006f8a 5491->5493 5495 100070a4 5492->5495 5493->5479 5496 10006f8e FreeLibrary 5493->5496 5497 10006b20 32 API calls 5494->5497 5496->5479 5498 10007185 5497->5498 5498->5483 5499 1000718d FreeLibrary 5498->5499 5500->5481 5502 10006e15 5501->5502 5503 10006e26 SetFilePointer 5502->5503 5504 10006e1c 5502->5504 5505 10006e39 CloseHandle 5503->5505 5504->5483 5505->5483 6392 10001170 6397 10001190 21 API calls 6392->6397 6394 10001178 6395 10001188 6394->6395 6396 1000117f ??3@YAXPAX 6394->6396 6396->6395 6400 100012d2 6397->6400 6401 10001293 TerminateThread 6397->6401 6398 1000130a ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 6398->6398 6399 10001336 CloseHandle CloseHandle CloseHandle FreeLibrary 6398->6399 6399->6394 6400->6398 6401->6400 6403 10006770 6404 
100067b1 strstr 6403->6404 6405 100067c9 6404->6405 6406 10006373 puts 6411 100067f0 6406->6411 6408 100063ba 6409 100063dd 6408->6409 6410 10006b20 32 API calls 6408->6410 6410->6409 6412 100067fd 6411->6412 6413 1000688f 6411->6413 6412->6413 6414 1000680f LoadLibraryA GetProcAddress 6412->6414 6413->6408 6415 10006861 6414->6415 6416 10006875 Sleep 6415->6416 6417 10006887 6415->6417 6416->6415 6416->6417 6417->6408 6421 1000a380 6422 1000a38c 6421->6422 6423 1000a3d3 6422->6423 6424 1000a3a4 SetEvent 6422->6424 5514 10003290 5528 10012a80 5514->5528 5517 100032da strncpy puts 5519 100033c7 Sleep 5517->5519 5518 100032ca 5525 100033e0 5519->5525 5520 10003419 puts sprintf 5521 10003475 Sleep 5520->5521 5520->5525 5522 10003485 Sleep puts 5521->5522 5522->5525 5523 100034a8 puts 5523->5525 5524 10003514 5525->5520 5525->5521 5525->5523 5525->5524 5526 100034d2 Sleep puts 5525->5526 5527 100034e7 putchar Sleep putchar 5526->5527 5527->5525 5529 1000329a strstr 5528->5529 5529->5517 5529->5518 6428 10003d90 6429 10003db0 7 API calls 6428->6429 6430 10003d98 6429->6430 6431 10003da8 6430->6431 6432 10003d9f ??3@YAXPAX 6430->6432 6432->6431 6433 10005b90 6434 10001e50 7 API calls 6433->6434 6435 10005bb4 6434->6435 6436 10002100 29 API calls 6435->6436 6437 10005bd3 6436->6437 6438 10005c05 6437->6438 6439 10005bd7 6437->6439 6448 10009570 6438->6448 6440 10002000 19 API calls 6439->6440 6442 10005beb 6440->6442 6445 10005c24 6446 10002000 19 API calls 6445->6446 6447 10005c49 6446->6447 6449 10006a00 2 API calls 6448->6449 6450 10009597 6449->6450 6454 10009640 6450->6454 6453 100023d0 WaitForSingleObject 6453->6445 6461 10009720 LoadLibraryA GetProcAddress putchar 6454->6461 6456 10009649 6457 10005c13 6456->6457 6458 1000964f LocalSize 6456->6458 6457->6453 6459 10006b20 32 API calls 6458->6459 6460 1000965f LocalFree 6459->6460 6460->6457 6462 1000b920 4 API calls 6461->6462 6463 1000978a putchar CreateToolhelp32Snapshot putchar 6462->6463 6464 100097b8 9 API 
calls 6463->6464 6465 100097ab 6463->6465 6466 10009830 putchar 6464->6466 6467 1000998a LocalReAlloc 6464->6467 6465->6456 6470 10009847 putchar 6466->6470 6468 1000b920 4 API calls 6467->6468 6469 100099a0 CloseHandle 6468->6469 6469->6456 6471 10009973 Process32Next 6470->6471 6472 1000985c 6470->6472 6471->6466 6471->6467 6472->6471 6473 1000986e putchar 6472->6473 6474 10009886 putchar 6473->6474 6475 100098a4 putchar lstrlenA lstrlenA LocalSize 6474->6475 6476 100098ea lstrlenA lstrlenA lstrlenA lstrlenA 6475->6476 6477 100098de LocalReAlloc 6475->6477 6476->6471 6477->6476 6478 10009b90 SetEvent 6479 10009bd2 6478->6479 6480 10009bd9 6478->6480 6481 10009e80 2 API calls 6479->6481 6481->6480 5536 1000649c 5537 10002630 9 API calls 5536->5537 5538 100064a4 5537->5538 5539 1000a8a0 5540 1000a8b0 5539->5540 5541 1000a8f1 5539->5541 5542 1000a8e4 5540->5542 5543 1000a8d5 InterlockedExchange 5540->5543 5544 1000a8b7 5540->5544 5545 1000a8bf 5540->5545 5551 1000aaa0 InterlockedExchange WaitForSingleObject InterlockedExchange 5542->5551 5550 10006bb0 SetEvent 5544->5550 5545->5541 5547 1000a8c6 InterlockedExchange 5545->5547 5549 1000a8bc 5550->5549 5552 10009c10 5 API calls 5551->5552 5553 1000aae7 5552->5553 5553->5541 5554 100068a0 ??2@YAPAXI 5555 100069a9 ??3@YAXPAX 5554->5555 5559 100068e0 5554->5559 5556 10009c10 5 API calls 5557 1000691f CloseHandle 5556->5557 5557->5559 5558 10009c10 5 API calls 5560 10006947 CloseHandle 5558->5560 5559->5556 5559->5558 5561 1000697d Sleep 5559->5561 5562 10005e90 LoadLibraryA GetProcAddress FreeLibrary 5559->5562 5560->5559 5561->5555 5561->5559 5562->5559 6485 100019a0 6486 100019ad 6485->6486 6487 100019be 6485->6487 6486->6487 6488 100019b6 6486->6488 6494 100013d0 6487->6494 6493 10006bb0 SetEvent 6488->6493 6491 100019c8 6492 100019bb 6493->6492 6495 100013e9 GetProcAddress 6494->6495 6496 100013db 6494->6496 6498 10001409 6495->6498 6501 10001590 GetProcAddress 6496->6501 6498->6491 6499 100013e0 6499->6495 6500 
100013e4 6499->6500 6500->6491 6502 100015aa 6501->6502 6503 100015ae 6502->6503 6504 100015d9 GetProcAddress 6502->6504 6503->6499 6505 10001602 6504->6505 6506 10001606 6505->6506 6507 1000160e GetProcAddress 6505->6507 6506->6499 6508 10001627 6507->6508 6508->6499 6509 1000b5a0 6510 1000b5ba 6509->6510 6511 1000b5a7 6509->6511 6511->6510 6512 1000b5b1 TerminateThread 6511->6512 6512->6510 4785 10012baa 4786 10012bbd 4785->4786 4790 10012bc6 4785->4790 4794 10012bee 4786->4794 4795 1000c5f0 4786->4795 4790->4786 4790->4794 4817 10012aff 4790->4817 4791 10012c0e 4793 10012aff 3 API calls 4791->4793 4791->4794 4792 10012aff 3 API calls 4792->4791 4793->4794 4796 1000c607 LoadLibraryA GetProcAddress 4795->4796 4797 1000c91a 4795->4797 4824 1000c230 4796->4824 4797->4791 4797->4792 4797->4794 4800 1000c79b RegOpenKeyExA 4800->4797 4801 1000c7bf ??2@YAPAXI 4800->4801 4802 1000c83e SetEvent 4801->4802 4826 1000b700 4802->4826 4805 1000c86d 4831 1000b790 OpenSCManagerA 4805->4831 4807 1000c8d4 4836 1000ba60 GetWindowsDirectoryA DeleteFileA 4807->4836 4809 1000c8dc 4845 1000bc60 GetWindowsDirectoryA 4809->4845 4811 1000c8e1 SetFileAttributesA CopyFileA 4864 1000bf20 LoadLibraryA GetProcAddress LoadLibraryA GetProcAddress CreateFileA 4811->4864 4815 1000c915 4871 1000b820 6 API calls 4815->4871 4818 10012b07 4817->4818 4819 10012b3d 4818->4819 4820 10012b67 4818->4820 4821 10012b28 malloc 4818->4821 4819->4786 4820->4819 4823 10012b94 free 4820->4823 4821->4819 4822 10012b41 _initterm 4821->4822 4822->4819 4823->4819 4825 1000c5b1 _fputchar GetModuleFileNameA putchar ExpandEnvironmentStringsA _stricmp 4824->4825 4825->4797 4825->4800 4827 1000b735 4826->4827 4830 1000b77e GetTickCount srand 4826->4830 4828 1000b742 strncpy _access 4827->4828 4827->4830 4828->4827 4829 1000b760 CreateDirectoryA 4828->4829 4829->4827 4830->4805 4832 1000b7a9 4831->4832 4833 1000b7ab CreateServiceA 4831->4833 4832->4807 4834 1000b7e2 4833->4834 4835 1000b7e4 LockServiceDatabase 
ChangeServiceConfig2A UnlockServiceDatabase 4833->4835 4834->4807 4835->4807 4872 1000b980 4836->4872 4838 1000bb40 rand sprintf 4877 1000b9e0 4838->4877 4840 1000bb85 6 API calls 4841 1000b980 7 API calls 4840->4841 4842 1000bc2c 4841->4842 4843 1000b9e0 7 API calls 4842->4843 4844 1000bc41 DeleteFileA 4843->4844 4844->4809 4846 1000b980 7 API calls 4845->4846 4847 1000bcfa rand sprintf 4846->4847 4848 1000b9e0 7 API calls 4847->4848 4849 1000bd3e RegOpenKeyExA 4848->4849 4850 1000bf15 4849->4850 4851 1000bd65 RegQueryValueExA 4849->4851 4850->4811 4852 1000bdc9 4851->4852 4853 1000be6d 4851->4853 4854 1000be28 4852->4854 4857 1000bdee _stricmp 4852->4857 4855 1000bea9 RegSetValueExA RegCloseKey DeleteFileA 4853->4855 4858 1000be4a 4854->4858 4859 1000be4b sprintf 4854->4859 4856 1000b980 7 API calls 4855->4856 4860 1000bef3 4856->4860 4857->4852 4861 1000be57 RegCloseKey 4857->4861 4858->4859 4859->4855 4862 1000b9e0 7 API calls 4860->4862 4861->4811 4863 1000bf08 DeleteFileA 4862->4863 4863->4850 4865 1000c11a 4864->4865 4866 1000c06a SetFilePointer rand 4864->4866 4870 1000b8e0 OpenSCManagerA OpenServiceA StartServiceA CloseServiceHandle CloseServiceHandle 4865->4870 4867 1000c0f8 CloseHandle SetFileAttributesA 4866->4867 4868 1000c0aa 4866->4868 4867->4865 4868->4867 4869 1000c0c0 rand 4868->4869 4869->4868 4869->4869 4870->4815 4871->4797 4884 1000b920 GetCurrentProcess OpenProcessToken 4872->4884 4875 1000b9b2 RegSaveKeyA RegCloseKey 4875->4838 4876 1000b9ae 4876->4838 4878 1000b920 4 API calls 4877->4878 4879 1000b9f5 RegCreateKeyExA 4878->4879 4880 1000ba23 4879->4880 4881 1000ba29 RegRestoreKeyA 4879->4881 4880->4840 4882 1000ba45 RegCloseKey 4881->4882 4883 1000ba3f 4881->4883 4882->4840 4883->4840 4885 1000b975 RegOpenKeyExA 4884->4885 4886 1000b93b LookupPrivilegeValueA AdjustTokenPrivileges 4884->4886 4885->4875 4885->4876 4886->4885 5569 10012aaf ??1type_info@@UAE 5570 10012ac5 5569->5570 5571 10012abe ??3@YAXPAX 5569->5571 5571->5570 5572 100084b0 
5577 100084d0 5572->5577 5574 100084b8 5575 100084c8 5574->5575 5576 100084bf ??3@YAXPAX 5574->5576 5576->5575 5578 1000850f GetProcAddress 5577->5578 5579 1000852b GetProcAddress 5578->5579 5581 10008556 5579->5581 5582 10008575 6 API calls 5581->5582 5583 1000856c ??3@YAXPAX 5581->5583 5584 100085d4 FreeLibrary 5582->5584 5583->5582 5584->5574 5586 10006cb0 5587 10006cb8 5586->5587 5588 10006cc8 5587->5588 5589 10006cbf ??3@YAXPAX 5587->5589 5589->5588 5590 100064b0 puts 5591 100064be 5590->5591 5592 10003eb0 5593 10003fa1 5592->5593 5594 10003ec8 5592->5594 5594->5593 5595 10003f20 5594->5595 5596 10003f64 5594->5596 5597 10003f86 5594->5597 5598 10003f4a 5594->5598 5599 10003f2e 5594->5599 5600 10003ecf 5594->5600 5601 10003f12 5594->5601 5602 10003f72 5594->5602 5603 10003f56 5594->5603 5604 10003f96 5594->5604 5605 10003efb 5594->5605 5606 10003f3c 5594->5606 5607 10003edd Sleep 5594->5607 5673 10004920 LoadLibraryA GetProcAddress 5595->5673 5707 10004f30 5596->5707 5722 10004180 LoadLibraryA GetProcAddress 5597->5722 5694 10004e70 5598->5694 5686 10005370 5599->5686 5636 100043d0 6 API calls 5600->5636 5658 10004b20 lstrlenA 5601->5658 5717 100051a0 LoadLibraryA GetProcAddress LoadLibraryA GetProcAddress 5602->5717 5704 10005350 5603->5704 5613 10004180 3 API calls 5604->5613 5650 100045e0 LoadLibraryA GetProcAddress 5605->5650 5691 10005390 lstrlenA MoveFileA 5606->5691 5625 10003eed 5607->5625 5613->5593 5622 10003f6d 5623 10003ed8 5647 10004b10 5625->5647 5626 10003f91 5627 10003f04 5633 10004b10 32 API calls 5627->5633 5629 10003f29 5635 10003f0d 5633->5635 5637 10004474 5636->5637 5643 10004494 5636->5643 5638 10006b20 32 API calls 5637->5638 5640 10004487 5638->5640 5639 100044ac Sleep LocalReAlloc 5639->5643 5640->5623 5641 1000459a FindNextFileA 5642 100045b2 5641->5642 5641->5643 5644 10006b20 32 API calls 5642->5644 5643->5639 5643->5641 5646 10004542 lstrlenA 5643->5646 5645 100045bd LocalFree FindClose 5644->5645 5645->5623 5646->5641 5648 

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32 ref: 1000C68F
• GetProcAddress.KERNEL32(00000000), ref: 1000C696
• _fputchar.MSVCRT(00000030,Rsvxcj Otuftnsa Qwj,0000037A), ref: 1000C6B5
• GetModuleFileNameA.KERNEL32(?,C:\Users\user\Desktop\I3FtIOCni3.dll,00000104,?,?,?), ref: 1000C6CC
• putchar.MSVCRT(00000030,?,?), ref: 1000C6D4
• ExpandEnvironmentStringsA.KERNEL32(C:\Program Files (x86)\Flbi\Pfwnulduj.jpg,?,00000104,?,?,?,?), ref: 1000C6FD
• _stricmp.MSVCRT ref: 1000C78A
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,000F003F,?,C:\Users\user\Desktop\I3FtIOCni3.dll,C:\Program Files (x86)\Flbi\Pfwnulduj.jpg,?,?,?,?), ref: 1000C7B1
• ??2@YAPAXI@Z.MSVCRT(?,?,?,?,?), ref: 1000C7E2
• SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 1000C83F
  • Part of subcall function 1000B700: strncpy.MSVCRT ref: 1000B749
  • Part of subcall function 1000B700: _access.MSVCRT ref: 1000B752
  • Part of subcall function 1000B700: CreateDirectoryA.KERNEL32(?,00000000), ref: 1000B767
• GetTickCount.KERNEL32 ref: 1000C852
• srand.MSVCRT ref: 1000C859
• DeleteFileA.KERNELBASE(C:\Program Files (x86)\Flbi\Pfwnulduj.jpg,?,?,?,?,?,?,?,?,?), ref: 1000C867
  • Part of subcall function 1000B790: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,1000C8D4,?,?,?,?,?,?,?,?,?,?), ref: 1000B79A
  • Part of subcall function 1000BA60: GetWindowsDirectoryA.KERNEL32(?,00000104,?,chost.exe -k imgsvc,00000000), ref: 1000BAE9
  • Part of subcall function 1000BA60: DeleteFileA.KERNELBASE(?), ref: 1000BB2C
  • Part of subcall function 1000BA60: rand.MSVCRT ref: 1000BB54
  • Part of subcall function 1000BA60: sprintf.MSVCRT ref: 1000BB71
  • Part of subcall function 1000BA60: DeleteFileA.KERNELBASE(?), ref: 1000BB8D
  • Part of subcall function 1000BC60: GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 1000BC92
  • Part of subcall function 1000BC60: rand.MSVCRT ref: 1000BD0F
  • Part of subcall function 1000BC60: sprintf.MSVCRT ref: 1000BD26
  • Part of subcall function 1000BC60: RegOpenKeyExA.KERNELBASE(80000002,?,00000000,000F003F,?,?,?,?,?,chost.exe -k imgsvc,00000000), ref: 1000BD57
  • Part of subcall function 1000BC60: RegQueryValueExA.KERNELBASE(?,imgsvc,00000000,00000007,?,?), ref: 1000BDBB
• SetFileAttributesA.KERNELBASE(C:\Program Files (x86)\Flbi\Pfwnulduj.jpg,00001000,?,?,?,?,?,?,?,?,?,?), ref: 1000C8EB
• CopyFileA.KERNEL32(C:\Users\user\Desktop\I3FtIOCni3.dll,C:\Program Files (x86)\Flbi\Pfwnulduj.jpg,00000000), ref: 1000C8FD
  • Part of subcall function 1000BF20: LoadLibraryA.KERNEL32 ref: 1000BFB4
  • Part of subcall function 1000BF20: GetProcAddress.KERNEL32(00000000), ref: 1000BFBD
  • Part of subcall function 1000BF20: LoadLibraryA.KERNEL32 ref: 1000C03A
  • Part of subcall function 1000BF20: GetProcAddress.KERNEL32(00000000), ref: 1000C03D
  • Part of subcall function 1000BF20: CreateFileA.KERNELBASE(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1000C05D
  • Part of subcall function 1000BF20: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 1000C071
  • Part of subcall function 1000BF20: rand.MSVCRT ref: 1000C094
  • Part of subcall function 1000B8E0: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,chost.exe -k imgsvc,1000C915), ref: 1000B8EB
  • Part of subcall function 1000B8E0: OpenServiceA.ADVAPI32(00000000,Rsvxcj Otuftnsa Qwj,000F003F,?,?,?,?,?,?,?,?,?,?,?), ref: 1000B8FE
  • Part of subcall function 1000B8E0: StartServiceA.ADVAPI32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 1000B90B
  • Part of subcall function 1000B8E0: CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 1000B918
  • Part of subcall function 1000B8E0: CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 1000B91B
  • Part of subcall function 1000B820: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,chost.exe -k imgsvc), ref: 1000B82F
  • Part of subcall function 1000B820: OpenServiceA.ADVAPI32(00000000,Rsvxcj Otuftnsa Qwj,000F003F,?,?,?,?,?,?,?,?,?,?,?,1000C91A), ref: 1000B842
  • Part of subcall function 1000B820: LockServiceDatabase.ADVAPI32 ref: 1000B8A5
  • Part of subcall function 1000B820: ChangeServiceConfig2A.ADVAPI32(00000000,00000002,?), ref: 1000B8B3
  • Part of subcall function 1000B820: CloseServiceHandle.ADVAPI32(00000000), ref: 1000B8BA
  • Part of subcall function 1000B820: UnlockServiceDatabase.ADVAPI32(00000000), ref: 1000B8C1
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: Service$File$Open$AddressCloseDeleteDirectoryHandleLibraryLoadManagerProcrand$CreateDatabaseWindowssprintf$??2@AttributesChangeConfig2CopyCountEnvironmentEventExpandLockModuleNamePointerQueryStartStringsTickUnlockValue_access_fputchar_stricmpputcharsrandstrncpy
• String ID: %SystemRoot%\System32\sv$.$0$2$3$3$6$A$A$C$C:\Program Files (x86)\Flbi\Pfwnulduj.jpg$C:\Users\user\Desktop\I3FtIOCni3.dll$E$E$F$Glabl$O$R$Rsvxcj Otuftnsa Qwj$T$W$`1Mw$a$a$chost.exe -k imgsvc$d$e__Wait$f$k$v
• API String ID: 1580536013-3965645343
• Opcode ID: 9d0bdbd1b15356e2c3dc17c26916b7589367e7643008e892bdfae161a1a4dd9f
• Instruction ID: 35eb12ba51045ac74af9636568a462686046c497cae12f73baf3ac749d1c94fa
• Opcode Fuzzy Hash: 9d0bdbd1b15356e2c3dc17c26916b7589367e7643008e892bdfae161a1a4dd9f
• Instruction Fuzzy Hash: 8981163110C3C49AE315C7788C4975FBED1ABA6354F480A5DF6DA8B2D2CAB5CA48C367

                                                                                                                                                        Control-flow Graph

                                                                                                                                                        APIs
                                                                                                                                                        • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,1000C8D4,?,?,?,?,?,?,?,?,?,?), ref: 1000B79A
                                                                                                                                                        • CreateServiceA.ADVAPI32(00000000,Rsvxcj Otuftnsa Qwj,Xlkkij Eenfguqw Umoowivy Ajdk,000F01FF,00000110,00000002,00000000,1000C8D4,00000000,00000000,00000000,00000000,00000000,?,1000C8D4,?), ref: 1000B7D3
                                                                                                                                                        Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: CreateManagerOpenService
• String ID: Rsvxcj Otuftnsa Qwj$Xlkkij Eenfguqw Umoowivy Ajdk$chost.exe -k imgsvc
• API String ID: 2847155433-2293152018
• Opcode ID: d187f0aabdf50f1bf84800c4208ccc90fc259b3ea27080280db3ed70df226d00
• Instruction ID: 8a96599aea986ab7ca75d0b8e41b003405eda18944056e29ceeff39f30badff4
• Opcode Fuzzy Hash: d187f0aabdf50f1bf84800c4208ccc90fc259b3ea27080280db3ed70df226d00
• Instruction Fuzzy Hash: F70131716853107BF714CB20CC89F9A7BE4FB84B41F10811AF61A9A6D0DBB0D940D751

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32(00000028,00000000,?,1000BB40,?,?), ref: 1000B92A
• OpenProcessToken.ADVAPI32(00000000), ref: 1000B931
• LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1000B947
• AdjustTokenPrivileges.KERNELBASE ref: 1000B96F
Similarity
• API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
• String ID:
• API String ID: 2349140579-0
• Opcode ID: 42e912ed82a637a020f3b2e03a9e4bbb864f70a4eb5de5ce7c2cc2d0dfb629bd
• Instruction ID: 856e7731698e8eaaf44f84bf22a40c6906dbd141dd1999a8ca5af6f0a8b26d76
• Opcode Fuzzy Hash: 42e912ed82a637a020f3b2e03a9e4bbb864f70a4eb5de5ce7c2cc2d0dfb629bd
• Instruction Fuzzy Hash: 01F0F8B4248301BFF304DF94CC8AF6B7BA8EB84B44F41851CF656861E1DAB0E508CB66

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32 ref: 1000BFB4
• GetProcAddress.KERNEL32(00000000), ref: 1000BFBD
• LoadLibraryA.KERNEL32 ref: 1000C03A
• GetProcAddress.KERNEL32(00000000), ref: 1000C03D
• CreateFileA.KERNELBASE(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1000C05D
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 1000C071
• rand.MSVCRT ref: 1000C094
• rand.MSVCRT ref: 1000C0C0
• CloseHandle.KERNEL32(00000000), ref: 1000C0F9
• SetFileAttributesA.KERNEL32(?,00000004), ref: 1000C114
Strings
Similarity
• API ID: File$AddressLibraryLoadProcrand$AttributesCloseCreateHandlePointer
• String ID: .$.23l$2$2$3$3$A$C$F$F$W$a$chost.exe -k imgsvc$d$i$i$i$k$k$l$l$l$l$l$l$n$n$r$r$r$r$t$t
• API String ID: 3502045851-2303784666
• Opcode ID: a93a193c1373a079530e5dd756668d144d6214f8bc7be53a281aa6332654bc51
• Instruction ID: 4ca7f71812de74c6518d7e5015f297a9f482c742ccde020fda388762a1b20cad
• Opcode Fuzzy Hash: a93a193c1373a079530e5dd756668d144d6214f8bc7be53a281aa6332654bc51
• Instruction Fuzzy Hash: CB517A6014C3C0DAE312C7688888B5FBFD65BE6748F48495DF2C45B292C6FA8608C77B

Control-flow Graph

APIs
• GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 1000BC92
  • Part of subcall function 1000B980: RegOpenKeyExA.KERNELBASE(80000002,?,00000000,000F003F,00000000), ref: 1000B9A4
• rand.MSVCRT ref: 1000BD0F
• sprintf.MSVCRT ref: 1000BD26
  • Part of subcall function 1000B9E0: RegCreateKeyExA.KERNELBASE(80000002,?,00000000,00000000,00000000,000F003F,00000000,?,?,SeRestorePrivilege,?), ref: 1000BA19
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,000F003F,?,?,?,?,?,chost.exe -k imgsvc,00000000), ref: 1000BD57
• RegQueryValueExA.KERNELBASE(?,imgsvc,00000000,00000007,?,?), ref: 1000BDBB
• _stricmp.MSVCRT(?,Rsvxcj Otuftnsa Qwj), ref: 1000BDF4
• sprintf.MSVCRT ref: 1000BE4C
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,chost.exe -k imgsvc,00000000), ref: 1000BE5C
• RegSetValueExA.ADVAPI32(?,imgsvc,00000000,00000007,?), ref: 1000BEC0
• RegCloseKey.ADVAPI32(?), ref: 1000BECB
• DeleteFileA.KERNEL32(?), ref: 1000BEDF
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,chost.exe -k imgsvc,00000000), ref: 1000BF13
Strings
Similarity
• API ID: CloseDeleteFileOpenValuesprintf$CreateDirectoryQueryWindows_stricmprand
• String ID: Net-Temp.ini$Rsvxcj Otuftnsa Qwj$SOFTWARE\%d$SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost$`1Mw$chost.exe -k imgsvc$imgsvc
• API String ID: 4100340901-2530400822
• Opcode ID: 2f14cf8838a2f7cb8313d0b45078fb8fd1a3b5e6fe232d5f9f515a18caea3c77
• Instruction ID: 93622fedf11d1c0094470e84b2ee0f52ba57859fe3a4a7f081c05dd590726278
• Opcode Fuzzy Hash: 2f14cf8838a2f7cb8313d0b45078fb8fd1a3b5e6fe232d5f9f515a18caea3c77
• Instruction Fuzzy Hash: 2361E1322083456BE724CA64CC44BEBB7E9FBC8350F004A2DF659972D1DF74AA088792

Control-flow Graph

APIs
• GetWindowsDirectoryA.KERNEL32(?,00000104,?,chost.exe -k imgsvc,00000000), ref: 1000BAE9
• DeleteFileA.KERNELBASE(?), ref: 1000BB2C
  • Part of subcall function 1000B980: RegOpenKeyExA.KERNELBASE(80000002,?,00000000,000F003F,00000000), ref: 1000B9A4
• rand.MSVCRT ref: 1000BB54
• sprintf.MSVCRT ref: 1000BB71
  • Part of subcall function 1000B9E0: RegCreateKeyExA.KERNELBASE(80000002,?,00000000,00000000,00000000,000F003F,00000000,?,?,SeRestorePrivilege,?), ref: 1000BA19
• DeleteFileA.KERNELBASE(?), ref: 1000BB8D
• sprintf.MSVCRT ref: 1000BBBB
• RegCreateKeyExA.KERNELBASE ref: 1000BBE8
• lstrlenA.KERNEL32(C:\Program Files (x86)\Flbi\Pfwnulduj.jpg), ref: 1000BBF3
• RegSetValueExA.KERNELBASE(00000000,ServiceDll,00000000,00000002,C:\Program Files (x86)\Flbi\Pfwnulduj.jpg,00000000), ref: 1000BC0C
• RegCloseKey.ADVAPI32(000F003F), ref: 1000BC17
  • Part of subcall function 1000B980: RegSaveKeyA.ADVAPI32(00000000,?,00000000), ref: 1000B9BE
  • Part of subcall function 1000B980: RegCloseKey.ADVAPI32 ref: 1000B9C9
  • Part of subcall function 1000B9E0: RegRestoreKeyA.KERNELBASE(?,?,00000008,?,?,SeRestorePrivilege,?), ref: 1000BA35
• DeleteFileA.KERNELBASE(?,000F003F,00000000,?,?), ref: 1000BC49
Strings
Similarity
• API ID: DeleteFile$CloseCreatesprintf$DirectoryOpenRestoreSaveValueWindowslstrlenrand
• String ID: %s\Parameters$C:\Program Files (x86)\Flbi\Pfwnulduj.jpg$Net-Temp.ini$Rsvxcj Otuftnsa Qwj$SOFTWARE\%d$SYSTEM\CurrentControlSet\Services\$ServiceDll$chost.exe -k imgsvc
• API String ID: 1476920120-2287909840
• Opcode ID: 6ab558c3a52563b465957775fe3867f7e007a6db7458d8d30fb9d540450f1a4c
• Instruction ID: f382e57c8ad258dd72b652206413f82fc0ad658f06ceac1f42cb70e726b3c528
• Opcode Fuzzy Hash: 6ab558c3a52563b465957775fe3867f7e007a6db7458d8d30fb9d540450f1a4c
• Instruction Fuzzy Hash: 6651C7725047486FD724CA74CC85AABB7E9FBC8350F404E2DF76687191EEB4DA088792

Control-flow Graph (rendering omitted): function 1000b700-1000b788; calls strncpy, _access, CreateDirectoryA
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: CreateDirectory_accessstrncpy
• String ID: e__Wait
• API String ID: 3114431365-4292980163
• Opcode ID: ad58c649dfc681a88538822aba580dea423a0acb2321841fd8188d2563578ded
• Instruction ID: f318f1cd7b80543f7ea2b9d3ab467e07e0ad91170dd35d9d23b6e8f4c6ba5ea2
• Opcode Fuzzy Hash: ad58c649dfc681a88538822aba580dea423a0acb2321841fd8188d2563578ded
• Instruction Fuzzy Hash: F30124B21047542BE324CA38DCC0BABB7D8EBC1371F114A2DF766921E0DE75D80486A1


APIs
  • Part of subcall function 1000B920: GetCurrentProcess.KERNEL32(00000028,00000000,?,1000BB40,?,?), ref: 1000B92A
  • Part of subcall function 1000B920: OpenProcessToken.ADVAPI32(00000000), ref: 1000B931
  • Part of subcall function 1000B920: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1000B947
  • Part of subcall function 1000B920: AdjustTokenPrivileges.KERNELBASE ref: 1000B96F
• RegCreateKeyExA.KERNELBASE(80000002,?,00000000,00000000,00000000,000F003F,00000000,?,?,SeRestorePrivilege,?), ref: 1000BA19
• RegRestoreKeyA.KERNELBASE(?,?,00000008,?,?,SeRestorePrivilege,?), ref: 1000BA35
Similarity
• API ID: ProcessToken$AdjustCreateCurrentLookupOpenPrivilegePrivilegesRestoreValue
• String ID: SeRestorePrivilege
• API String ID: 2939723135-1684392131
• Opcode ID: 010fdb8444d41ae2ee0861866ce1fba35a082cdb174a2c4ac46b2c4117d02963
• Instruction ID: 0505fca78989e44538ffae6802d00d1e4955f677cefba3666cb03d5d60df2c9a
• Opcode Fuzzy Hash: 010fdb8444d41ae2ee0861866ce1fba35a082cdb174a2c4ac46b2c4117d02963
• Instruction Fuzzy Hash: 23F062B47443017BF700DB60DC46F7B72E8FB80B41F54842CFA48962C0E6B5E508C662


APIs
  • Part of subcall function 1000B920: GetCurrentProcess.KERNEL32(00000028,00000000,?,1000BB40,?,?), ref: 1000B92A
  • Part of subcall function 1000B920: OpenProcessToken.ADVAPI32(00000000), ref: 1000B931
  • Part of subcall function 1000B920: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1000B947
  • Part of subcall function 1000B920: AdjustTokenPrivileges.KERNELBASE ref: 1000B96F
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,000F003F,00000000), ref: 1000B9A4
• RegSaveKeyA.ADVAPI32(00000000,?,00000000), ref: 1000B9BE
• RegCloseKey.ADVAPI32 ref: 1000B9C9
Similarity
• API ID: OpenProcessToken$AdjustCloseCurrentLookupPrivilegePrivilegesSaveValue
• String ID: SeBackupPrivilege
• API String ID: 1969699473-2429070247
• Opcode ID: 4024a304bd0ef6ac4e054054c98162c2dced4fb6f2ecda1f38094298ea77ef27
• Instruction ID: 389b67d3d9abe42ee2d22f3a74c13c1bd6955f731e5d90c966dfb7b552b940d2
• Opcode Fuzzy Hash: 4024a304bd0ef6ac4e054054c98162c2dced4fb6f2ecda1f38094298ea77ef27
• Instruction Fuzzy Hash: 44F0C9B5614204BFF714DBA0DC8AF3BB3A8FB84641F14841DFA5A962C1DA70E910C662

Control-flow Graph (rendering omitted): function 10012aff-10012ba7; calls malloc, _initterm, free
Similarity
• API ID: _inittermfreemalloc
• String ID:
• API String ID: 1678931842-0
• Opcode ID: d2d9a7caceb91528d2ed2e9d6d4be7f71a7a7e0edaee68c07a8a07b578971443
• Instruction ID: 26e2ab29f321bbbdce438ad4de835350396b94b94c4244d5826011713d583a1e
• Opcode Fuzzy Hash: d2d9a7caceb91528d2ed2e9d6d4be7f71a7a7e0edaee68c07a8a07b578971443
• Instruction Fuzzy Hash: CE11FEB1608262ABF718CF65DCC4B5A37A4FB44395B12802DE906CB160EB31D8D1DB10

Control-flow Graph (rendering omitted): function 1000a3e0-1000a400; calls LoadLibraryA
APIs
• LoadLibraryA.KERNELBASE(AVICAP32.dll), ref: 1000A3F5
Similarity
• API ID: LibraryLoad
• String ID: AVICAP32.dll
• API String ID: 1029625771-3627695671
• Opcode ID: 13c2d91c83a9f44fefe388d6f9e174950ed73ee3e1e10ce13b4996167c9c667c
• Instruction ID: 4a90be2cd1eb0e1a59bcc82c511d2f078ecbb3fc9039117952e3e4db655caa60
• Opcode Fuzzy Hash: 13c2d91c83a9f44fefe388d6f9e174950ed73ee3e1e10ce13b4996167c9c667c
• Instruction Fuzzy Hash: 33B012B04010104BE3008B254D4410439B0F3051417018060F64841368DF3080809944
APIs
• LoadLibraryA.KERNEL32 ref: 10004689
• GetProcAddress.KERNEL32(00000000), ref: 10004690
• FindFirstFileA.KERNEL32(?,?), ref: 100046E9
• FindNextFileA.KERNEL32(00000000,?), ref: 10004761
• FindClose.KERNEL32(00000000), ref: 1000476C
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Find$File$AddressCloseFirstLibraryLoadNextProc
                                                                                                                                                        • String ID: %$%s\%s$.$.$.$2$3$A$D$R$\$c$d$i$m$n$s$t$v$y
                                                                                                                                                        • API String ID: 4073164423-3055321997
                                                                                                                                                        • Opcode ID: f2a0dce9bfe4a421dd2adf27e4b9dc0b31f96c7ff59bb07813d3c3912bdc5edf
                                                                                                                                                        • Instruction ID: af70fd04df743261d5c016c6eadad566c35d9b66c362bec3e68e098afc3f7e38
                                                                                                                                                        • Opcode Fuzzy Hash: f2a0dce9bfe4a421dd2adf27e4b9dc0b31f96c7ff59bb07813d3c3912bdc5edf
                                                                                                                                                        • Instruction Fuzzy Hash: 34515C6100D3C09EE312CB689884A9FBFE8ABEA648F484D4DF5D847252C779960CC777
APIs
• CloseHandle.KERNEL32(00000000), ref: 10002C43
• CloseHandle.KERNEL32(00000000), ref: 10002C89
• Sleep.KERNEL32(000003E8), ref: 10002C9E
• Sleep.KERNEL32(000003E8), ref: 10002CE5
• Sleep.KERNEL32(000003E8), ref: 10002D2C
• Sleep.KERNEL32(000003E8), ref: 10002D73
• Sleep.KERNEL32(000003E8), ref: 100030A2
  • Part of subcall function 10009C10: LoadLibraryA.KERNEL32 ref: 10009C9C
  • Part of subcall function 10009C10: GetProcAddress.KERNEL32(00000000), ref: 10009CA3
  • Part of subcall function 10009C10: _beginthreadex.MSVCRT ref: 10009CED
  • Part of subcall function 10009C10: WaitForSingleObject.KERNEL32(?,000000FF), ref: 10009CFF
  • Part of subcall function 10009C10: CloseHandle.KERNEL32(?), ref: 10009D0A
Strings
Similarity
• API ID: Sleep$CloseHandle$AddressLibraryLoadObjectProcSingleWait_beginthreadex
• String ID: Sh06$ShP1$UUUSh05$UUUSh06$UUUSh@8$UUUSh@8$UUUShP1$UUUShP1$UU9m$UUDo$UUEl$UU[l$d$|j$|j$#n
• API String ID: 3602428423-543700837
• Opcode ID: 65a6fcd19eb84a39f7878a8d72c04aa964aaee3fde69655f21b73eebe3e789a3
• Instruction ID: 9c6f24cf16997e277a7d1a4c2ffea682bc069f55519cfff79f77d1453c7aabd2
• Opcode Fuzzy Hash: 65a6fcd19eb84a39f7878a8d72c04aa964aaee3fde69655f21b73eebe3e789a3
• Instruction Fuzzy Hash: A2B1F531A4120867F341AF2ADC85F9B779DEB953C5F028076FB0D9B18BDE7268818275
APIs
• sprintf.MSVCRT ref: 1000728C
• FindFirstFileA.KERNEL32(?,?), ref: 100072B3
• FindNextFileA.KERNEL32(00000000,?), ref: 1000732C
• _stricmp.MSVCRT(?,10017318), ref: 10007356
• _stricmp.MSVCRT(?,10017314), ref: 1000736D
• sprintf.MSVCRT ref: 100073A1
• GetModuleHandleA.KERNEL32(?), ref: 100073AD
• GetProcAddress.KERNEL32(00000000,PluginDescript), ref: 100073E4
• FreeLibrary.KERNEL32(00000000), ref: 100073F3
• FindNextFileA.KERNEL32(?,00000010), ref: 10007460
• FindClose.KERNEL32(00000000), ref: 10007470
Strings
Similarity
• API ID: Find$File$Next_stricmpsprintf$AddressCloseFirstFreeHandleLibraryModuleProc
• String ID: %s %s %s$%s\%s$%s\*.*$PluginDescript
• API String ID: 2068427334-844292908
• Opcode ID: 0434abaf161368746192aa37ae4fe9683d0fab98aa522b629f438e409e56d033
• Instruction ID: 1fefc166323dcbb311493ec44372979f222988b9f4e4a663647ac7453ce9ec91
• Opcode Fuzzy Hash: 0434abaf161368746192aa37ae4fe9683d0fab98aa522b629f438e409e56d033
• Instruction Fuzzy Hash: 2051E672504791ABE321C724CC44BEB77E8FBC8345F41492DEA4D97250EB79EA088796
APIs
• putchar.MSVCRT(00000030,?), ref: 100043F8
• LocalAlloc.KERNEL32(00000040,00002800), ref: 10004400
• sprintf.MSVCRT ref: 10004440
• putchar.MSVCRT(00000030), ref: 10004448
• FindFirstFileA.KERNEL32(?,?,?,?,?,?), ref: 1000445A
• putchar.MSVCRT(00000030,?,?,?,?), ref: 10004466
• Sleep.KERNEL32(00000000,?,?,?,?,?), ref: 100044B8
• LocalReAlloc.KERNEL32(00000000,?,00000042,?,?,?,?,?), ref: 100044C2
• lstrlenA.KERNEL32(?,?,?,?,?,?), ref: 10004551
• FindNextFileA.KERNEL32(?,?,?,?,?,?,?), ref: 100045A4
Strings
Similarity
• API ID: putchar$AllocFileFindLocal$FirstNextSleeplstrlensprintf
• String ID: %$.$\$h$s
• API String ID: 3314986882-4236245780
• Opcode ID: 4bb2ce8a54688f1d5a6b1f7273d1e9343ff1f1af39bb21be4ab864652392e13a
• Instruction ID: 6617ed789e4c52784a1fdbd3f4f0ce7b7f2e454f03e0360fe4da3b054f52e239
• Opcode Fuzzy Hash: 4bb2ce8a54688f1d5a6b1f7273d1e9343ff1f1af39bb21be4ab864652392e13a
• Instruction Fuzzy Hash: C25139715083819BE310CF648C90B9BBBE5EF89384F064A58F9C897381DA79D90DC766
APIs
• LoadLibraryA.KERNEL32 ref: 1000507E
• GetProcAddress.KERNEL32(00000000), ref: 10005085
• FindFirstFileA.KERNEL32(?,00000000), ref: 100050C1
• FindClose.KERNEL32(00000000), ref: 1000513B
• CloseHandle.KERNEL32(00000000), ref: 10005174
Strings
Similarity
• API ID: CloseFind$AddressFileFirstHandleLibraryLoadProc
• String ID: .23$2$3$A$C$F$a$i$k$n$p$t
• API String ID: 2078064777-4013726569
• Opcode ID: 0a988ad3c6a7b67d32af8c0ffbe80d190095fa82087322c8fbfcaed11c2c777a
• Instruction ID: 1a5ce15d6fa2e080dfb5ae7376460594c7d8e48167bb4d7df25aa2133c4c80b7
• Opcode Fuzzy Hash: 0a988ad3c6a7b67d32af8c0ffbe80d190095fa82087322c8fbfcaed11c2c777a
• Instruction Fuzzy Hash: BF41C57190C3819EE311CB28888479FBFD59F9A354F444A5DF4D897392C6B68A08C7A7
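The per-function API lists above are the raw material for triage, but reading them by eye across dozens of entries is slow. The following Python is an added editorial example, not part of the Joe Sandbox report and not code from the analysed sample: it parses lines in exactly the "APIs" format used above (including the indented "Part of subcall function" lines) and extracts the behaviours that the report's signatures key on: the total Sleep budget with known immediates, a GetTickCount/Sleep/GetTickCount sequence (the classic timing-based sandbox check), functions that pair LoadLibraryA with GetProcAddress (run-time import resolution), and export names passed to GetProcAddress as literals such as `PluginDescript`. The sample input is constructed from lines of the entries above, concatenated from several functions for brevity; in practice you feed one entry at a time, and the `caller` field separates subcall lines from the entry's own calls. All function and class names (`parse_apis`, `ApiCall`, `summarize`, ...) are the example's own.

```python
"""Parse the "APIs" lines of a Joe Sandbox function entry and summarise
the evasion- and loader-related behaviour an analyst keys on."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: API lines copied from the function entries above,
# several entries concatenated. Not a complete entry from the report.
SAMPLE_APIS = """\
• CloseHandle.KERNEL32(00000000), ref: 10002C43
• Sleep.KERNEL32(000003E8), ref: 10002C9E
• Sleep.KERNEL32(000003E8), ref: 10002CE5
• Sleep.KERNEL32(000003E8), ref: 10002D2C
• Sleep.KERNEL32(000003E8), ref: 10002D73
• Sleep.KERNEL32(000003E8), ref: 100030A2
  • Part of subcall function 10009C10: LoadLibraryA.KERNEL32 ref: 10009C9C
  • Part of subcall function 10009C10: GetProcAddress.KERNEL32(00000000), ref: 10009CA3
  • Part of subcall function 10009C10: _beginthreadex.MSVCRT ref: 10009CED
• GetProcAddress.KERNEL32(00000000,PluginDescript), ref: 100073E4
• GetTickCount.KERNEL32 ref: 1000B338
• OpenEventA.KERNEL32(001F0003,00000000,10019DF8), ref: 1000B399
• Sleep.KERNEL32(000000C8), ref: 1000B3A6
• GetTickCount.KERNEL32 ref: 1000B3CF
"""

# One line: optional "Part of subcall function <addr>:", then API.MODULE,
# optional "(args)", optional comma, then "ref: <call-site address>".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                 # address of the call site
    caller: Optional[int]    # set only for "Part of subcall function" lines


def parse_apis(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        caller = int(m["caller"], 16) if m["caller"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), caller))
    return calls


def hex_arg(arg: str) -> Optional[int]:
    """Joe Sandbox prints known immediates as 8 hex digits; '?' and string
    literals stay as text and yield None here."""
    return int(arg, 16) if HEX8.match(arg) else None


def total_sleep_ms(calls: List[ApiCall]) -> int:
    """Sum of Sleep(dwMilliseconds) with a known immediate: the minimum stall
    on this path if the sandbox does not shorten Sleep."""
    return sum(hex_arg(c.args[0]) or 0 for c in calls if c.api == "Sleep" and c.args)


def has_tick_sleep_check(calls: List[ApiCall]) -> bool:
    """GetTickCount, then Sleep, then GetTickCount again in address order:
    the sample measures whether its Sleep really took the requested time."""
    state = 0  # 0: nothing, 1: GetTickCount seen, 2: Sleep seen after it
    for c in sorted(calls, key=lambda c: c.ref):
        if c.api == "GetTickCount":
            if state == 2:
                return True
            state = 1
        elif c.api == "Sleep" and state == 1:
            state = 2
    return False


def dynamic_resolution(calls: List[ApiCall]) -> List[Optional[int]]:
    """Functions (None = the entry's own function) that call both LoadLibraryA
    and GetProcAddress, i.e. resolve imports at run time."""
    by_func = {}
    for c in calls:
        by_func.setdefault(c.caller, set()).add(c.api)
    return [f for f, apis in by_func.items() if {"LoadLibraryA", "GetProcAddress"} <= apis]


def named_lookups(calls: List[ApiCall]) -> List[str]:
    """Export names handed to GetProcAddress as string literals."""
    return [c.args[1] for c in calls
            if c.api == "GetProcAddress" and len(c.args) > 1
            and c.args[1] != "?" and hex_arg(c.args[1]) is None]


def summarize(calls: List[ApiCall]) -> dict:
    return {
        "calls": len(calls),
        "sleep_ms": total_sleep_ms(calls),
        "tick_sleep_check": has_tick_sleep_check(calls),
        "dynamic_resolvers": [f"{f:08X}" for f in dynamic_resolution(calls) if f is not None],
        "named_lookups": named_lookups(calls),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_apis(SAMPLE_APIS)).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports 5200 ms of fixed sleeps (five Sleep(000003E8) calls plus one Sleep(000000C8)), a GetTickCount/Sleep/GetTickCount sequence, run-time import resolution in subcall 10009C10, and `PluginDescript` as the only named export lookup; pointing it at a whole report lets you rank entries by sleep budget and find every function that probes for the plugin interface.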
APIs
  • Part of subcall function 1000B1A0: LoadLibraryA.KERNEL32(WININET.dll), ref: 1000B1CF
  • Part of subcall function 1000B1A0: GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 1000B1E3
• GetTickCount.KERNEL32 ref: 1000B338
• SetErrorMode.KERNEL32(00000001,1000B6E7,00000000,00000000), ref: 1000B354
  • Part of subcall function 10001E50: LoadLibraryA.KERNEL32(?,?), ref: 10001F42
  • Part of subcall function 10001E50: GetProcAddress.KERNEL32(00000000), ref: 10001F49
  • Part of subcall function 10001E50: putchar.MSVCRT(00000030), ref: 10001F69
  • Part of subcall function 10001E50: putchar.MSVCRT(00000030), ref: 10001F7D
• OpenEventA.KERNEL32(001F0003,00000000,10019DF8), ref: 1000B399
• Sleep.KERNEL32(000000C8), ref: 1000B3A6
• CloseHandle.KERNEL32(00000000), ref: 1000B3BD
• GetTickCount.KERNEL32 ref: 1000B3CF
• GetTickCount.KERNEL32 ref: 1000B3F6
• Sleep.KERNEL32(000003E8), ref: 1000B46F
• GetTickCount.KERNEL32 ref: 1000B4A0
• OpenEventA.KERNEL32(001F0003,00000000,10019DF8), ref: 1000B4B2
• WaitForSingleObject.KERNEL32(?,00000064), ref: 1000B4C0
• Sleep.KERNEL32(000001F4), ref: 1000B4CD
• Sleep.KERNEL32(00001B58), ref: 1000B4DC
• CloseHandle.KERNEL32(00000000), ref: 1000B4EA
  • Part of subcall function 10006020: TerminateThread.KERNEL32(?,000000FF,00000000,774D0F00,00000000,774D3000,1000B504), ref: 10006049
  • Part of subcall function 10006020: CloseHandle.KERNEL32 ref: 1000604E
  • Part of subcall function 10002000: puts.MSVCRT ref: 10002038
  • Part of subcall function 10002000: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,02060251), ref: 10002046
  • Part of subcall function 10002000: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,02060251), ref: 10002055
  • Part of subcall function 10002000: puts.MSVCRT ref: 10002060
  • Part of subcall function 10002000: puts.MSVCRT ref: 1000207C
  • Part of subcall function 10002000: CloseHandle.KERNEL32(?,?,?,02060251), ref: 1000208E
  • Part of subcall function 10002000: putchar.MSVCRT(00000030,?,?,02060251), ref: 10002092
                                                                                                                                                          • Part of subcall function 10002000: CloseHandle.KERNEL32(?,?,?,?,02060251), ref: 100020A2
                                                                                                                                                          • Part of subcall function 10002000: puts.MSVCRT ref: 100020A9
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: CloseHandleSleep$CountTickputs$putchar$AddressEventLibraryLoadObjectOpenProcSingleWait$ErrorModeTerminateThread
                                                                                                                                                        • String ID: Global\Net_%d
                                                                                                                                                        • API String ID: 1792166387-2580831578
                                                                                                                                                        • Opcode ID: 55889eb08c0914f3323868c280edeeee1b4105e97c92d8c123a9226246a69de6
                                                                                                                                                        • Instruction ID: 5633d2337d3570f43b6acf2c763b5705dfc7d6737f7177ffbfed4cccefe4dd79
                                                                                                                                                        • Opcode Fuzzy Hash: 55889eb08c0914f3323868c280edeeee1b4105e97c92d8c123a9226246a69de6
                                                                                                                                                        • Instruction Fuzzy Hash: 0351C0361487919BF322DFA4CC85BDE77A4EF89380F414518FA8A67195CF34AA09C763
                                                                                                                                                        APIs
                                                                                                                                                        • GetVersionExA.KERNEL32 ref: 1000AFC7
                                                                                                                                                        • RegCreateKeyExA.ADVAPI32(80000001,NetSubKey,00000000,00000000,00000000,00000001,00000000,00000000,?), ref: 1000B041
                                                                                                                                                        • LoadLibraryA.KERNEL32(KERNEL32.dll,GetComputerNameA), ref: 1000B057
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 1000B060
                                                                                                                                                        • RegQueryValueExA.ADVAPI32(00000100,100194E0,00000000,?,00000000,00000100), ref: 1000B086
                                                                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 1000B095
                                                                                                                                                        • LoadLibraryA.KERNEL32(KERNEL32.dll,GetSystemInfo), ref: 1000B110
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 1000B113
                                                                                                                                                        • GlobalMemoryStatus.KERNEL32(?), ref: 1000B142
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: AddressLibraryLoadProc$CloseCreateGlobalMemoryQueryStatusValueVersion
                                                                                                                                                        • String ID: $GetComputerNameA$GetSystemInfo$KERNEL32.dll$NetSubKey$f
                                                                                                                                                        • API String ID: 4260706138-2242480277
                                                                                                                                                        • Opcode ID: 1b70c042a5daae6eac26b5ddb01491ec40f038f441633611bf099e5530fe33e6
                                                                                                                                                        • Instruction ID: f1c101309c186f52230471729395df42fcdbabf24d58ad2736cc456e0828dd4c
                                                                                                                                                        • Opcode Fuzzy Hash: 1b70c042a5daae6eac26b5ddb01491ec40f038f441633611bf099e5530fe33e6
                                                                                                                                                        • Instruction Fuzzy Hash: 79515871508385ABE324CF24C884BEBBBE4FBC8344F00491DF69997290DB75E948CB52
                                                                                                                                                        APIs
                                                                                                                                                        • GetLogicalDriveStringsA.KERNEL32 ref: 10004203
                                                                                                                                                        • LoadLibraryA.KERNEL32(Shell32.dll), ref: 10004227
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,SHGetFileInfoA), ref: 10004239
                                                                                                                                                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000104), ref: 10004278
                                                                                                                                                        • lstrlenA.KERNEL32(?), ref: 100042A8
                                                                                                                                                        • lstrlenA.KERNEL32(?), ref: 100042B6
                                                                                                                                                        • GetDiskFreeSpaceExA.KERNEL32(00000001,?,?,00000000), ref: 100042D5
                                                                                                                                                        • GetDriveTypeA.KERNEL32(?), ref: 1000431C
                                                                                                                                                        • lstrlenA.KERNEL32(?), ref: 10004386
                                                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 1000439F
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: lstrlen$DriveFreeLibrary$AddressDiskInformationLoadLogicalProcSpaceStringsTypeVolume
                                                                                                                                                        • String ID: SHGetFileInfoA$Shell32.dll$g
                                                                                                                                                        • API String ID: 136248132-1398116833
                                                                                                                                                        • Opcode ID: 63cd8424de20299c576f3d1c2348b2e79d151a37f4d68f1b6ba2a3d68aae8eff
                                                                                                                                                        • Instruction ID: 5b02b7c2379839f1f0bd83767e16b30e0a39f6f39ad4268cb20a5dbbd5351246
                                                                                                                                                        • Opcode Fuzzy Hash: 63cd8424de20299c576f3d1c2348b2e79d151a37f4d68f1b6ba2a3d68aae8eff
                                                                                                                                                        • Instruction Fuzzy Hash: FF51C2715083559FD311DF10C880AAFBBE9FBC8740F45492DFACA97250CB70AA05CBA2
                                                                                                                                                        APIs
                                                                                                                                                        • putchar.MSVCRT ref: 1000386C
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 10003887
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 10003897
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 100038BF
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 100038EA
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 100038EE
                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00001000,?,?,?,?), ref: 100038FA
                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?), ref: 10003901
                                                                                                                                                          • Part of subcall function 100037A0: GetCurrentProcessId.KERNEL32(00000000,00000000,00000000,77303A20), ref: 100037B9
                                                                                                                                                        • putchar.MSVCRT(00000030,?,?,?,?,?,?), ref: 1000392F
                                                                                                                                                        • Sleep.KERNEL32(?,?,?,?,?,?,?,?), ref: 1000393C
                                                                                                                                                        • putchar.MSVCRT(00000030,?,?,?,?,?,?,?), ref: 1000394F
                                                                                                                                                        • GetTickCount.KERNEL32 ref: 10003954
                                                                                                                                                        • putchar.MSVCRT(00000030,?,?,?,?,?,?,?,?), ref: 1000395F
                                                                                                                                                        • putchar.MSVCRT(00000030,00000000,00001000,?,?,?,?,?,?,?,?), ref: 10003972
                                                                                                                                                        • putchar.MSVCRT(00000030,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1000399C
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: putchar$HeapProcess$AllocCountCurrentSleepTick
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2758985439-0
                                                                                                                                                        • Opcode ID: a8df8a81758e76899f2c783d8ef1c04281967ed1f6abcb27b60178c90fa4b6d4
                                                                                                                                                        • Instruction ID: f8b7a020ffe9ff2a1fe04dd0ad716be17218a72a21f376b12619278d8c98f993
                                                                                                                                                        • Opcode Fuzzy Hash: a8df8a81758e76899f2c783d8ef1c04281967ed1f6abcb27b60178c90fa4b6d4
                                                                                                                                                        • Instruction Fuzzy Hash: E03119706943006BF3119B64CC86F5B72D8EF44B94F004529FB4DAA2D0DAB5E609C66B
                                                                                                                                                        APIs
                                                                                                                                                        • putchar.MSVCRT ref: 100066CA
                                                                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,1000CFB4), ref: 100066D3
                                                                                                                                                        • putchar.MSVCRT(00000030,00000002,00000000,1000CFB4), ref: 100066DC
                                                                                                                                                        • putchar.MSVCRT ref: 100066E8
                                                                                                                                                        • Process32First.KERNEL32(00000000,?), ref: 100066F3
                                                                                                                                                        • putchar.MSVCRT(00000030,?,?,00000030), ref: 100066FA
                                                                                                                                                        • lstrcmpiA.KERNEL32(?,?), ref: 10006712
                                                                                                                                                        • putchar.MSVCRT(00000030,?,?,?,00000030), ref: 1000671A
                                                                                                                                                        • Process32Next.KERNEL32(00000000,?), ref: 10006725
                                                                                                                                                        • lstrcmpiA.KERNEL32(?,?), ref: 10006734
                                                                                                                                                        • putchar.MSVCRT(00000030,?,?,?,00000030), ref: 10006746
                                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000030), ref: 1000674C
• putchar.MSVCRT(00000030,?,?,?,?,00000030), ref: 10006754
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: putchar$Process32lstrcmpi$CloseCreateFirstHandleNextSnapshotToolhelp32
• String ID:
• API String ID: 1928693822-0
• Opcode ID: d2761e3851406ee1a002e23788e3bc96c2b3a8f80f4e69626256cff9cb31f0b0
• Instruction ID: 4f78c8412f87ed4eeca883bc78bd77c46e3fba895433fea6d0fff526a956e845
• Opcode Fuzzy Hash: d2761e3851406ee1a002e23788e3bc96c2b3a8f80f4e69626256cff9cb31f0b0
• Instruction Fuzzy Hash: 4711947160431867F200EB649C92FAF7A9CDF857C8F40042AFA4496181EB75EA18CBF3
APIs
• lstrlenA.KERNEL32(?,?,?), ref: 10004C7A
• FindFirstFileA.KERNEL32(?,?), ref: 10004CC5
• ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000001), ref: 10004D5A
• ??2@YAPAXI@Z.MSVCRT(00000018,?,00000001), ref: 10004D9D
• ??3@YAXPAX@Z.MSVCRT(0000005C), ref: 10004E06
• FindNextFileA.KERNEL32(?,?), ref: 10004E35
• FindClose.KERNEL32(?), ref: 10004E48
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: Find$File$??2@??3@CloseD@2@@std@@D@std@@FirstGrow@?$basic_string@NextU?$char_traits@V?$allocator@lstrlen
• String ID: %s%s%s$%s%s*.*$.
• API String ID: 2567169368-1343461528
• Opcode ID: 219c1ebaf9dca6f1a189b05b1975b9e9d065dcc1f11638b3c02074f49329988f
• Instruction ID: 71dd8b4dde0d95e1e20a087c3eeb1821ddc597d240e0a37750835cf90300ede5
• Opcode Fuzzy Hash: 219c1ebaf9dca6f1a189b05b1975b9e9d065dcc1f11638b3c02074f49329988f
• Instruction Fuzzy Hash: 4B51E5B14083809FD324CF24C884A9BBBE5FFC8744F424A1DF59A97251DB35E945CB56
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,chost.exe -k imgsvc,1000C915), ref: 1000B8EB
• OpenServiceA.ADVAPI32(00000000,Rsvxcj Otuftnsa Qwj,000F003F,?,?,?,?,?,?,?,?,?,?,?), ref: 1000B8FE
• StartServiceA.ADVAPI32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 1000B90B
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 1000B918
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 1000B91B
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: Service$CloseHandleOpen$ManagerStart
• String ID: Rsvxcj Otuftnsa Qwj$chost.exe -k imgsvc
• API String ID: 1485051382-2461265680
• Opcode ID: 80a839ee181e760cfcc0c6f4c976cc9a15f268929a294916c17868e52c7c3af2
• Instruction ID: 573fa93e01dafd1c0817bba3810fa5061af3ac22962802bf7d7cae148cd27705
• Opcode Fuzzy Hash: 80a839ee181e760cfcc0c6f4c976cc9a15f268929a294916c17868e52c7c3af2
• Instruction Fuzzy Hash: 46E012317812347FF63117619C49FBA3E68DB86FA2F114012FB19EB1D1CAB05902D6A5
APIs
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: CountTickrand$LocalTime
• String ID:
• API String ID: 3655434779-0
• Opcode ID: 641c7866c4df6c4ea5f3976af026a101deadc58631d7f60d094bd8f80917be4d
• Instruction ID: 1b79c5c9df3e1c51b29a4b4e2a68826460b1787a82ef1eb56ea4679697cbe800
• Opcode Fuzzy Hash: 641c7866c4df6c4ea5f3976af026a101deadc58631d7f60d094bd8f80917be4d
• Instruction Fuzzy Hash: 3001D237B4022247E320DBA9CC891A6B795EFD9351B4F8639EE48D3750E63C8C188691
APIs
• GetTickCount.KERNEL32 ref: 1000AB1C
  • Part of subcall function 1000A910: ??2@YAPAXI@Z.MSVCRT(0000002D), ref: 1000A916
  • Part of subcall function 1000A910: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 1000A944
  • Part of subcall function 10006B90: WaitForSingleObject.KERNEL32(?,000000FF,10007CA0,?,?,?,?,?,10013300,000000FF), ref: 10006B96
  • Part of subcall function 10006B90: Sleep.KERNEL32(00000096,?,?,?,?,?,10013300,000000FF), ref: 10006BA1
• GetTickCount.KERNEL32 ref: 1000AB63
• Sleep.KERNEL32(00000064), ref: 1000AB74
• GetTickCount.KERNEL32 ref: 1000AB76
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: CountTick$Sleep$??2@??3@ObjectSingleWait
• String ID:
• API String ID: 2046207290-0
• Opcode ID: 1879fdf892185a2a3ce3611540cd18c6d885bcd6d92faadc08a4dd75be08894f
• Instruction ID: c9fe937f839a00baf711299185c232bfa03818db41d34f9b5da1051e4d1f88c2
• Opcode Fuzzy Hash: 1879fdf892185a2a3ce3611540cd18c6d885bcd6d92faadc08a4dd75be08894f
• Instruction Fuzzy Hash: 5A01FC252002600BFA01EF788C9159FB7D7DF97AE07028A19D6D597297CF34E8C587E1
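Two of the function blocks above carry call sequences an analyst would want to pull out of a report of this size without reading every block: the OpenSCManagerA / OpenServiceA / StartServiceA chain (service-based persistence, with the service name passed to OpenServiceA) and the GetTickCount / Sleep(0x64) / GetTickCount triple (a 100 ms sleep bracketed by tick reads, the pattern behind the "detect sleep reduction" signature: a sandbox that patches Sleep to return early produces a near-zero delta). The Python below is an added example, not part of the report or of Joe Sandbox's tooling. It parses the bullet lines printed under an "APIs" header, groups them per function block and flags those two patterns. The sample text is constructed from lines in this report, with argument strings copied as printed (including the truncated "chost.exe -k imgsvc"); the rule names, the A/W-suffix folding and the block boundary at "Memory Dump Source" are the example's own choices.

```python
"""Triage helper for Joe Sandbox "APIs" function blocks (added example)."""
import re
from dataclasses import dataclass

# One bullet line: optional "Part of subcall function X:" prefix, then
# api.MODULE, optional (args), then "ref: <code address>".
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[^.\s]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Constructed sample in the report's own shape; values copied from this report.
SAMPLE = """\
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,chost.exe -k imgsvc,1000C915), ref: 1000B8EB
• OpenServiceA.ADVAPI32(00000000,Rsvxcj Otuftnsa Qwj,000F003F,?,?), ref: 1000B8FE
• StartServiceA.ADVAPI32(00000000,00000000,00000000,?), ref: 1000B90B
• CloseServiceHandle.ADVAPI32(00000000,?), ref: 1000B918
Memory Dump Source
• Source File: (omitted)
APIs
• GetTickCount.KERNEL32 ref: 1000AB1C
  • Part of subcall function 10006B90: Sleep.KERNEL32(00000096,?), ref: 10006BA1
• GetTickCount.KERNEL32 ref: 1000AB63
• Sleep.KERNEL32(00000064), ref: 1000AB74
• GetTickCount.KERNEL32 ref: 1000AB76
Memory Dump Source
APIs
• FindFirstFileA.KERNEL32(?,?,?), ref: 10004F90
• FindClose.KERNEL32(00000000,0000006D), ref: 10004FB9
"""


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str
    subcall: bool  # True for "Part of subcall function" lines


def parse_blocks(text):
    """Return a list of blocks; each block is the list of Calls under one 'APIs' header."""
    blocks, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            blocks.append(current)
        elif stripped == "Memory Dump Source":
            current = None  # end of the API list for this function
        elif current is not None and (m := API_LINE.match(line)):
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw is not None else []
            current.append(Call(m.group("api"), m.group("module"), args,
                                m.group("ref").upper(), m.group("sub") is not None))
    return blocks


def direct_calls(block):
    return [c for c in block if not c.subcall]


def base_name(api):
    """Fold the ANSI/Unicode suffix so OpenServiceA and OpenServiceW compare equal."""
    return api[:-1] if len(api) > 1 and api[-1] in "AW" else api


def hex_arg(value):
    """Report arguments are zero-padded hex; '?' (unknown) becomes None."""
    try:
        return int(value, 16)
    except ValueError:
        return None


def find_timing_check(block):
    """GetTickCount, Sleep(n), GetTickCount as consecutive direct calls."""
    calls = direct_calls(block)
    for a, b, c in zip(calls, calls[1:], calls[2:]):
        if (a.api, b.api, c.api) == ("GetTickCount", "Sleep", "GetTickCount"):
            ms = hex_arg(b.args[0]) if b.args else None
            return {"rule": "timing_check", "ref": a.ref, "sleep_ms": ms}
    return None


def find_service_start(block):
    """OpenSCManager + OpenService + StartService in one function; extract the service name."""
    by_name = {}
    for c in direct_calls(block):
        by_name.setdefault(base_name(c.api), c)
    if not {"OpenSCManager", "OpenService", "StartService"} <= by_name.keys():
        return None
    svc = by_name["OpenService"]
    name = svc.args[1] if len(svc.args) > 1 else "?"  # lpServiceName is the 2nd argument
    return {"rule": "service_start", "ref": by_name["OpenSCManager"].ref, "service": name}


def triage(text):
    findings = []
    for idx, block in enumerate(parse_blocks(text)):
        for rule in (find_timing_check, find_service_start):
            hit = rule(block)
            if hit:
                findings.append({"block": idx, **hit})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Run against a whole report, feed the text of every "APIs" section through `triage`; a `timing_check` hit with `sleep_ms` of 100 and a `service_start` hit naming "Rsvxcj Otuftnsa Qwj" are what this section yields. The sequence rule deliberately ignores "Part of subcall" lines, since those describe callees and would otherwise break the adjacency the timing check relies on.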
APIs
  • Part of subcall function 10003FE0: putchar.MSVCRT(00000030), ref: 1000400F
  • Part of subcall function 10003FE0: lstrlenA.KERNEL32(?), ref: 1000401C
  • Part of subcall function 10003FE0: malloc.MSVCRT ref: 10004024
  • Part of subcall function 10003FE0: lstrcpyA.KERNEL32(00000000,?), ref: 1000403C
  • Part of subcall function 10003FE0: GetFileAttributesA.KERNEL32(00000000), ref: 100040CA
  • Part of subcall function 10003FE0: Sleep.KERNEL32(00000000), ref: 100040DA
  • Part of subcall function 10003FE0: CreateDirectoryA.KERNEL32(00000000,00000000), ref: 100040DF
  • Part of subcall function 10003FE0: Sleep.KERNEL32(00000000), ref: 100040EA
  • Part of subcall function 10003FE0: GetLastError.KERNEL32 ref: 100040EC
  • Part of subcall function 10003FE0: Sleep.KERNEL32(00000000), ref: 100040FB
  • Part of subcall function 10003FE0: free.MSVCRT ref: 1000414E
• FindFirstFileA.KERNEL32(?,?,?), ref: 10004F90
• FindClose.KERNEL32(00000000,0000006D), ref: 10004FB9
• FindClose.KERNEL32(00000000), ref: 10004FD4
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: FindSleep$CloseFile$AttributesCreateDirectoryErrorFirstLastfreelstrcpylstrlenmallocputchar
• String ID:
• API String ID: 4231297493-0
• Opcode ID: 020021277c6f82ba6895b0e5215d315754f71a7a9f1bfb7f647ee3ec38039f44
• Instruction ID: a524562f6f20514a9f1e211fd013143e5490745514869849d9da3b1f7a3de46f
• Opcode Fuzzy Hash: 020021277c6f82ba6895b0e5215d315754f71a7a9f1bfb7f647ee3ec38039f44
• Instruction Fuzzy Hash: C11127B27001050BE704DA25EC816BAB399FB88360F564639FE1ECB2E5CE76AC088254
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 9c7d72491318557dbb90d2c49cc7d1b1e9eb038b31fa4bcaec56af33f8832ca2
                                                                                                                                                        • Instruction ID: 62df1c32af5a89a33027f5fb1123ec19502fc2a5d6147cb235867192f123acb6
                                                                                                                                                        • Opcode Fuzzy Hash: 9c7d72491318557dbb90d2c49cc7d1b1e9eb038b31fa4bcaec56af33f8832ca2
                                                                                                                                                        • Instruction Fuzzy Hash: 051271B16047428FDB08CF18D89462ABBE6EFC8340F15896DE889DB749E731ED45CB91
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 32e37a652251cbfee229fccee3e03fcd73a05a8172dc5b9106e482fa1e3c96b6
                                                                                                                                                        • Instruction ID: a77f81f1db0b63d3f04af79e53060093bb84884b39478aee8f56f9793cb98a96
                                                                                                                                                        • Opcode Fuzzy Hash: 32e37a652251cbfee229fccee3e03fcd73a05a8172dc5b9106e482fa1e3c96b6
                                                                                                                                                        • Instruction Fuzzy Hash: 661271B16047428FDB08CF18D89462ABBE6EFC8340F15896DE889DB749E731ED45CB91
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: f9d10b59028ef4823a23d978a5b13036c39b6c671c108ad2f41e88a65a6ab98e
                                                                                                                                                        • Instruction ID: 4347b1a0135841cdc494bb4f2d8e10f49536f3c281dc4755a0b40ae3240a7c3e
                                                                                                                                                        • Opcode Fuzzy Hash: f9d10b59028ef4823a23d978a5b13036c39b6c671c108ad2f41e88a65a6ab98e
                                                                                                                                                        • Instruction Fuzzy Hash: 811259B46097028FC748CF29D590A5ABBE1FF88344F158A6DE49ACB351E730E984CF52
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: d4bfdb248b3fb90f8076a3fe4a1e75f7bd1b50aa5aafde52d762773f77742459
                                                                                                                                                        • Instruction ID: 343342247051c8f4a22b30209f15c22663af5fe03a0433f683548e584e4d2ab6
                                                                                                                                                        • Opcode Fuzzy Hash: d4bfdb248b3fb90f8076a3fe4a1e75f7bd1b50aa5aafde52d762773f77742459
                                                                                                                                                        • Instruction Fuzzy Hash: 4EF18A726092418FC309CF18D5949E27BE2EFA8754B1F42F9E4899B363D772D881CB91
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 00f9db0b3a6346192d9b377db9bae1cf7b1e063801f0658ea5cd927bcabc5565
                                                                                                                                                        • Instruction ID: 3aa9b1007b0871d03c8193c1b7c5151320c71ca78730384c2ea6036736d3b0bc
                                                                                                                                                        • Opcode Fuzzy Hash: 00f9db0b3a6346192d9b377db9bae1cf7b1e063801f0658ea5cd927bcabc5565
                                                                                                                                                        • Instruction Fuzzy Hash: 37E1D3B5600A018FD324DF19D490A1AFBF2FF89350B25C96ED89ACB765D731E846CB60
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 6dadc50af3b165b39ec0871a86be54c7141af01d7fa03030e0d142d4c0d7edd0
                                                                                                                                                        • Instruction ID: 3bbc6e223495cb3482dff837f07039d0b1ca03b159b538c561b041ce48bc9d1a
                                                                                                                                                        • Opcode Fuzzy Hash: 6dadc50af3b165b39ec0871a86be54c7141af01d7fa03030e0d142d4c0d7edd0
                                                                                                                                                        • Instruction Fuzzy Hash: 7DD1D4B560C3928FC718CF2CD49015AFBE1EB89310F198A6DE9DA97342C730E965CB85
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: c113c2fab58bda0f4d020dcd83353ef7307b387466b874cfd1a81997b0ade2be
                                                                                                                                                        • Instruction ID: 6433e4a67ac878868c67390cc6ad78d436d186cafa988f2af5c9c52bd1a70c6b
                                                                                                                                                        • Opcode Fuzzy Hash: c113c2fab58bda0f4d020dcd83353ef7307b387466b874cfd1a81997b0ade2be
                                                                                                                                                        • Instruction Fuzzy Hash: 5DD11379614B818FE324CF28C980AA7B7E6FF89744B14892DD8DA87B55DB31F845CB40
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
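The entries in this listing are Joe Sandbox's per-function similarity records for the DLL mapped at 0x10000000 inside rundll32 (PID 9). Two of them stand out: the functions with Opcode IDs 9c7d7249… and 32e37a65… have Instruction Fuzzy Hashes that differ only in the first two hex digits. The Python helper below is an added example, not part of the report or of Joe Sandbox's tooling: it parses entries in this format, strips the "Download File" link text that page extraction fused onto the dump names, and reports pairs of functions whose fuzzy hashes are near-identical. The three embedded entries are copied from this report (abbreviated to one Associated line each); the positional nibble distance and the threshold of 8 are assumptions chosen for triage, not Joe Sandbox's own similarity measure.

```python
"""Parse Joe Sandbox 'Similarity' function entries and flag near-identical
Instruction Fuzzy Hashes. Added example, not Joe Sandbox code: the nibble
distance below is an assumed triage heuristic, not Joe Sandbox's own metric."""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Three consecutive entries copied from this report (abbreviated to one
# 'Associated' line; the first keeps the fused 'Download File' link text).
SAMPLE_REPORT = """\
Similarity
• API ID:
• Opcode ID: 9c7d72491318557dbb90d2c49cc7d1b1e9eb038b31fa4bcaec56af33f8832ca2
• Instruction ID: 62df1c32af5a89a33027f5fb1123ec19502fc2a5d6147cb235867192f123acb6
• Opcode Fuzzy Hash: 9c7d72491318557dbb90d2c49cc7d1b1e9eb038b31fa4bcaec56af33f8832ca2
• Instruction Fuzzy Hash: 051271B16047428FDB08CF18D89462ABBE6EFC8340F15896DE889DB749E731ED45CB91
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• Opcode ID: 32e37a652251cbfee229fccee3e03fcd73a05a8172dc5b9106e482fa1e3c96b6
• Instruction ID: a77f81f1db0b63d3f04af79e53060093bb84884b39478aee8f56f9793cb98a96
• Instruction Fuzzy Hash: 661271B16047428FDB08CF18D89462ABBE6EFC8340F15896DE889DB749E731ED45CB91
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• Opcode ID: f9d10b59028ef4823a23d978a5b13036c39b6c671c108ad2f41e88a65a6ab98e
• Instruction ID: 4347b1a0135841cdc494bb4f2d8e10f49536f3c281dc4755a0b40ae3240a7c3e
• Instruction Fuzzy Hash: 811259B46097028FC748CF29D590A5ABBE1FF88344F158A6DE49ACB351E730E984CF52
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
"""

SECTION_HEADERS = {"Similarity", "Memory Dump Source", "Joe Sandbox IDA Plugin"}
LINK_RESIDUE = "Download File"  # link label the page extraction glued onto .sdmp names


@dataclass
class FunctionEntry:
    fields: Dict[str, str] = field(default_factory=dict)
    associated: List[str] = field(default_factory=list)

    @property
    def instruction_fuzzy(self) -> str:
        return self.fields.get("Instruction Fuzzy Hash", "")

    @property
    def image_base(self) -> Optional[int]:
        """Image base from 'Source File: <dump>, Offset: 10000000, based on PE: true'."""
        for part in self.fields.get("Source File", "").split(","):
            if part.strip().startswith("Offset:"):
                return int(part.split(":", 1)[1], 16)
        return None


def parse_entries(text: str) -> List[FunctionEntry]:
    """One FunctionEntry per 'Similarity' block; the other headers only group lines."""
    entries: List[FunctionEntry] = []
    current: Optional[FunctionEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Similarity":
            current = FunctionEntry()
            entries.append(current)
            continue
        if not line or line in SECTION_HEADERS or current is None:
            continue
        key, sep, value = line.lstrip("• ").partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if value.endswith(LINK_RESIDUE):
            value = value[: -len(LINK_RESIDUE)].strip()
        if key == "Associated":
            current.associated.append(value)
        else:
            current.fields[key] = value
    return entries


def nibble_distance(a: str, b: str) -> Optional[int]:
    """Positions at which two equal-length hex strings differ (assumption: the
    fuzzy hash is positional, so a small count means near-identical code)."""
    if not a or not b or len(a) != len(b):
        return None
    return sum(x != y for x, y in zip(a.upper(), b.upper()))


def near_duplicates(entries: List[FunctionEntry], max_distance: int = 8) -> List[Tuple[int, int, int]]:
    """Index pairs whose Instruction Fuzzy Hashes differ in at most max_distance nibbles."""
    pairs = combinations(range(len(entries)), 2)
    scored = ((i, j, nibble_distance(entries[i].instruction_fuzzy, entries[j].instruction_fuzzy)) for i, j in pairs)
    return [(i, j, d) for i, j, d in scored if d is not None and d <= max_distance]
```

Feeding the whole report text to `near_duplicates(parse_entries(text))` surfaces the pair at indices 0 and 1 with a distance of 2 while the third entry stays unmatched; functions that share a fuzzy hash but carry different Opcode IDs are the ones worth opening side by side in the dump, since they are usually two copies of one routine rather than two unrelated functions.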
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID:
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID:
                                                                                                                                                        • Opcode ID: 6809808a2ba96c87455d5f6e1c3195e436621037f185f775b8c264050e26be00
                                                                                                                                                        • Instruction ID: 00982f202dc23290e3c545f4a46fe6e12495fbaa4b987746159241d908316009
                                                                                                                                                        • Opcode Fuzzy Hash: 6809808a2ba96c87455d5f6e1c3195e436621037f185f775b8c264050e26be00
                                                                                                                                                        • Instruction Fuzzy Hash: 24D179756082918FC319CF58E9D88E67BE1FFA8740B0E42F8D9899B323D7319981CB55
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• Opcode ID: 3be4eaa125058311339f9319d3f1e7313b2b3966a8e003bc98431c452c3d8c9c
• Instruction ID: 11df302a929d00ec58f297f4ddb57812d55fc72450f27170649e5808e413830e
• Instruction Fuzzy Hash: 5AB12675214B818FD328CF28C9909A7B7E6FF89344B19892DD8DAC7B55DA71F841CB40
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• Opcode ID: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
• Instruction ID: 7b8a33447366177497ceda1ae73addc54ee261a79d5c10cfc8abdfe8d768dd0d
• Instruction Fuzzy Hash: CB313E33B4558203F71DCA2F9CA13BAEAD34FC526872ED47E99CA8775AECB944174104

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32 ref: 1000A014
• GetProcAddress.KERNEL32(00000000), ref: 1000A01D
• LoadLibraryA.KERNEL32(00000074,?), ref: 1000A09C
• GetProcAddress.KERNEL32(00000000), ref: 1000A09F
• LoadLibraryA.KERNEL32(WININET.dll), ref: 1000A0C1
• GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 1000A0CB
• GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 1000A0F1
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: .$.23l$2$2$3$3$A$C$F$F$InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$MZ$Mozilla/4.0 (compatible)$W$WININET.dll$a$d$i$i$i$k$k$l$l$l$l$l$l$n$n$r$r$r$r$t$t
• API String ID: 2238633743-4141200281
• Opcode ID: 2482afd2cfa1ccc812f456c6c8aba89e2ab3aec57a854ff2cadc764c7b8402bf
• Instruction ID: de272be500539869655261cd32d5cb3c468ca37c0b60d83a75590ebed541eb82
• Instruction Fuzzy Hash: 83715A7154C3C0DEE312C7688844B5BBFE9ABD6648F44494EF2C497282C7BAD548C767

Control-flow Graph

APIs
  • Part of subcall function 10006A00: LoadLibraryA.KERNEL32 ref: 10006A95
  • Part of subcall function 10006A00: GetProcAddress.KERNEL32(00000000), ref: 10006A9C
• LoadLibraryA.KERNEL32 ref: 10008EFF
• GetProcAddress.KERNEL32(00000000), ref: 10008F02
• LoadLibraryA.KERNEL32(Kernel32.dll), ref: 10008F11
• GetProcAddress.KERNEL32 ref: 10008F96
• CloseHandle.KERNEL32(?), ref: 10008FBC
• CloseHandle.KERNEL32(?), ref: 10008FC9
• CloseHandle.KERNEL32(?), ref: 10008FF1
• CloseHandle.KERNEL32(?), ref: 10008FFE
• putchar.MSVCRT(00000030), ref: 1000902A
• GetStartupInfoA.KERNEL32(?), ref: 10009034
• putchar.MSVCRT(00000030), ref: 1000903C
• putchar.MSVCRT ref: 10009076
• putchar.MSVCRT(00000030,?,00000030), ref: 1000908E
• putchar.MSVCRT(00000030,?,00000030), ref: 100090C9
• GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 100090D9
• putchar.MSVCRT(00000030), ref: 10009107
• CloseHandle.KERNEL32(?), ref: 10009116
• CloseHandle.KERNEL32(?), ref: 1000911C
• CloseHandle.KERNEL32(?), ref: 10009122
• CloseHandle.KERNEL32 ref: 10009127
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: CloseHandle$putchar$AddressProc$LibraryLoad$InfoStartup
• String ID: .$2$3$A$CreatePipe$CreateProcessA$D$D$G$Kernel32.dll$S$\cmd.exe$c$d$i$k$m$n$o$s$y$y$~
• API String ID: 884780310-1985334945
• Opcode ID: a25613b396ae078b07f60e0f80f77df10a06c23feb6a0221ff1f0205ca86c549
• Instruction ID: 92b4312836d0b664c96ea0d957f791a25f1c06207bf06424cb488ff06aa1e75d
• Instruction Fuzzy Hash: 59B17C71608385AFE311CF69CC84B8BBBE5AF99744F04491DF2889B291CBB59508CB66

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32 ref: 10005233
• GetProcAddress.KERNEL32(00000000), ref: 1000523C
• LoadLibraryA.KERNEL32 ref: 100052BB
• GetProcAddress.KERNEL32(00000000), ref: 100052BE
• SetFilePointer.KERNEL32(00000000,?,?,00000000), ref: 100052F6
• CloseHandle.KERNEL32(00000000), ref: 10005315
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: AddressLibraryLoadProc$CloseFileHandlePointer
• String ID: .$.23l$2$2$3$3$A$C$F$F$W$a$d$i$i$i$k$k$l$l$l$l$l$l$n$n$p$r$r$r$r$t$t
• API String ID: 193975428-3157539632
• Opcode ID: ac09d4ca584da2090cac17b715c8122113b6397f4c5cfeaa81ddba853a5eb704
• Instruction ID: 077276ec6de4aaa2303604d1f5bfa5e13a17a93567dd9e965df7bc7d3517efca
• Instruction Fuzzy Hash: 7951C47114C3C0DEE312C6688888B5BFFE56BA6748F48498DF2C44B392C6BA9518C777

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32 ref: 10006D68
• GetProcAddress.KERNEL32(00000000), ref: 10006D71
• LoadLibraryA.KERNEL32 ref: 10006DF7
• GetProcAddress.KERNEL32(00000000), ref: 10006DFA
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 10006E2B
• CloseHandle.KERNEL32(00000000), ref: 10006E59
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: AddressLibraryLoadProc$CloseFileHandlePointer
                                                                                                                                                        • String ID: .$.23l$2$2$3$3$A$C$F$F$W$a$d$i$i$i$k$k$l$l$l$l$l$l$n$n$r$r$r$r$t$t
                                                                                                                                                        • API String ID: 193975428-3922351243
                                                                                                                                                        • Opcode ID: 3eb22b924cdbaa3a11f5768bad002c79b842aa24c5e8777c4552da5a57475fb6
                                                                                                                                                        • Instruction ID: ec70056c07158d71e8cb762106c6bbacea669e543e5d75efb5f261fc64d72568
                                                                                                                                                        • Opcode Fuzzy Hash: 3eb22b924cdbaa3a11f5768bad002c79b842aa24c5e8777c4552da5a57475fb6
                                                                                                                                                        • Instruction Fuzzy Hash: 8B51076110C3C0DDE312C6288888B5BBFD55BE7658F48498DF6C85B292C3FA9618C77B
APIs
• LoadLibraryA.KERNEL32(KERNEL32.dll,OpenProcess,00000050,00000050), ref: 1000973A
• GetProcAddress.KERNEL32(00000000), ref: 1000973D
• putchar.MSVCRT(00000030), ref: 1000977E
  • Part of subcall function 1000B920: GetCurrentProcess.KERNEL32(00000028,00000000,?,1000BB40,?,?), ref: 1000B92A
  • Part of subcall function 1000B920: OpenProcessToken.ADVAPI32(00000000), ref: 1000B931
  • Part of subcall function 1000B920: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 1000B947
  • Part of subcall function 1000B920: AdjustTokenPrivileges.KERNELBASE ref: 1000B96F
• putchar.MSVCRT(00000030,SeDebugPrivilege), ref: 1000978C
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10009794
• putchar.MSVCRT(00000030,00000002,00000000), ref: 100097A1
• LocalAlloc.KERNEL32 ref: 100097C7
• LoadLibraryA.KERNEL32(PSAPI.dll), ref: 100097DC
• putchar.MSVCRT(00000030), ref: 100097E2
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 100097ED
• putchar.MSVCRT(00000030), ref: 100097F9
• putchar.MSVCRT(00000030), ref: 100097FD
• GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 10009808
• putchar.MSVCRT(00000030), ref: 10009814
• Process32First.KERNEL32(?,?), ref: 10009823
• putchar.MSVCRT(00000030,?,?), ref: 10009832
• putchar.MSVCRT(00000030), ref: 1000984B
• putchar.MSVCRT(00000030), ref: 10009870
• putchar.MSVCRT(00000030), ref: 10009888
• putchar.MSVCRT(00000030), ref: 100098A6
• lstrlenA.KERNEL32(?), ref: 100098B6
• lstrlenA.KERNEL32(?), ref: 100098C6
• LocalSize.KERNEL32(00000000), ref: 100098D4
• LocalReAlloc.KERNEL32(00000000,774D0440,00000042), ref: 100098E2
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: putchar$AddressLocalProc$AllocLibraryLoadProcessTokenlstrlen$AdjustCreateCurrentFirstLookupOpenPrivilegePrivilegesProcess32SizeSnapshotToolhelp32Value
• String ID: EnumProcessModules$GetModuleFileNameExA$KERNEL32.dll$OpenProcess$PSAPI.dll$SeDebugPrivilege
• API String ID: 3404623018-3297456083
• Opcode ID: 81750315ac5d2126ea87fdfb9c27857549cbb9a70036cfbdd78f14389a4c714d
• Instruction ID: 00e844cd9759602d371076a0c224a7f44a465194c58652756db928e63df3d39c
• Opcode Fuzzy Hash: 81750315ac5d2126ea87fdfb9c27857549cbb9a70036cfbdd78f14389a4c714d
• Instruction Fuzzy Hash: 1761D571604304ABE301DBA4CC45BAFB7E8EBC8344F41492DF64597290DB75EA09CB96
APIs
• puts.MSVCRT ref: 100011AA
• GetProcAddress.KERNEL32(00000000,waveInReset), ref: 100011C0
• Sleep.KERNEL32(00000000), ref: 100011CE
• puts.MSVCRT ref: 100011D5
• GetProcAddress.KERNEL32(00000000,waveInStop), ref: 100011E6
• Sleep.KERNEL32(00000000), ref: 100011EE
• puts.MSVCRT ref: 100011F5
• GetProcAddress.KERNEL32(00000000,waveInClose), ref: 10001206
• Sleep.KERNEL32(00000000), ref: 1000120E
• puts.MSVCRT ref: 10001215
• GetProcAddress.KERNEL32(00000000,waveInUnprepareHeader), ref: 10001225
• Sleep.KERNEL32(00000000), ref: 1000122D
• puts.MSVCRT ref: 10001234
• GetProcAddress.KERNEL32(00000000,waveOutReset), ref: 10001245
• Sleep.KERNEL32(00000000), ref: 1000124D
• puts.MSVCRT ref: 10001254
• GetProcAddress.KERNEL32(00000000,waveOutClose), ref: 10001265
• Sleep.KERNEL32(00000000), ref: 1000126D
• puts.MSVCRT ref: 10001274
• GetProcAddress.KERNEL32(00000000,waveOutUnprepareHeader), ref: 10001284
• Sleep.KERNEL32(00000000), ref: 1000128A
• TerminateThread.KERNEL32(?,000000FF), ref: 100012CC
• ??3@YAXPAX@Z.MSVCRT(?), ref: 1000130E
• ??3@YAXPAX@Z.MSVCRT(00000000,?), ref: 10001316
• ??3@YAXPAX@Z.MSVCRT(?,00000000,?), ref: 1000131F
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?), ref: 10001328
• CloseHandle.KERNEL32(?), ref: 10001340
• CloseHandle.KERNEL32(?), ref: 10001346
• CloseHandle.KERNEL32(?), ref: 1000134C
• FreeLibrary.KERNEL32(00000000), ref: 10001354
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: AddressProcSleepputs$??3@$CloseHandle$FreeLibraryTerminateThread
• String ID: waveInClose$waveInReset$waveInStop$waveInUnprepareHeader$waveOutClose$waveOutReset$waveOutUnprepareHeader
• API String ID: 1978483368-3528797567
• Opcode ID: 3b0707eba582d79704fbf44d158fcb293e6f4f21a2b6f5553b3dc6c84939f001
• Instruction ID: 6d826b727beab6b9e9fa85d531dc8da3717c5ae0eebb46976724cfd29badb94a
• Opcode Fuzzy Hash: 3b0707eba582d79704fbf44d158fcb293e6f4f21a2b6f5553b3dc6c84939f001
• Instruction Fuzzy Hash: 0E51D2B5600304ABE210EBB5CC85E5BB7F8FF8C648F014A08F2459B261DB35F951CB65
APIs
• LoadLibraryA.KERNEL32 ref: 1000A28D
• GetProcAddress.KERNEL32(00000000), ref: 1000A296
• LoadLibraryA.KERNEL32(user32.dll), ref: 1000A29F
• GetProcAddress.KERNEL32(00000000,CreateWindowExA), ref: 1000A2D9
• putchar.MSVCRT(00000030), ref: 1000A300
• LoadLibraryA.KERNEL32(AVICAP32.dll), ref: 1000A30A
• GetProcAddress.KERNEL32(00000000,capCreateCaptureWindowA), ref: 1000A314
• putchar.MSVCRT(00000030), ref: 1000A335
• FreeLibrary.KERNEL32(00000000), ref: 1000A33B
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: Library$AddressLoadProc$putchar$Free
• String ID: #32770$.$2$3$A$AVICAP32.dll$C$CVideoCap$CreateWindowExA$E$a$capCreateCaptureWindowA$d$k$user32.dll$v
• API String ID: 2049744097-2986035306
• Opcode ID: 7a96d2983503f3db0c584746443fc64fc9a540b0d8773938c1fc82cbb2a4673f
• Instruction ID: 03e10025ee6acb9746b0a410ae59cf37f14dcc4886d1fa117dea9fde7a70c308
• Opcode Fuzzy Hash: 7a96d2983503f3db0c584746443fc64fc9a540b0d8773938c1fc82cbb2a4673f
• Instruction Fuzzy Hash: F841C52114D3C09AE311DB788C80B9BBFD4ABA6648F04495DF6C85B282C6B9D648C76B
APIs
• LoadLibraryA.KERNEL32 ref: 100065FC
• GetProcAddress.KERNEL32(00000000), ref: 10006603
• putchar.MSVCRT(00000030), ref: 10006613
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000001,?,?,?,?,?,?,?,?,100062AE), ref: 10006621
• putchar.MSVCRT(00000030,?,?,?,?,?,?,?,?,100062AE), ref: 1000662B
• OpenServiceA.ADVAPI32(00000000,10019E2C,00010000,?,?,?,?,?,?,?,?,?,?,100062AE), ref: 1000663B
• putchar.MSVCRT(00000030,?,?,?,?,?,?,?,?,?,?,100062AE), ref: 10006645
• putchar.MSVCRT(00000030,?,?,?,?,?,?,?,?,?,?,?,100062AE), ref: 10006653
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,100062AE), ref: 1000665F
• putchar.MSVCRT(00000030,?,?,?,?,?,?,?,?,?,?,?,?,100062AE), ref: 10006663
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,100062AE), ref: 10006669
• Sleep.KERNEL32(0000000A), ref: 1000667B
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: putchar$Service$CloseHandleOpen$AddressLibraryLoadManagerProcSleep
                                                                                                                                                        • String ID: .$2$3$E$P$c$d$i$k$n$o$t$x
                                                                                                                                                        • API String ID: 327005149-4279487574
                                                                                                                                                        • Opcode ID: 713d76c016e48ae7b41700cd61715853ca59d62f3282018777af83db709f2438
                                                                                                                                                        • Instruction ID: 566a6e571541d5d4a80e141a062ae79845bcab10f8ca0e6710c887b49b8c068e
                                                                                                                                                        • Opcode Fuzzy Hash: 713d76c016e48ae7b41700cd61715853ca59d62f3282018777af83db709f2438
                                                                                                                                                        • Instruction Fuzzy Hash: 7A318C2154C3C09EE302DB689C49B4BBFD40BA6B48F08089DF2C45A2C3D6A6934CC7B7
APIs
• strncpy.MSVCRT ref: 10006F2D
• GetModuleHandleA.KERNEL32(?), ref: 10006F3B
• GetProcAddress.KERNEL32(00000000,PluginDelete), ref: 10006F4D
• FreeLibrary.KERNEL32(00000000), ref: 10006F8F
• sprintf.MSVCRT ref: 10006FC6
• DeleteFileA.KERNEL32(?), ref: 10006FD7
  • Part of subcall function 10006BB0: SetEvent.KERNEL32(?,10007975), ref: 10006BB4
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: AddressDeleteEventFileFreeHandleLibraryModuleProcsprintfstrncpy
• String ID: %s\%s$PluginDelete$PluginEnd$PluginStart$`1Mw
• API String ID: 1528736596-3212311150
• Opcode ID: 21b9ea2c45e6f46a5309ee6b972e6a5e653e45d98305c80dcc47e1168cb2755b
• Instruction ID: 25cd48fead932a265b388fa6ddf823d8e03d6f272e33806722926d3e0ffb110a
• Opcode Fuzzy Hash: 21b9ea2c45e6f46a5309ee6b972e6a5e653e45d98305c80dcc47e1168cb2755b
• Instruction Fuzzy Hash: 14A106765042846BE325DB68DC85EEBB7E9FBD8350F004D2EF78993141DF39960887A2
APIs
  • Part of subcall function 10001A00: LoadLibraryA.KERNEL32(kernel32.dll,00000000,?,10001E7D,00000000,774D0F00), ref: 10001A1A
  • Part of subcall function 10001A00: GetProcAddress.KERNEL32(00000000,InitializeCriticalSection), ref: 10001A28
  • Part of subcall function 10001A00: FreeLibrary.KERNEL32(00000000), ref: 10001A35
• LoadLibraryA.KERNEL32(?,?), ref: 10001F42
• GetProcAddress.KERNEL32(00000000), ref: 10001F49
• putchar.MSVCRT(00000030), ref: 10001F69
• putchar.MSVCRT(00000030), ref: 10001F7D
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: Library$AddressLoadProcputchar$Free
• String ID: :0w$.23$0$2$3$A$C$E$G$a$h$k$r$r$s$t$t$v
• API String ID: 1841845750-2930515468
• Opcode ID: b9b099d6f9eddf0d73ba2a459739dc75e8ff24d81f91c372dfe29c67358e53a7
• Instruction ID: 4b0fb8dc0bb8be93032a36d3b58fd2c8cd9a57c77812479b640be8ed250744d9
• Opcode Fuzzy Hash: b9b099d6f9eddf0d73ba2a459739dc75e8ff24d81f91c372dfe29c67358e53a7
• Instruction Fuzzy Hash: 08414F7110D3C0DEE312CB688884B9BBFD4ABA6748F484A5DF4D917292C7B9960CC767
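The three function listings above are the kind of per-function evidence an analyst has to triage by hand. Decoded against the Windows SDK values, the third argument of OpenSCManagerA at 10006621, 000F003F, is SC_MANAGER_ALL_ACCESS, and the third argument of OpenServiceA at 1000663B, 00010000, is DELETE, so that function opens a named service with delete rights. The PluginStart/PluginEnd/PluginDelete export lookups followed by FreeLibrary and DeleteFileA at 10006FD7 describe a plugin module being unloaded and removed from disk. The LoadLibraryA/GetProcAddress pairs at 10001A28 and 10001F49, together with String ID entries made of single characters, are consistent with module and export names being assembled a character at a time before the import is resolved at run time. The Python below is an added triage helper, not part of the sandbox report or of Joe Sandbox: it parses the report's "• Api.MODULE(args), ref: ADDR" lines and flags those three patterns. The access-mask constants are the SDK values; the heuristic names, the Call layout, and the excerpted sample listings (the service function's putchar lines are omitted) are this example's own choices.

```python
"""Triage helper for Joe Sandbox per-function API listings.

Added example, not part of the sandbox report or of Joe Sandbox: it parses the
"• Api.MODULE(arg,...), ref: ADDR" lines printed per function and flags three
behaviours seen in the GhostRat functions above. Access masks are the Windows SDK
values; heuristic names and the Call layout are this example's own.
"""
import re
from dataclasses import dataclass

API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>\w+)"  # e.g. OpenServiceA.ADVAPI32
    r"(?:\((?P<args>[^)]*)\))?"             # optional (arg,arg,?) list
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")   # call-site address

# Standard rights every securable object has, then the SCM- and service-specific bits.
STANDARD_RIGHTS = {0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
SCM_RIGHTS = {0x01: "SC_MANAGER_CONNECT", 0x02: "SC_MANAGER_CREATE_SERVICE", 0x04: "SC_MANAGER_ENUMERATE_SERVICE",
              0x08: "SC_MANAGER_LOCK", 0x10: "SC_MANAGER_QUERY_LOCK_STATUS", 0x20: "SC_MANAGER_MODIFY_BOOT_CONFIG"}
SERVICE_RIGHTS = {0x01: "SERVICE_QUERY_CONFIG", 0x02: "SERVICE_CHANGE_CONFIG", 0x04: "SERVICE_QUERY_STATUS",
                  0x08: "SERVICE_ENUMERATE_DEPENDENTS", 0x10: "SERVICE_START", 0x20: "SERVICE_STOP",
                  0x40: "SERVICE_PAUSE_CONTINUE", 0x80: "SERVICE_INTERROGATE", 0x100: "SERVICE_USER_DEFINED_CONTROL"}
SC_MANAGER_ALL_ACCESS, SERVICE_ALL_ACCESS = 0x000F003F, 0x000F01FF

@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: int
    subcall: bool  # True for "Part of subcall function" lines

def parse_listing(text):
    """Turn one function's API listing into Call records; non-API lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw is not None else []
            calls.append(Call(m.group("name"), m.group("module"), args,
                              int(m.group("ref"), 16), "subcall" in line))
    return calls

def hex_arg(arg):  # hex word -> int; '?' (unknown) or a recovered string -> None
    try:
        return int(arg, 16)
    except ValueError:
        return None

def describe_access(mask, specific, all_name, all_mask):
    """Decode a dwDesiredAccess mask into SDK right names; unknown bits are kept as hex."""
    if mask == all_mask:
        return all_name
    bits = {**STANDARD_RIGHTS, **specific}
    names = [n for b, n in sorted(bits.items()) if mask & b]
    rest = mask & ~sum(bits)
    return "|".join(names + ([f"0x{rest:08X}"] if rest else [])) or "0"

def findings(calls):
    out, names = [], [c.name for c in calls]
    # 1. A module handle feeding GetProcAddress directly: imports resolved at run time.
    for a, b in zip(calls, calls[1:]):
        if a.name in ("LoadLibraryA", "GetModuleHandleA") and b.name == "GetProcAddress":
            exp = "<not recovered>"
            if len(b.args) > 1 and b.args[1] != "?" and hex_arg(b.args[1]) is None:
                exp = b.args[1]
            out.append(f"runtime import resolution at {b.ref:08X}: {a.name} -> GetProcAddress({exp})")
    # 2. The third argument of OpenSCManager*/OpenService* is dwDesiredAccess.
    tables = {"OpenSCManager": (SCM_RIGHTS, "SC_MANAGER_ALL_ACCESS", SC_MANAGER_ALL_ACCESS),
              "OpenService": (SERVICE_RIGHTS, "SERVICE_ALL_ACCESS", SERVICE_ALL_ACCESS)}
    for c in calls:
        mask = hex_arg(c.args[2]) if len(c.args) > 2 else None
        for prefix, (table, all_name, all_mask) in tables.items():
            if mask is not None and c.name.startswith(prefix):
                out.append(f"{c.name} at {c.ref:08X} requests {describe_access(mask, table, all_name, all_mask)}")
    # 3. Plugin* exports resolved, then FreeLibrary and DeleteFileA: the plugin removes itself.
    exports = [c.args[1] for c in calls
               if c.name == "GetProcAddress" and len(c.args) > 1 and c.args[1].startswith("Plugin")]
    if exports and "FreeLibrary" in names and "DeleteFileA" in names:
        out.append("plugin unload-and-delete: resolves " + ",".join(exports) + " then FreeLibrary and DeleteFileA")
    return out

# Sample input: API listing lines copied from the report (service function's putchar lines omitted).
SERVICE_LISTING = """• LoadLibraryA.KERNEL32 ref: 100065FC
• GetProcAddress.KERNEL32(00000000), ref: 10006603
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000001,?,?,?,?,?,?,?,?,100062AE), ref: 10006621
• OpenServiceA.ADVAPI32(00000000,10019E2C,00010000,?,?,?,?,?,?,?,?,?,?,100062AE), ref: 1000663B
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,100062AE), ref: 1000665F
• Sleep.KERNEL32(0000000A), ref: 1000667B"""
PLUGIN_LISTING = """• strncpy.MSVCRT ref: 10006F2D
• GetModuleHandleA.KERNEL32(?), ref: 10006F3B
• GetProcAddress.KERNEL32(00000000,PluginDelete), ref: 10006F4D
• FreeLibrary.KERNEL32(00000000), ref: 10006F8F
• DeleteFileA.KERNEL32(?), ref: 10006FD7
  • Part of subcall function 10006BB0: SetEvent.KERNEL32(?,10007975), ref: 10006BB4"""
DYNRES_LISTING = """  • Part of subcall function 10001A00: LoadLibraryA.KERNEL32(kernel32.dll,00000000,?,10001E7D,00000000,774D0F00), ref: 10001A1A
  • Part of subcall function 10001A00: GetProcAddress.KERNEL32(00000000,InitializeCriticalSection), ref: 10001A28
• LoadLibraryA.KERNEL32(?,?), ref: 10001F42
• GetProcAddress.KERNEL32(00000000), ref: 10001F49"""

if __name__ == "__main__":
    for label, text in (("service", SERVICE_LISTING), ("plugin", PLUGIN_LISTING), ("dynres", DYNRES_LISTING)):
        print(label, *findings(parse_listing(text)), sep="\n  ")
```

Run directly, it prints the findings for the three embedded listings. Feeding parse_listing the whole APIs section of any other function in this report works the same way, since lines that are not API calls are skipped; the access decoder keeps unrecognised bits as raw hex rather than silently dropping them, so an odd mask still shows up in the output.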
APIs
• LoadLibraryA.KERNEL32 ref: 1000481F
• GetProcAddress.KERNEL32(00000000), ref: 10004826
• GetFileSize.KERNEL32(00000000,?), ref: 1000488B
• CloseHandle.KERNEL32(00000000), ref: 10004894
• lstrlenA.KERNEL32(00000000), ref: 1000489B
• LocalAlloc.KERNEL32(00000040,-0000000A), ref: 100048A9
• lstrlenA.KERNEL32(00000000), ref: 100048D7
• LocalFree.KERNEL32(00000000), ref: 100048FF
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: Locallstrlen$AddressAllocCloseFileFreeHandleLibraryLoadProcSize
• String ID: .$2$3$A$C$F$a$d$i$k$n$t
• API String ID: 902267089-4182193278
• Opcode ID: dc83f2ff2e9bef4ce8a19c739d1c3b253bc0885606442a227f254041f8ebec34
• Instruction ID: 903efb299ba8dbed64a0f5be68de542bd0fc1b5e5b1fbbb62bb509aef062e1e0
• Opcode Fuzzy Hash: dc83f2ff2e9bef4ce8a19c739d1c3b253bc0885606442a227f254041f8ebec34
• Instruction Fuzzy Hash: 4341063120C3809FD305CB78988475BBFD59BD9608F49496DF68A97382DAB5CA08C767
APIs
• LoadLibraryA.KERNEL32 ref: 100049AA
• GetProcAddress.KERNEL32(00000000), ref: 100049B1
  • Part of subcall function 10004AA0: ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,00000000,00000000,10004A7F), ref: 10004ABD
  • Part of subcall function 10004AA0: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10004AC4
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: ??3@AddressD@2@@std@@D@std@@LibraryLoadProcTidy@?$basic_string@U?$char_traits@V?$allocator@
• String ID: .$2$3$A$C$F$a$d$i$k$n$t
• API String ID: 3767746285-4182193278
• Opcode ID: 40820594049bb37e2f93a4f29097ed4b287952284abf7c9d06b7936a6074202e
• Instruction ID: 687a6f1a2150c2f86d792208f7b59405596ba19a01ecc0ce3ce862b1f4840a2a
• Opcode Fuzzy Hash: 40820594049bb37e2f93a4f29097ed4b287952284abf7c9d06b7936a6074202e
• Instruction Fuzzy Hash: 0F41E47520C3819EE311CB699884B5BBFD49BAA314F04892DF6D897282C675D60CC7BB
APIs
• LoadLibraryA.KERNEL32 ref: 1000109D
• GetProcAddress.KERNEL32(00000000), ref: 100010A0
• LoadLibraryA.KERNEL32(WINMM.dll), ref: 100010AD
• ??2@YAPAXI@Z.MSVCRT(000003E8), ref: 100010E8
• ??2@YAPAXI@Z.MSVCRT(00000020,000003E8), ref: 100010F2
• ??2@YAPAXI@Z.MSVCRT(000003E8,00000020,000003E8), ref: 100010FD
• ??2@YAPAXI@Z.MSVCRT(00000020,000003E8,00000020,000003E8), ref: 10001107
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: ??2@$LibraryLoad$AddressProc
• String ID: .$2$3$A$C$E$WINMM.dll$a$d$k$r$r$v
• API String ID: 1878065171-2267849368
• Opcode ID: a2a6affb630affb8a757fe43f0e60ee16e78a1df61ad26c0df3b251c80fd2f76
• Instruction ID: cdcc97a6e3b569983479c83b791002ab23af5284a6383e751603ef36cfaaf651
• Opcode Fuzzy Hash: a2a6affb630affb8a757fe43f0e60ee16e78a1df61ad26c0df3b251c80fd2f76
                                                                                                                                                        • Instruction Fuzzy Hash: B5416AB040D3809ED311CF69948468BFFE4AF69348F44495DE1C98B342D3B9D648C76B
APIs
Strings
Similarity
• API ID: putcharputs$Sleepstrncpystrstr
• String ID: :0w$%s%d%s
• API String ID: 3621272593-826452757
• Opcode ID: 339840d3ddb4da2afe1cafc55d0d8fbecc962e6f652e75c14c131766b25dee24
• Instruction ID: 61860832dfacf645227ea5b29211e45099a4a950064221387e31d2367d8b5647
• Opcode Fuzzy Hash: 339840d3ddb4da2afe1cafc55d0d8fbecc962e6f652e75c14c131766b25dee24
• Instruction Fuzzy Hash: B361AF715443409BE325CB68CC41BABB7E5FFC8314F004A2DF68E97290EB75EA058696
APIs
  • Part of subcall function 10002630: putchar.MSVCRT(00000030,00000000,?,?,1000210E,00000000), ref: 1000264B
  • Part of subcall function 10002630: putchar.MSVCRT(00000030), ref: 10002670
  • Part of subcall function 10002630: CancelIo.KERNEL32(?), ref: 1000267C
  • Part of subcall function 10002630: putchar.MSVCRT(00000030), ref: 10002684
  • Part of subcall function 10002630: InterlockedExchange.KERNEL32(?,00000000), ref: 10002692
  • Part of subcall function 10002630: putchar.MSVCRT(00000030), ref: 1000269A
  • Part of subcall function 10002630: putchar.MSVCRT(00000030), ref: 100026AE
  • Part of subcall function 10002630: SetEvent.KERNEL32(?), ref: 100026BA
  • Part of subcall function 10002630: putchar.MSVCRT(00000030), ref: 100026C2
• puts.MSVCRT ref: 10002119
• ResetEvent.KERNEL32(?), ref: 10002125
• puts.MSVCRT ref: 10002137
• Sleep.KERNEL32(00000000), ref: 10002150
• putchar.MSVCRT(00000030), ref: 10002173
• putchar.MSVCRT(00000030), ref: 10002187
Strings
Similarity
• API ID: putchar$Eventputs$CancelExchangeInterlockedResetSleep
• String ID: :0w$WS2_32.DLL$`$connect
• API String ID: 1157737886-4050183439
• Opcode ID: 8ffd4caf33f96122c9df791538b72f7b555029c2262af4edf7ca71cb44a99af6
• Instruction ID: 1488b138b12f9694b11cb9c7323386c6360dfa4fdb3ef0cfd6c32deb2d1d79b5
• Opcode Fuzzy Hash: 8ffd4caf33f96122c9df791538b72f7b555029c2262af4edf7ca71cb44a99af6
• Instruction Fuzzy Hash: E741E571240310BBF320DBA4DC86F9BB7A4EF89758F004429F7495A2D0DAB2E559C7A7
APIs
Strings
• InternetOpenA, xrefs: 10003567
• WININET.dll, xrefs: 1000354A
• User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E), xrefs: 100035A2
• InternetOpenUrlA, xrefs: 10003571
• InternetCloseHandle, xrefs: 1000355F
Similarity
• API ID: puts$AddressProc$LibrarySleep$FreeLoad
• String ID: InternetCloseHandle$InternetOpenA$InternetOpenUrlA$User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)$WININET.dll
• API String ID: 4030696466-4243719135
• Opcode ID: 52f8deb51a3728d510a7c1a40caea3639408169cd16a9ec3393e8981bfbda218
• Instruction ID: 803c503c21fb7ec218ab3f13c12af197254e3eb06e09f3532e9322bc87db0772
• Opcode Fuzzy Hash: 52f8deb51a3728d510a7c1a40caea3639408169cd16a9ec3393e8981bfbda218
• Instruction Fuzzy Hash: 6D21C071900324ABF211DBA58C85F9F7AA8FF4C254F114426FB0DA72A0EB70E5458AA7
APIs
• LoadLibraryA.KERNEL32 ref: 10009C9C
• GetProcAddress.KERNEL32(00000000), ref: 10009CA3
• _beginthreadex.MSVCRT ref: 10009CED
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 10009CFF
• CloseHandle.KERNEL32(?), ref: 10009D0A
Strings
Similarity
• API ID: AddressCloseHandleLibraryLoadObjectProcSingleWait_beginthreadex
• String ID: .23$2$3$A$C$E$a$k$r$r$v
• API String ID: 1084905922-316087735
• Opcode ID: 0a0e37bdfe2b8478246b32844f698462927701527cdf41d308809211da0581c7
• Instruction ID: e462e04365be30c409279ae38a10e8495bb6ada5e23e9d8ca32e0ec343cf011f
• Opcode Fuzzy Hash: 0a0e37bdfe2b8478246b32844f698462927701527cdf41d308809211da0581c7
• Instruction Fuzzy Hash: 6431C96510D3C19ED302CB688884B5BBFE45BA6644F08894CF5C857392C6B5D64CC7A7
APIs
• ??2@YAPAXI@Z.MSVCRT(00000018,774D23A0), ref: 1000ABDC
Strings
Similarity
• API ID: ??2@
• String ID: ICOpen$ICSendMessage$ICSeqCompressFrameStart$IV32$M263$MP42$MSVFW32.dll$cvid$vidc
• API String ID: 1033339047-3354383837
• Opcode ID: 8ffec2f6880e50b9637796015312ec8ecd939897f6d25af81b819f7fbb355f3a
• Instruction ID: e9f4fa76cfece0081e1e5a9d501563b978deb5a270dbc7eb92546d56e3065f22
• Opcode Fuzzy Hash: 8ffec2f6880e50b9637796015312ec8ecd939897f6d25af81b819f7fbb355f3a
• Instruction Fuzzy Hash: 6771AAB4204B419FE310CF69C980A5BB7F1FB89740F008A1DE69687785DB75F985CB92
APIs
• LoadLibraryA.KERNEL32(WININET.dll), ref: 1000B1CF
• GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 1000B1E3
• GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 1000B20F
Strings
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: AddressProc$LibraryLoad
                                                                                                                                                        • String ID: InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$Mozilla/4.0 (compatible)$WININET.dll
                                                                                                                                                        • API String ID: 2238633743-3763460191
                                                                                                                                                        • Opcode ID: e2d9336eb25f667b0da4de1c74ef8ca6c600ca2bc30db4866a15d89f23aa373a
                                                                                                                                                        • Instruction ID: 92b1fd6e968443257afb7459e678afc6e9f03ac318a22e0517edde50a9038532
                                                                                                                                                        • Opcode Fuzzy Hash: e2d9336eb25f667b0da4de1c74ef8ca6c600ca2bc30db4866a15d89f23aa373a
                                                                                                                                                        • Instruction Fuzzy Hash: 263108322402056AF301EB68DC84FFA77A4FBD0361F100539FA55961D1EFB9E98D86A5
                                                                                                                                                        APIs
                                                                                                                                                        • putchar.MSVCRT(00000030,?,?,?,?,?,00000000,10013378,000000FF,100057D5,?), ref: 10009206
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,TerminateThread), ref: 1000921C
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 1000922A
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,TerminateProcess), ref: 1000923B
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 10009247
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 10009256
                                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000007D0), ref: 10009264
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 1000926C
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,DisconnectNamedPipe), ref: 10009285
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 100092BC
                                                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 100092F6
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: putchar$AddressProc$FreeLibraryObjectSingleWait
                                                                                                                                                        • String ID: CloseHandle$DisconnectNamedPipe$TerminateProcess$TerminateThread
                                                                                                                                                        • API String ID: 2872089810-2477703270
                                                                                                                                                        • Opcode ID: e8bc89b057eb512476ccf94ce25ee415e6de53cf8d9dfcba1db01581ef6cbe57
                                                                                                                                                        • Instruction ID: c5235d1c4e3a5eda40f3b673f2fd86536f49c9b1cd42d20ae4feb397b91adf75
                                                                                                                                                        • Opcode Fuzzy Hash: e8bc89b057eb512476ccf94ce25ee415e6de53cf8d9dfcba1db01581ef6cbe57
                                                                                                                                                        • Instruction Fuzzy Hash: 384111B16407046BE620EF7ACC81F17F3EDEF98650F014A1DF546D76A0CAB4F9058A65
                                                                                                                                                        APIs
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,waveInGetNumDevs), ref: 1000147A
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,waveInOpen), ref: 10001498
                                                                                                                                                        • LoadLibraryA.KERNEL32 ref: 100014AE
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 100014B5
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: AddressProc$LibraryLoad
                                                                                                                                                        • String ID: CreateThread$KERNEL32.dll$waveInAddBuffer$waveInGetNumDevs$waveInOpen$waveInPrepareHeader$waveInStart
                                                                                                                                                        • API String ID: 2238633743-2826348490
                                                                                                                                                        • Opcode ID: 3f4141f7d76f5e69206f51dbfbefac12299106a3ac4e4d1bc197ad117c7d8dd8
                                                                                                                                                        • Instruction ID: fade3fb71a50c888affbb04834096b8d37ab52eaf12a312bed6e7918b2872654
                                                                                                                                                        • Opcode Fuzzy Hash: 3f4141f7d76f5e69206f51dbfbefac12299106a3ac4e4d1bc197ad117c7d8dd8
                                                                                                                                                        • Instruction Fuzzy Hash: B9314976600311AFD310DFA8DC81FA6B7E4FB88750F118969FA088B240DB35E945CBA1
                                                                                                                                                        APIs
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,DeleteDC), ref: 10008521
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 1000854C
                                                                                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,1001333E,000000FF,100084B8), ref: 1000856D
                                                                                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,1001333E,000000FF,100084B8), ref: 10008579
                                                                                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,1001333E,000000FF,100084B8), ref: 10008582
                                                                                                                                                        • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,1001333E,000000FF,100084B8), ref: 1000858B
                                                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 1000859A
                                                                                                                                                        • LoadLibraryA.KERNEL32 ref: 100085B7
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,DestroyCursor), ref: 100085C5
                                                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 100085E0
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ??3@$AddressLibraryProc$Free$Load
                                                                                                                                                        • String ID: DeleteDC$DeleteObject$DestroyCursor$User32.dll
                                                                                                                                                        • API String ID: 2056459016-3978298618
                                                                                                                                                        • Opcode ID: 13a3e4b8c85b0e1cbc55a9d9254f0e6b05f29ae72866a84b45e35fbb93cc9780
                                                                                                                                                        • Instruction ID: 6f1117e45ddb937b1b4a1c77e15ffe687ccde868ac5d8a8a247cd6ae15178fc2
                                                                                                                                                        • Opcode Fuzzy Hash: 13a3e4b8c85b0e1cbc55a9d9254f0e6b05f29ae72866a84b45e35fbb93cc9780
                                                                                                                                                        • Instruction Fuzzy Hash: BB313CB6500710AFD320EBA9DC84E57B7E8FF88650F418A19F69AC7250DB79E8418B60
                                                                                                                                                        APIs
                                                                                                                                                        • LoadLibraryA.KERNEL32 ref: 10006A95
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 10006A9C
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: AddressLibraryLoadProc
                                                                                                                                                        • String ID: .$2$3$A$C$E$a$d$k$r$r$v
                                                                                                                                                        • API String ID: 2574300362-1171294034
                                                                                                                                                        • Opcode ID: 7e1c00b852fb7e9d0bd15a8818732bdfdf8fd3fcbcb4b4ee7a4a0a4c76c22f9e
                                                                                                                                                        • Instruction ID: 27bbfac456404c6b2431a043f5a4a9a040d4e6373fc6fbe5610ceece9b0c36e5
                                                                                                                                                        • Opcode Fuzzy Hash: 7e1c00b852fb7e9d0bd15a8818732bdfdf8fd3fcbcb4b4ee7a4a0a4c76c22f9e
                                                                                                                                                        • Instruction Fuzzy Hash: C121E56110D3C19EE312CB68844478BBFD55BAA648F08899DF1D85B393C6B9C64CC7BB
                                                                                                                                                        APIs
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 10009A08
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 10009A19
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 10009A38
                                                                                                                                                        • lstrlenA.KERNEL32(?), ref: 10009A57
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 10009A63
                                                                                                                                                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 10009A70
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 10009A7A
                                                                                                                                                        • lstrlenA.KERNEL32(?), ref: 10009A84
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 10009A8D
                                                                                                                                                        • LocalSize.KERNEL32 ref: 10009A93
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 10009A9D
                                                                                                                                                        • LocalReAlloc.KERNEL32(?,?,00000042), ref: 10009AA9
                                                                                                                                                        • putchar.MSVCRT(00000030,?,?,00000042), ref: 10009AB3
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 10009ACB
                                                                                                                                                        • lstrlenA.KERNEL32(?), ref: 10009AD5
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 10009AF5
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: putchar$Locallstrlen$Alloc$Size
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 1397772873-0
                                                                                                                                                        • Opcode ID: 0f8d11664b283c13976a090d83d104ab1066cc228cc4319b1aff677cb5d2c6af
                                                                                                                                                        • Instruction ID: b6fc45d231d332bfd6a15581e0f0d2082569511555923ffcb90d6e6c90ca4d07
                                                                                                                                                        • Opcode Fuzzy Hash: 0f8d11664b283c13976a090d83d104ab1066cc228cc4319b1aff677cb5d2c6af
                                                                                                                                                        • Instruction Fuzzy Hash: AC3107B1A403046BF701EBA0DC96F9B7298EB84750F454438FF0697290EA79F619C6B6
                                                                                                                                                        APIs
                                                                                                                                                        Strings
Similarity
• API ID: Sleep$free$AttributesCreateDirectoryErrorFileLastlstrcpylstrlenmallocputchar
• String ID: :0w
• API String ID: 871387027-3115172360
• Opcode ID: 5434257c31bc419b8c77275bc9b8acbc5be6f3b747f0c1d2b647a8dd9232fc4b
• Instruction ID: cf4da841f7519fc6c1ab9f9ca42085eb3c4b82034aafbf00fdd8a996284d2836
• Opcode Fuzzy Hash: 5434257c31bc419b8c77275bc9b8acbc5be6f3b747f0c1d2b647a8dd9232fc4b
• Instruction Fuzzy Hash: 8F4129F0C042559FF721CF688C447AE7BF4EF067D0F124259EAA1A3295CB344882CB9A
APIs
• _strrev.MSVCRT ref: 1000C176
  • Part of subcall function 100066B0: putchar.MSVCRT ref: 100066CA
  • Part of subcall function 100066B0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,1000CFB4), ref: 100066D3
  • Part of subcall function 100066B0: putchar.MSVCRT(00000030,00000002,00000000,1000CFB4), ref: 100066DC
  • Part of subcall function 100066B0: putchar.MSVCRT ref: 100066E8
  • Part of subcall function 100066B0: Process32First.KERNEL32(00000000,?), ref: 100066F3
  • Part of subcall function 100066B0: putchar.MSVCRT(00000030,?,?,00000030), ref: 100066FA
  • Part of subcall function 100066B0: lstrcmpiA.KERNEL32(?,?), ref: 10006712
  • Part of subcall function 100066B0: putchar.MSVCRT(00000030,?,?,?,00000030), ref: 1000671A
  • Part of subcall function 100066B0: Process32Next.KERNEL32(00000000,?), ref: 10006725
  • Part of subcall function 100066B0: lstrcmpiA.KERNEL32(?,?), ref: 10006734
  • Part of subcall function 100066B0: putchar.MSVCRT(00000030,?,?,?,00000030), ref: 10006746
  • Part of subcall function 100066B0: CloseHandle.KERNEL32(00000000,?,?,?,?,00000030), ref: 1000674C
  • Part of subcall function 100066B0: putchar.MSVCRT(00000030,?,?,?,?,00000030), ref: 10006754
• putchar.MSVCRT(00000030), ref: 1000C225
Strings
Similarity
• API ID: putchar$Process32lstrcmpi$CloseCreateFirstHandleNextSnapshotToolhelp32_strrev
• String ID: .$D$M$Rsvxcj Otuftnsa Qwj$S$SYSTEM\CurrentControlSet\Services\$\Parameters$a$i$n$x
• API String ID: 3051822850-912606850
• Opcode ID: 6214e5dfe981a238b6d7c39ebbe7e9955acd3e2bc6b5645d14ad39dd4b823ace
• Instruction ID: 05733d0cead7e6c43b5402b1ecd9b46eb1c4634fa4e3e53ec54a921414ec877c
• Opcode Fuzzy Hash: 6214e5dfe981a238b6d7c39ebbe7e9955acd3e2bc6b5645d14ad39dd4b823ace
• Instruction Fuzzy Hash: EB21E9315087845ED305CA38C84471FBED6AFD5250F58462DF9A6472D2DEB5DA0DC393
APIs
• LoadLibraryA.KERNEL32 ref: 100093A1
• GetProcAddress.KERNEL32(00000000), ref: 100093A8
• putchar.MSVCRT(00000030), ref: 100093DB
• putchar.MSVCRT(00000030), ref: 100093F5
  • Part of subcall function 10006BB0: SetEvent.KERNEL32(?,10007975), ref: 10006BB4
Strings
Similarity
• API ID: putchar$AddressEventLibraryLoadProc
• String ID: .$2$3$F$W$d$k$n$t
• API String ID: 3925614158-2716883345
• Opcode ID: c6c5640806302cdaa3c9a9005a1720045c805882c6d5c5ebb301b2d3511d2cd2
• Instruction ID: ebc14083017b9721a6bfebea1c234c37dace526eaff7997d010d5e18f75915bd
• Opcode Fuzzy Hash: c6c5640806302cdaa3c9a9005a1720045c805882c6d5c5ebb301b2d3511d2cd2
• Instruction Fuzzy Hash: 4A218C2510D3C19EE312DB289884B9FBFD4ABAA648F08098DF5C447382C2A5D74CC7B7
Strings
Similarity
• API ID:
• String ID: %d.%d.%d.%d $@$E$P
• API String ID: 0-3949059734
• Opcode ID: e85e68eaa3f9ac47830130e012db940b0f17d47c50d2fd70322ab86be63f61ee
• Instruction ID: 23a174a3c898c2b7b442ab449bc9aa26f04225ffd5eaf0a961e2792cc7df4ad6
• Opcode Fuzzy Hash: e85e68eaa3f9ac47830130e012db940b0f17d47c50d2fd70322ab86be63f61ee
• Instruction Fuzzy Hash: 1891AF752483909BE320DB68CC41BABB7E5FFC9710F00892DF69897291DAB4D9098B57
APIs
• LoadLibraryA.KERNEL32(USER32.dll), ref: 10007CE9
• GetProcAddress.KERNEL32(00000000,SystemParametersInfoA), ref: 10007CFB
• Sleep.KERNEL32(0000000A), ref: 10007D52
  • Part of subcall function 100077F0: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,100132E1,000000FF,10007995,?,?,?,?,?,?,100132F0,000000FF), ref: 10007813
  • Part of subcall function 100077F0: CloseHandle.KERNEL32(?,?,?,100132E1,000000FF,10007995,?,?,?,?,?,?,100132F0,000000FF), ref: 1000781D
  • Part of subcall function 100077F0: ??2@YAPAXI@Z.MSVCRT(00000110,?,?,100132E1,000000FF,10007995,?,?,?,?,?,?,100132F0,000000FF), ref: 10007841
• putchar.MSVCRT(00000030), ref: 10007D6B
• putchar.MSVCRT(00000030), ref: 10007D7C
• putchar.MSVCRT(00000030), ref: 10007DCC
• putchar.MSVCRT(00000030,?), ref: 10007DDE
• putchar.MSVCRT(00000030), ref: 10007E13
• putchar.MSVCRT(00000030,00000000), ref: 10007E21
• FreeLibrary.KERNEL32(00000000), ref: 10007E27
Strings
Similarity
• API ID: putchar$Library$??2@AddressCloseFreeHandleLoadObjectProcSingleSleepWait
• String ID: SystemParametersInfoA$USER32.dll
• API String ID: 765260387-3242283288
• Opcode ID: db546569e4e6fba7ad621b1f559912ae0f85f936b543c9b0068d8f9548914379
• Instruction ID: ba3a07879cba8dd7234ef844daa01cbfdffcf2ea4cbe0db832f86b8058e5cfd5
• Opcode Fuzzy Hash: db546569e4e6fba7ad621b1f559912ae0f85f936b543c9b0068d8f9548914379
• Instruction Fuzzy Hash: B831F63064434527F501DB208C93FBB3BAAFF857D4F040029F6C96B1D6CE75A906C6A2
APIs
Strings
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: puts$Sleep_ftolceil
                                                                                                                                                        • String ID: :0w
                                                                                                                                                        • API String ID: 1434147230-3115172360
                                                                                                                                                        • Opcode ID: 11ecf0e6528e96334e713109c9c84ec4cd6e7626dc6510948c1946f1263be0b3
                                                                                                                                                        • Instruction ID: 61511dc81f5f92b4430e639810ec569fd93a223b6865b7d546d7259f061c604d
                                                                                                                                                        • Opcode Fuzzy Hash: 11ecf0e6528e96334e713109c9c84ec4cd6e7626dc6510948c1946f1263be0b3
                                                                                                                                                        • Instruction Fuzzy Hash: 442135756443049BE700EF64EC9275AB794FB84355F01843AFA458B390EB71E808C6A2
                                                                                                                                                        APIs
                                                                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,774CF550,00000000,10008371,?,?,00000001), ref: 10008952
                                                                                                                                                        • putchar.MSVCRT(00000030,0000005C), ref: 100089B5
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 100089C5
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 100089C9
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 100089DF
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetDIBits), ref: 100089F6
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 10008A1A
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: AddressProcputchar$??2@
                                                                                                                                                        • String ID: :0w$CreateCompatibleBitmap$DeleteObject$GetDIBits
                                                                                                                                                        • API String ID: 3108253923-3328670147
                                                                                                                                                        • Opcode ID: b37e572df8e1b8a8141b5d4c436e0188ab625ace8876adedb4fb40e4a7e7a6b0
                                                                                                                                                        • Instruction ID: dd05dc42548ec7406f252268dd93ecbf65bd22fe5d42fef8ea8b24f903737da7
                                                                                                                                                        • Opcode Fuzzy Hash: b37e572df8e1b8a8141b5d4c436e0188ab625ace8876adedb4fb40e4a7e7a6b0
                                                                                                                                                        • Instruction Fuzzy Hash: EA4103702057019FE310CF29CC85B5ABBE5FF88748F14892DE18A8B291D770E60ACB51
                                                                                                                                                        APIs
                                                                                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,?), ref: 10002B2A
                                                                                                                                                        • RegQueryValueExA.ADVAPI32(?,ProductName,00000000,00000000,00000000,?), ref: 10002B57
                                                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 10002B62
                                                                                                                                                        • strstr.MSVCRT ref: 10002B78
                                                                                                                                                        • strstr.MSVCRT ref: 10002B8B
                                                                                                                                                        • strstr.MSVCRT ref: 10002B9E
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: strstr$CloseOpenQueryValue
                                                                                                                                                        • String ID: 2000$2003$2008$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                                                                                        • API String ID: 872665128-489656555
                                                                                                                                                        • Opcode ID: f909851f21d66760c22991acaee6c4af1ad6eeebb5181c95a1aeb0df5730c8dd
                                                                                                                                                        • Instruction ID: ca82dac0ed6f5b378f05580e4b8577b7973c640edff6a95172303a52999a5dab
                                                                                                                                                        • Opcode Fuzzy Hash: f909851f21d66760c22991acaee6c4af1ad6eeebb5181c95a1aeb0df5730c8dd
                                                                                                                                                        • Instruction Fuzzy Hash: 4C21D6312043066BE714DA68DD55BEBB7E8EBC4744F00496DFA5997280EB74DA0CC662
                                                                                                                                                        APIs
                                                                                                                                                        • InterlockedExchange.KERNEL32 ref: 1000773C
                                                                                                                                                        • InterlockedExchange.KERNEL32(?,00000000), ref: 10007744
                                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 10007752
                                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000775A
                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 10007766
                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 1000776C
                                                                                                                                                        • LoadLibraryA.KERNEL32(User32.dll), ref: 1000778F
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,DestroyCursor), ref: 1000779F
                                                                                                                                                        • FreeLibrary.KERNEL32(?), ref: 100077BF
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: CloseExchangeHandleInterlockedLibraryObjectSingleWait$AddressFreeLoadProc
                                                                                                                                                        • String ID: DestroyCursor$User32.dll
                                                                                                                                                        • API String ID: 1919673947-1847248185
                                                                                                                                                        • Opcode ID: 617bef6ed9fef08b0d0c3bcdace01a893f0747d2323e005fc359c32e866630a3
                                                                                                                                                        • Instruction ID: 9e91b5424cab692f45cd10c0d4b8c823cf488afae0d4a43309e0ddae18b5513c
                                                                                                                                                        • Opcode Fuzzy Hash: 617bef6ed9fef08b0d0c3bcdace01a893f0747d2323e005fc359c32e866630a3
                                                                                                                                                        • Instruction Fuzzy Hash: 29217F761047009FD324EF69CC84B56B7E8FF88760F164B1DF696976A0CBB8E4448B91
                                                                                                                                                        APIs
                                                                                                                                                        • LoadLibraryA.KERNEL32(GDI32.dll), ref: 10008275
                                                                                                                                                        • GetTickCount.KERNEL32 ref: 100082D3
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 1000832A
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,CreateDIBSection), ref: 100083AA
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,SelectObject), ref: 100083FF
                                                                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000002), ref: 10008446
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: AddressProc$??2@CountLibraryLoadTick
                                                                                                                                                        • String ID: CreateCompatibleDC$CreateDIBSection$GDI32.dll$SelectObject
                                                                                                                                                        • API String ID: 2150971468-2732992214
                                                                                                                                                        • Opcode ID: 218875eb00e1a59c407eecab7a829624ea2be5391838677f93f14f28e70a1f72
                                                                                                                                                        • Instruction ID: fafb13a02237a613e0220e60c7d7434bbf0b55a5bdb38eaeb3b0fcbf2dd03346
                                                                                                                                                        • Opcode Fuzzy Hash: 218875eb00e1a59c407eecab7a829624ea2be5391838677f93f14f28e70a1f72
                                                                                                                                                        • Instruction Fuzzy Hash: F491E7B4504B419FE320DF65C884B6BBBE9FB88704F104A1DE58A87750DBB9F845CB91
                                                                                                                                                        APIs
                                                                                                                                                        • LoadLibraryA.KERNEL32(?), ref: 10012E46
                                                                                                                                                        • GetLastError.KERNEL32 ref: 10012E52
                                                                                                                                                        • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 10012E85
                                                                                                                                                        • InterlockedExchange.KERNEL32(?,00000000), ref: 10012E97
                                                                                                                                                        • LocalAlloc.KERNEL32(00000040,00000008), ref: 10012EAB
                                                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 10012EC8
                                                                                                                                                        • GetProcAddress.KERNEL32(?,?), ref: 10012F29
                                                                                                                                                        • GetLastError.KERNEL32 ref: 10012F35
                                                                                                                                                        • RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 10012F67
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: ErrorExceptionLastLibraryRaise$AddressAllocExchangeFreeInterlockedLoadLocalProc
• String ID: $
• API String ID: 991255547-3993045852
• Opcode ID: c4bd5f0c2f303bfb8a028acdddafd5ae36fb26bf72f78bfb7657edca389898ae
• Instruction ID: d65f5feed224c465f38c1bfdd22ebb0f4ec006dead5b8f43117ceeaf67e9f1ad
• Opcode Fuzzy Hash: c4bd5f0c2f303bfb8a028acdddafd5ae36fb26bf72f78bfb7657edca389898ae
• Instruction Fuzzy Hash: A5610EB5A00205AFEB15CF99C884AAE77F5FB48340F11807DE519EB250DB70EE95CB60
APIs
• LoadLibraryA.KERNEL32(User32.dll), ref: 10008688
• GetProcAddress.KERNEL32(00000000,DestroyCursor), ref: 10008696
• FreeLibrary.KERNEL32(00000000), ref: 100086A8
• GetTickCount.KERNEL32 ref: 1000879F
• Sleep.KERNEL32(00000001), ref: 100087B4
• GetTickCount.KERNEL32 ref: 100087B6
• GetTickCount.KERNEL32 ref: 100087C3
• InterlockedExchange.KERNEL32(?,00000000), ref: 100087C7
Strings
Similarity
• API ID: CountTick$Library$AddressExchangeFreeInterlockedLoadProcSleep
• String ID: DestroyCursor$User32.dll
• API String ID: 4150662843-1847248185
• Opcode ID: 58436947cac73fa7f7ace07e8b5f14a5d9ee05dcf84480c7a8d3c8873d0eeaea
• Instruction ID: e60850e0908a4f312d2536cd8dd5ad7b26db9eaa49dfbeb28ec38fc521e408c0
• Opcode Fuzzy Hash: 58436947cac73fa7f7ace07e8b5f14a5d9ee05dcf84480c7a8d3c8873d0eeaea
• Instruction Fuzzy Hash: 465183753047009FE724CF69C88096AB3E5FF88790B118A1DF58AC3655DB31FA458B61
APIs
• CreateFileA.KERNEL32(c:\NT_Path.old,80000000,00000001,00000000,00000003,00000080,00000000), ref: 1000C951
• ReadFile.KERNEL32(00000000,?,00000208,?,00000000), ref: 1000C9A2
• CloseHandle.KERNEL32(00000000), ref: 1000C9A9
• DeleteFileA.KERNEL32(c:\NT_Path.old), ref: 1000C9BA
• strstr.MSVCRT ref: 1000C9F7
Strings
Similarity
• API ID: File$CloseCreateDeleteHandleReadstrstr
• String ID: c:\NT_Path.old
• API String ID: 3113064283-2107492347
• Opcode ID: 79e08aeceb5d49552677aee57ce7c182ac29fe2183a3edd24e3fc02591276a72
• Instruction ID: eddf9464cc25e633ef0e1a3b9b9389c5725136b1d66e12656f0681c60db6deca
• Opcode Fuzzy Hash: 79e08aeceb5d49552677aee57ce7c182ac29fe2183a3edd24e3fc02591276a72
• Instruction Fuzzy Hash: 63316A722403086BE324C678DC41BEBB7C4E7C8360F014A3EFB56972D0DD759D4986A6
APIs
• puts.MSVCRT ref: 10002038
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,02060251), ref: 10002046
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,02060251), ref: 10002055
• puts.MSVCRT ref: 10002060
• puts.MSVCRT ref: 1000207C
• CloseHandle.KERNEL32(?,?,?,02060251), ref: 1000208E
• putchar.MSVCRT(00000030,?,?,02060251), ref: 10002092
• CloseHandle.KERNEL32(?,?,?,?,02060251), ref: 100020A2
• puts.MSVCRT ref: 100020A9
  • Part of subcall function 10002630: putchar.MSVCRT(00000030,00000000,?,?,1000210E,00000000), ref: 1000264B
  • Part of subcall function 10002630: putchar.MSVCRT(00000030), ref: 10002670
  • Part of subcall function 10002630: CancelIo.KERNEL32(?), ref: 1000267C
  • Part of subcall function 10002630: putchar.MSVCRT(00000030), ref: 10002684
  • Part of subcall function 10002630: InterlockedExchange.KERNEL32(?,00000000), ref: 10002692
  • Part of subcall function 10002630: putchar.MSVCRT(00000030), ref: 1000269A
  • Part of subcall function 10002630: putchar.MSVCRT(00000030), ref: 100026AE
  • Part of subcall function 10002630: SetEvent.KERNEL32(?), ref: 100026BA
  • Part of subcall function 10002630: putchar.MSVCRT(00000030), ref: 100026C2
Strings
Similarity
• API ID: putchar$puts$CloseHandle$CancelEventExchangeInterlockedObjectSingleSleepWait
• String ID: :0w
• API String ID: 2107799874-3115172360
• Opcode ID: 1090c0c112c06205c3766d77480bb918daed353b1f1743197bd901dccffed952
• Instruction ID: c0744e997060d648e33f093bba814e41c07deb338cb205e27245e6debc21a4d2
• Opcode Fuzzy Hash: 1090c0c112c06205c3766d77480bb918daed353b1f1743197bd901dccffed952
• Instruction Fuzzy Hash: 24210370104744DFE311DB68CC45B8ABBE4EF55364F054A1CF5AA432A1DB74F2488BA3
APIs
• GetProcAddress.KERNEL32(?,ICSendMessage), ref: 1000AE41
• GetProcAddress.KERNEL32(?,ICSeqCompressFrameEnd), ref: 1000AE5B
• GetProcAddress.KERNEL32(?,ICCompressorFree), ref: 1000AE6C
• GetProcAddress.KERNEL32(?,ICClose), ref: 1000AE7A
• FreeLibrary.KERNEL32(?), ref: 1000AE86
• ??3@YAXPAX@Z.MSVCRT ref: 1000AE96
Strings
Similarity
• API ID: AddressProc$??3@FreeLibrary
• String ID: ICClose$ICCompressorFree$ICSendMessage$ICSeqCompressFrameEnd
• API String ID: 1366603396-4064686387
• Opcode ID: b0abc1eed270873efa744de58d3f835234cadb010f0c46120ddeadec7620bbd2
• Instruction ID: 2000e053fe43cc2729da9b6d5839fb555601198a3e5870d73a7632a8085a5e2c
• Opcode Fuzzy Hash: b0abc1eed270873efa744de58d3f835234cadb010f0c46120ddeadec7620bbd2
• Instruction Fuzzy Hash: 250125B6240F546BE221E7B9DC80F87B3ECEF88640B014909F366D7564CA75F8808764
APIs
• putchar.MSVCRT(00000030,00000000,?,?,1000210E,00000000), ref: 1000264B
• putchar.MSVCRT(00000030), ref: 10002670
• CancelIo.KERNEL32(?), ref: 1000267C
• putchar.MSVCRT(00000030), ref: 10002684
• InterlockedExchange.KERNEL32(?,00000000), ref: 10002692
• putchar.MSVCRT(00000030), ref: 1000269A
• putchar.MSVCRT(00000030), ref: 100026AE
• SetEvent.KERNEL32(?), ref: 100026BA
• putchar.MSVCRT(00000030), ref: 100026C2
Strings
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: putchar$CancelEventExchangeInterlocked
                                                                                                                                                        • String ID: :0w
                                                                                                                                                        • API String ID: 747868787-3115172360
                                                                                                                                                        • Opcode ID: ed98fad5b082d8ffc71817897628ab1f0105e834580019167835e6e83c3b991c
                                                                                                                                                        • Instruction ID: 3033a50d8e2987d4a8ac18dc0404ddada8bdec8ea37306a70e5d33f1a69bcf95
                                                                                                                                                        • Opcode Fuzzy Hash: ed98fad5b082d8ffc71817897628ab1f0105e834580019167835e6e83c3b991c
                                                                                                                                                        • Instruction Fuzzy Hash: 570184B12503007BF250A765DC56F5BB3A8AF84719F058529F39B862E0DEB1E118CB63
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: putchar$CancelEventExchangeInterlocked
                                                                                                                                                        • String ID: bad Allocate$bad buffer
                                                                                                                                                        • API String ID: 747868787-2913219628
                                                                                                                                                        • Opcode ID: 328f86ce7c4c5ba1b0edb4d1ce5f795b3ed345ca71508ea818c91df69f4f929b
                                                                                                                                                        • Instruction ID: 08e05108677a4dfa31002e8b4e1f50e866e8b6727c0ecc2dbdee2a2b18186974
                                                                                                                                                        • Opcode Fuzzy Hash: 328f86ce7c4c5ba1b0edb4d1ce5f795b3ed345ca71508ea818c91df69f4f929b
                                                                                                                                                        • Instruction Fuzzy Hash: 0451B475B00205ABEF14DF64CC91BEFB7B6EF48690F408429F909AB245DB34F9458BA1
                                                                                                                                                        APIs
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Sleepputs$putchar
                                                                                                                                                        • String ID: :0w
                                                                                                                                                        • API String ID: 2077369753-3115172360
                                                                                                                                                        • Opcode ID: c700fda896f778e87dfd9740f0a3e343aa567929a8646e1695328b8a1beb0c3f
                                                                                                                                                        • Instruction ID: c3dd85fd8eb86e96050f203d102bb3d32d01dd1ef5c3a7cf500ce14af9cfb6a7
                                                                                                                                                        • Opcode Fuzzy Hash: c700fda896f778e87dfd9740f0a3e343aa567929a8646e1695328b8a1beb0c3f
                                                                                                                                                        • Instruction Fuzzy Hash: A83158B15083409BE311DF64DC86AABB7E4FF89344F04492DF5899B251EB34EA08C7A7
                                                                                                                                                        APIs
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Sleepputs$putchar
                                                                                                                                                        • String ID: :0w
                                                                                                                                                        • API String ID: 2077369753-3115172360
                                                                                                                                                        • Opcode ID: 9192f487596160c339f41983a33f2a38c7efea5f9f73055e964f01a2f8dd05f0
                                                                                                                                                        • Instruction ID: 928185dbe6a6a19738f5aa3115b882cc268472eaa2bf626173513b859fd1dc53
                                                                                                                                                        • Opcode Fuzzy Hash: 9192f487596160c339f41983a33f2a38c7efea5f9f73055e964f01a2f8dd05f0
                                                                                                                                                        • Instruction Fuzzy Hash: 9E3139B1508310ABE350DF64DC86BABB7E4FF88744F00492DF54997290EB75E60887A7
                                                                                                                                                        APIs
                                                                                                                                                        • ceil.MSVCRT ref: 10001C3E
                                                                                                                                                        • _ftol.MSVCRT ref: 10001C44
                                                                                                                                                        • putchar.MSVCRT(00000030,?,?,?,?,10001AB9,00000000), ref: 10001C56
                                                                                                                                                        • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,?,?,?,?,?,?,?,?,?,10001AB9,00000000), ref: 10001C65
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: AllocVirtual_ftolceilputchar
                                                                                                                                                        • String ID: :0w
                                                                                                                                                        • API String ID: 2726256048-3115172360
                                                                                                                                                        • Opcode ID: b6ddf98486f6a5f80e58f1e8c7214f3ed062d36d073a613bec6f644c29dbdcbf
                                                                                                                                                        • Instruction ID: ab4524f9570b777224c827aebcd05b3483c44509336cf79f1e529fb5d9d83700
                                                                                                                                                        • Opcode Fuzzy Hash: b6ddf98486f6a5f80e58f1e8c7214f3ed062d36d073a613bec6f644c29dbdcbf
                                                                                                                                                        • Instruction Fuzzy Hash: 3A21E5756443049BE700EF28EC96B5ABBD4FB847A5F01843AF9458B390EF75D908C661
                                                                                                                                                        APIs
                                                                                                                                                        • Sleep.KERNEL32(00000000,00000000,?,?,?,10002519,?,00000005,00000005,00000000,?,1000238D,?,00000000,77303A20), ref: 10001B18
                                                                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,10002519,?,00000005,00000005,00000000,?,1000238D,?,00000000,77303A20), ref: 10001B26
                                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,10002519,?,00000005,00000005,00000000,?,1000238D,?,00000000,77303A20), ref: 10001B3C
                                                                                                                                                        • Sleep.KERNEL32(00000000,?,?,?,?,10002519,?,00000005,00000005,00000000,?,1000238D,?,00000000,77303A20), ref: 10001B83
                                                                                                                                                        • memmove.MSVCRT(?,?,00000000,?,?,?,10002519,?,00000005,00000005,00000000,?,1000238D,?,00000000,77303A20), ref: 10001B97
                                                                                                                                                        • Sleep.KERNEL32(00000000,?,00000000,77303A20,?,?,?,00000000,100130B0,000000FF,?,1000238D,?), ref: 10001BA2
                                                                                                                                                        • putchar.MSVCRT(00000030,00000000,?,?,?,10002519,?,00000005,00000005,00000000,?,1000238D,?,00000000,77303A20), ref: 10001BC2
                                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,77303A20,?,?,?,00000000,100130B0,000000FF,?,1000238D,?), ref: 10001BCC
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: CriticalSectionSleep$Leave$Entermemmoveputchar
                                                                                                                                                        • String ID: :0w
                                                                                                                                                        • API String ID: 1918140591-3115172360
                                                                                                                                                        • Opcode ID: c069595def49c557dc7c2274fd5aa4a044d6bb28a15d2f6e68b7994a543ab67e
                                                                                                                                                        • Instruction ID: 193de783820adac7fc66e8420ece183fe9bf6922c5a0f216bd8d41a28372eff5
                                                                                                                                                        • Opcode Fuzzy Hash: c069595def49c557dc7c2274fd5aa4a044d6bb28a15d2f6e68b7994a543ab67e
                                                                                                                                                        • Instruction Fuzzy Hash: 4221C3363042155FE704FFB89C95AAEB799EF44291F01843DFA0297266EFB0EC0487A1
                                                                                                                                                        APIs
                                                                                                                                                        • LoadLibraryA.KERNEL32(KERNEL32.dll,GetCurrentThreadId,100132F0), ref: 10009EDE
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 10009EE5
                                                                                                                                                        • _strrev.MSVCRT ref: 10009F28
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: AddressLibraryLoadProc_strrev
                                                                                                                                                        • String ID: GetCurrentThreadId$KERNEL32.dll$W$g$i$l
                                                                                                                                                        • API String ID: 773210053-3220650758
                                                                                                                                                        • Opcode ID: ac61637b6d01b09cb9f8c0fe09121c85f84b0587417f00f4bb3e179232ba9794
                                                                                                                                                        • Instruction ID: 00492b91638a2d29e4d5ce0ef95a64c72099852078c8275bc0db67a9c95e37b0
                                                                                                                                                        • Opcode Fuzzy Hash: ac61637b6d01b09cb9f8c0fe09121c85f84b0587417f00f4bb3e179232ba9794
                                                                                                                                                        • Instruction Fuzzy Hash: B801C02140C3D1AAE301D7A8AC48BDB3FD89FA1789F08C868F5C886292D675C658C763
                                                                                                                                                        APIs
                                                                                                                                                        • LoadLibraryA.KERNEL32(Shell32.dll), ref: 10005EB5
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,ShellExecuteA), ref: 10005EC3
                                                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 10005EF6
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                         • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Library$AddressFreeLoadProc
                                                                                                                                                        • String ID: Shell32.dll$ShellExecuteA$e$n$o$p
                                                                                                                                                        • API String ID: 145871493-2745875815
                                                                                                                                                        • Opcode ID: 990516df161a2306d4794604bdffc27e32b6b7dd98ea73b2ccd8d13181406760
                                                                                                                                                        • Instruction ID: e6f55804dc940045682f4676c21f018dda90ecff3070eaca2f3bf0dfb5eb610f
                                                                                                                                                        • Opcode Fuzzy Hash: 990516df161a2306d4794604bdffc27e32b6b7dd98ea73b2ccd8d13181406760
                                                                                                                                                        • Instruction Fuzzy Hash: C80149340083506EE300D7289C88BABBFD4EBD9666F04061CF998462D0CBBA99098377
                                                                                                                                                        APIs
                                                                                                                                                        • putchar.MSVCRT(00000030,?,?,?,10009679,?,?,10009627), ref: 10009B33
                                                                                                                                                        • LoadLibraryA.KERNEL32(user32.dll), ref: 10009B3D
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 10009B47
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 10009B4B
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,EnumWindows), ref: 10009B56
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 10009B60
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 10009B73
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                         • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: putchar$AddressLibraryLoadProc
                                                                                                                                                        • String ID: EnumWindows$user32.dll
                                                                                                                                                        • API String ID: 2374183287-245904054
                                                                                                                                                        • Opcode ID: dfbcb491b5d00e46e065b36145075481a0557ca5fb72edf7afa640eb18e43280
                                                                                                                                                        • Instruction ID: e37234f6ea5c8d1f9019da4b470510178668ab1ac96bc6abda4775b70e15542c
                                                                                                                                                        • Opcode Fuzzy Hash: dfbcb491b5d00e46e065b36145075481a0557ca5fb72edf7afa640eb18e43280
                                                                                                                                                        • Instruction Fuzzy Hash: CFF0B471911210BBF201E7A8DC65F9B3F98DFC4395F05402AF7498B190DA71D605CBA3
                                                                                                                                                        APIs
                                                                                                                                                        • LoadLibraryA.KERNEL32(Shell32.dll), ref: 10004189
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,ShellExecuteA), ref: 10004197
                                                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 100041CE
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                         • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Library$AddressFreeLoadProc
                                                                                                                                                        • String ID: Shell32.dll$ShellExecuteA$e$n$o$p
                                                                                                                                                        • API String ID: 145871493-2745875815
                                                                                                                                                        • Opcode ID: 4ad32162aafe9748ef7f762456aaf6368669afa29cf49b7c76aa42c593bc2c15
                                                                                                                                                        • Instruction ID: db58dfb9a3466432ddcc4b23f3120db39b66b472227730687a2ad29d0db4f05d
                                                                                                                                                        • Opcode Fuzzy Hash: 4ad32162aafe9748ef7f762456aaf6368669afa29cf49b7c76aa42c593bc2c15
                                                                                                                                                        • Instruction Fuzzy Hash: C5F0BE200483A1AFE301DB24DC49BAB7FE0AF9A701F04450CF6C40A280CBB59A4CC7B3
                                                                                                                                                        APIs
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,CreateDIBSection), ref: 10008B68
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,SelectObject), ref: 10008B93
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,BitBlt), ref: 10008BAF
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 10008C1A
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                         • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: AddressProc
                                                                                                                                                        • String ID: BitBlt$CreateDIBSection$DeleteObject$SelectObject
                                                                                                                                                        • API String ID: 190572456-815035257
                                                                                                                                                        • Opcode ID: 4f5d6eb6a2c2feb56e9f72d2410f84019a65ec87506187976c49919a40bf3f20
                                                                                                                                                        • Instruction ID: c67215c464faf5d871b834cdfe0ecf185bc77a0ad6dd23337b848776d91c7b4b
                                                                                                                                                        • Opcode Fuzzy Hash: 4f5d6eb6a2c2feb56e9f72d2410f84019a65ec87506187976c49919a40bf3f20
                                                                                                                                                        • Instruction Fuzzy Hash: C841C3B6204701AFD214DF69DD85E2BB7B9FB88640F108A0DF69687754CB71F9008BA1
                                                                                                                                                        APIs
                                                                                                                                                        • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,chost.exe -k imgsvc), ref: 1000B82F
                                                                                                                                                        • OpenServiceA.ADVAPI32(00000000,Rsvxcj Otuftnsa Qwj,000F003F,?,?,?,?,?,?,?,?,?,?,?,1000C91A), ref: 1000B842
                                                                                                                                                        • LockServiceDatabase.ADVAPI32 ref: 1000B8A5
                                                                                                                                                        • ChangeServiceConfig2A.ADVAPI32(00000000,00000002,?), ref: 1000B8B3
                                                                                                                                                        • CloseServiceHandle.ADVAPI32(00000000), ref: 1000B8BA
                                                                                                                                                        • UnlockServiceDatabase.ADVAPI32(00000000), ref: 1000B8C1
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                         • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Service$DatabaseOpen$ChangeCloseConfig2HandleLockManagerUnlock
                                                                                                                                                        • String ID: Rsvxcj Otuftnsa Qwj$chost.exe -k imgsvc
                                                                                                                                                        • API String ID: 3576742245-2461265680
                                                                                                                                                        • Opcode ID: d5e8110b3e0f16f6f9417dc3313dbaebc49bcf4a39a033817fcd25b7351920c2
                                                                                                                                                        • Instruction ID: 08899625aa57832932d822c9979de8df17352aeb433026220bbeacdf8fbac15f
                                                                                                                                                        • Opcode Fuzzy Hash: d5e8110b3e0f16f6f9417dc3313dbaebc49bcf4a39a033817fcd25b7351920c2
                                                                                                                                                        • Instruction Fuzzy Hash: 9211FEB1509310AFE301DF25C8C8AAFBAE4FBC8758F404A1DF59996241D7B98649CF92
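The listings above are raw per-function API annotations, so the security-relevant points are easy to miss when reading by hand: the Shell32/user32 blocks resolve ShellExecuteA and EnumWindows at runtime through LoadLibraryA/GetProcAddress rather than the import table, the GDI block resolves CreateDIBSection/SelectObject/BitBlt/DeleteObject (the usual screen-capture set), and the ADVAPI32 block opens the service control manager with access mask 0x000F003F (SC_MANAGER_ALL_ACCESS), opens the service named "Rsvxcj Otuftnsa Qwj" and calls ChangeServiceConfig2A with dwInfoLevel 2, which is SERVICE_CONFIG_FAILURE_ACTIONS in winsvc.h, i.e. it sets what the SCM does when that service dies. As an added example (my own triage code, not part of this Joe Sandbox report, its tooling, or the sample), the script below parses these "APIs" bullet lines and surfaces exactly those patterns, plus Sleep calls bracketed by GetTickCount (the pattern behind the "detect sleep reduction" signature in the summary). The pairing of each GetProcAddress name with the preceding LoadLibrary in the same block, and the GetTickCount-around-Sleep rule, are heuristics I chose for this example; the sample input is constructed by copying lines from four of the function blocks on this page, including the "chost.exe -k imgsvc" and service-name strings exactly as the report recovered them.

```python
"""Triage helper for Joe Sandbox per-function "APIs" listings (added example, not Joe Sandbox code).
Parses lines such as   • GetProcAddress.KERNEL32(00000000,ShellExecuteA), ref: 10005EC3
and flags runtime-resolved imports, service-configuration changes, and Sleep calls
bracketed by GetTickCount (the delay is being measured: sleep-skipping detection)."""
import re
from collections import namedtuple

# Optional "Part of subcall function XXXX:" prefix, Api.MODULE, optional "(args)", then "ref: <addr>".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SERVICE_CONFIG_LEVELS = {1: "SERVICE_CONFIG_DESCRIPTION", 2: "SERVICE_CONFIG_FAILURE_ACTIONS"}  # winsvc.h dwInfoLevel
Call = namedtuple("Call", "api module args ref")

def split_functions(text):
    """Each 'APIs' header starts a new per-function block; text before the first one is ignored."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = []
            blocks.append(cur)
        elif cur is not None:
            cur.append(line)
    return ["\n".join(b) for b in blocks]

def parse_calls(block):
    calls = []
    for line in block.splitlines():
        m = API_RE.match(line)
        if m:  # "Strings", "Memory Dump Source", ... are not call lines
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref")))
    return calls

def find_dynamic_imports(calls):
    """Pair each GetProcAddress name the sandbox recovered with the latest LoadLibrary* in the block
    (heuristic: the listing is address-ordered, so the preceding LoadLibrary is the likely module)."""
    found, lib = [], None
    for c in calls:
        if c.api.startswith("LoadLibrary") and c.args and c.args[0] != "?":
            lib = c.args[0]
        elif c.api == "GetProcAddress" and len(c.args) >= 2:
            name = c.args[1]
            if name not in ("", "?") and not re.fullmatch(r"[0-9A-Fa-f]{8}", name):  # skip raw values
                found.append((lib or "?", name))
    return found

def find_service_config(calls):
    """OpenSCManagerA -> OpenServiceA -> ChangeServiceConfig2A in one function: target and level."""
    names = {c.api for c in calls}
    if not {"OpenSCManagerA", "OpenServiceA", "ChangeServiceConfig2A"} <= names:
        return None
    svc = next(c for c in calls if c.api == "OpenServiceA")
    cfg = next(c for c in calls if c.api == "ChangeServiceConfig2A")
    level = int(cfg.args[1], 16) if len(cfg.args) > 1 and cfg.args[1] != "?" else None
    return {"service": svc.args[1] if len(svc.args) > 1 else "?",
            "info_level": SERVICE_CONFIG_LEVELS.get(level, "unknown(%r)" % level)}

def find_sleep_timing(calls):
    """Sleep calls with GetTickCount both before and after them; returns the delays in ms."""
    hits = []
    for i, c in enumerate(calls):
        if c.api == "Sleep" and c.args and c.args[0] != "?":
            if any(p.api == "GetTickCount" for p in calls[:i]) and any(n.api == "GetTickCount" for n in calls[i + 1:]):
                hits.append(int(c.args[0], 16))
    return hits

def triage(text):
    report = []
    for block in split_functions(text):
        calls = parse_calls(block)
        report.append({"first_ref": calls[0].ref if calls else None,
                       "dynamic_imports": find_dynamic_imports(calls),
                       "service_config": find_service_config(calls),
                       "sleep_timing_ms": find_sleep_timing(calls)})
    return report

# Constructed input: "APIs" lines copied from four function blocks of this report.
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(Shell32.dll), ref: 10005EB5
• GetProcAddress.KERNEL32(00000000,ShellExecuteA), ref: 10005EC3
APIs
• GetProcAddress.KERNEL32(00000000,CreateDIBSection), ref: 10008B68
• GetProcAddress.KERNEL32(00000000,BitBlt), ref: 10008BAF
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,chost.exe -k imgsvc), ref: 1000B82F
• OpenServiceA.ADVAPI32(00000000,Rsvxcj Otuftnsa Qwj,000F003F,?,?,?,?,?,?,?,?,?,?,?,1000C91A), ref: 1000B842
• LockServiceDatabase.ADVAPI32 ref: 1000B8A5
• ChangeServiceConfig2A.ADVAPI32(00000000,00000002,?), ref: 1000B8B3
APIs
• GetStockObject.GDI32 ref: 1000B62E
  • Part of subcall function 1000B310: GetTickCount.KERNEL32 ref: 1000B338
  • Part of subcall function 1000B310: Sleep.KERNEL32(000000C8), ref: 1000B3A6
  • Part of subcall function 1000B310: GetTickCount.KERNEL32 ref: 1000B3CF
• Sleep.KERNEL32(000003E8), ref: 1000B6EF
"""
if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(entry)
```

Run it on the whole exported report text rather than the excerpt to get one entry per function; the `first_ref` address lets you jump back to the block in the report. The GetProcAddress handle argument is shown as 00000000 because the annotation is static, so the module is inferred from ordering, which is why a block that only calls GetProcAddress (the GDI one) reports the module as "?".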
                                                                                                                                                        APIs
                                                                                                                                                        • GetStockObject.GDI32 ref: 1000B62E
                                                                                                                                                        • RegisterClassA.USER32 ref: 1000B64D
                                                                                                                                                        • strncpy.MSVCRT ref: 1000B664
                                                                                                                                                        • wcstombs.MSVCRT ref: 1000B677
                                                                                                                                                          • Part of subcall function 10009C10: LoadLibraryA.KERNEL32 ref: 10009C9C
                                                                                                                                                          • Part of subcall function 10009C10: GetProcAddress.KERNEL32(00000000), ref: 10009CA3
                                                                                                                                                          • Part of subcall function 10009C10: _beginthreadex.MSVCRT ref: 10009CED
                                                                                                                                                          • Part of subcall function 10009C10: WaitForSingleObject.KERNEL32(?,000000FF), ref: 10009CFF
                                                                                                                                                          • Part of subcall function 10009C10: CloseHandle.KERNEL32(?), ref: 10009D0A
                                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 1000B6BC
                                                                                                                                                          • Part of subcall function 1000B310: GetTickCount.KERNEL32 ref: 1000B338
                                                                                                                                                          • Part of subcall function 1000B310: SetErrorMode.KERNEL32(00000001,1000B6E7,00000000,00000000), ref: 1000B354
                                                                                                                                                          • Part of subcall function 1000B310: OpenEventA.KERNEL32(001F0003,00000000,10019DF8), ref: 1000B399
                                                                                                                                                          • Part of subcall function 1000B310: Sleep.KERNEL32(000000C8), ref: 1000B3A6
                                                                                                                                                          • Part of subcall function 1000B310: CloseHandle.KERNEL32(00000000), ref: 1000B3BD
                                                                                                                                                          • Part of subcall function 1000B310: GetTickCount.KERNEL32 ref: 1000B3CF
                                                                                                                                                          • Part of subcall function 1000B310: GetTickCount.KERNEL32 ref: 1000B3F6
                                                                                                                                                          • Part of subcall function 1000B310: Sleep.KERNEL32(000003E8), ref: 1000B46F
                                                                                                                                                        • Sleep.KERNEL32(000003E8), ref: 1000B6EF
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                         • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                         • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: CloseCountHandleSleepTick$Object$AddressClassErrorEventLibraryLoadModeOpenProcRegisterSingleStockWait_beginthreadexstrncpywcstombs
                                                                                                                                                        • String ID: f
                                                                                                                                                        • API String ID: 783065124-1993550816
                                                                                                                                                        • Opcode ID: 84ddb0aa9dda7dd039406c20547a437ecbbf519a9a3a5ffab97a3b00f690db92
                                                                                                                                                        • Instruction ID: 2893aa5efe7d73c34879945ae9b50fcc71fed96773c3755b4e1d54dca2853401
                                                                                                                                                        • Opcode Fuzzy Hash: 84ddb0aa9dda7dd039406c20547a437ecbbf519a9a3a5ffab97a3b00f690db92
                                                                                                                                                        • Instruction Fuzzy Hash: 5F213BB4800290BBF210DFA6CC8DE5BBEB8EBD6B45F04441DFA45562A5DBB59180CB62
                                                                                                                                                        APIs
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 10009500
                                                                                                                                                        • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 10009510
                                                                                                                                                        • putchar.MSVCRT(00000030), ref: 10009518
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,TerminateThread), ref: 1000952E
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,TerminateProcess), ref: 1000953E
                                                                                                                                                          • Part of subcall function 10002630: putchar.MSVCRT(00000030,00000000,?,?,1000210E,00000000), ref: 1000264B
                                                                                                                                                          • Part of subcall function 10002630: putchar.MSVCRT(00000030), ref: 10002670
                                                                                                                                                          • Part of subcall function 10002630: CancelIo.KERNEL32(?), ref: 1000267C
                                                                                                                                                          • Part of subcall function 10002630: putchar.MSVCRT(00000030), ref: 10002684
                                                                                                                                                          • Part of subcall function 10002630: InterlockedExchange.KERNEL32(?,00000000), ref: 10002692
                                                                                                                                                          • Part of subcall function 10002630: putchar.MSVCRT(00000030), ref: 1000269A
                                                                                                                                                          • Part of subcall function 10002630: putchar.MSVCRT(00000030), ref: 100026AE
                                                                                                                                                          • Part of subcall function 10002630: SetEvent.KERNEL32(?), ref: 100026BA
                                                                                                                                                          • Part of subcall function 10002630: putchar.MSVCRT(00000030), ref: 100026C2
                                                                                                                                                        Strings
Similarity
• API ID: putchar$AddressProc$CancelEventExchangeInterlockedMultipleObjectsWait
• String ID: TerminateProcess$TerminateThread
• API String ID: 2508440631-2692071134
• Opcode ID: 1b18a8adaf73660c04587722c76f81c4ff8065b3520bc44a42ac4a377bbd95f4
• Instruction ID: 20bba0ca188fe36efb7e17e6ab60a7d7d29f6a271d78adb2c192687c07517623
• Opcode Fuzzy Hash: 1b18a8adaf73660c04587722c76f81c4ff8065b3520bc44a42ac4a377bbd95f4
• Instruction Fuzzy Hash: 11015E726403106BE600EBA9DC81F56B3E9BF98720F01491DF649D72A0DAB0F9088BA1
APIs
• LoadLibraryA.KERNEL32(KERNEL32.dll,OpenProcess,?,?,?,?,?,1000961C,?,?), ref: 100096B5
• GetProcAddress.KERNEL32(00000000), ref: 100096BC
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,?,?,?,1000961C,?,?), ref: 100096E4
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,1000961C,?,?), ref: 100096EB
• Sleep.KERNEL32(00000064,?,?,?,?,?,1000961C,?,?), ref: 100096FE
Strings
Similarity
• API ID: AddressCloseHandleLibraryLoadProcProcessSleepTerminate
• String ID: KERNEL32.dll$OpenProcess
• API String ID: 3920665617-1580943528
• Opcode ID: 9ab66ecbca88d38be8d99ead96aaf475ed5c7f924adf72b1525959238bdbd2f9
• Instruction ID: 3a1d50c84e35f253cfef4663ed0c3efdfbe3a69b3c461da1c16643c8ad1173e3
• Opcode Fuzzy Hash: 9ab66ecbca88d38be8d99ead96aaf475ed5c7f924adf72b1525959238bdbd2f9
• Instruction Fuzzy Hash: BCF0F472200310ABE212EB958C88B3FB7A9EBC8691F02441DF70287260CF71EC018661
APIs
• ?_Xran@std@@YAXXZ.MSVCP60(?,?,?,00000000,?,-00000008,10013151,000000FF,10004BCB,-00000008,?,?,?,?,?), ref: 100054CF
• ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,?,?,00000000,?,-00000008,10013151,000000FF,10004BCB,-00000008,?,?,?,?,?), ref: 100054D7
• memmove.MSVCRT(3B4208C4,?,?,?,00000000,?,-00000008,10013151,000000FF,10004BCB,-00000008,?,?,?,?,?), ref: 100054F9
• ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(?,00000000), ref: 1000550B
• ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z.MSVCP60(?), ref: 10005518
• ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ.MSVCP60(?,00000000,?,-00000008,10013151,000000FF,10004BCB,-00000008,?,?,?,?,?), ref: 10005520
• ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,00000000,?,-00000008,10013151,000000FF,10004BCB,-00000008,?,?,?,?,?), ref: 10005557
• ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z.MSVCP60(3B4208C4,00000001,?,?,?,00000000,?,-00000008,10013151,000000FF,10004BCB,-00000008,?,?,?), ref: 10005598
Similarity
• API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Grow@?$basic_string@Split@?$basic_string@$Eos@?$basic_string@Tidy@?$basic_string@Xran@std@@memmove
• String ID:
• API String ID: 1074130261-0
• Opcode ID: fff55965db0c58becd4d02e65a04908263491eec20bbf569262c2dab44870abc
• Instruction ID: 87b61ecaf65165e882bada16d7852beea7ff105125910843439215299bb61c25
• Opcode Fuzzy Hash: fff55965db0c58becd4d02e65a04908263491eec20bbf569262c2dab44870abc
• Instruction Fuzzy Hash: 4041D275640B54EFDB10CF18CCD469ABBE6FB886A2F51852DE85A87350CB36DC80CB40
APIs
• InterlockedExchange.KERNEL32(?,00000001), ref: 100060AB
• Sleep.KERNEL32(00000064), ref: 100061C6
• RegCreateKeyExA.ADVAPI32 ref: 10006259
• RegSetValueExA.ADVAPI32(00000000,100194E0,00000000,00000001,?,?), ref: 10006278
• RegCloseKey.ADVAPI32(00000000,?,?), ref: 10006283
Strings
Similarity
• API ID: CloseCreateExchangeInterlockedSleepValue
• String ID: NetSubKey
• API String ID: 1535352505-401508585
• Opcode ID: f410727212156bb6ac4bcedf7cf2aad61976973a318129d2f814f1b914a3a10c
• Instruction ID: 33905ba07257dca96c423bdd529f6a651a407892e2d33dcd99f6def206435263
• Opcode Fuzzy Hash: f410727212156bb6ac4bcedf7cf2aad61976973a318129d2f814f1b914a3a10c
• Instruction Fuzzy Hash: 4F51F636384300ABF720EA54DCC2FD7B355FB84752F248172FF489E2C6D2A6A54587A5
APIs
• GetProcAddress.KERNEL32(00000000,waveOutGetNumDevs), ref: 100015A2
• GetProcAddress.KERNEL32(00000000,waveOutOpen), ref: 100015EB
Strings
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: AddressProc
                                                                                                                                                        • String ID: waveOutGetNumDevs$waveOutOpen$waveOutPrepareHeader
                                                                                                                                                        • API String ID: 190572456-3006884721
                                                                                                                                                        • Opcode ID: e6c9c7372ab9e636bd0ef264945056c1430da1a2305f91158fb3781f6fcb951e
                                                                                                                                                        • Instruction ID: b1ffc3cde24e6e33766624a8a38fdb10a022db1e1b451f01f5fa0f3182756f0e
                                                                                                                                                        • Opcode Fuzzy Hash: e6c9c7372ab9e636bd0ef264945056c1430da1a2305f91158fb3781f6fcb951e
                                                                                                                                                        • Instruction Fuzzy Hash: 5421A476604211AFE714CF58EC84EA6B7E4FBCC350F15856DEA058B345DB72E845CB90
                                                                                                                                                        APIs
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: mallocputcharstrrchr
                                                                                                                                                        • String ID: :0w$D
                                                                                                                                                        • API String ID: 1106483082-2083776233
                                                                                                                                                        • Opcode ID: 33a7e01c839521fb0246c212137cd941a1c67f8b5db0d77f74545bfbdaf3142e
                                                                                                                                                        • Instruction ID: dc1e8b1eb6329f80bcfa566204b4627c0389cdaa4a7122794a5da561735948ad
                                                                                                                                                        • Opcode Fuzzy Hash: 33a7e01c839521fb0246c212137cd941a1c67f8b5db0d77f74545bfbdaf3142e
                                                                                                                                                        • Instruction Fuzzy Hash: 0B1138B62001101BE7149B299C45AEBB7D9EBD4375F04443FFE06C3390EEB6990E82A2
                                                                                                                                                        APIs
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: mallocputcharstrrchr
                                                                                                                                                        • String ID: :0w$D
                                                                                                                                                        • API String ID: 1106483082-2083776233
                                                                                                                                                        • Opcode ID: de5d8340017b26bed14d36257ac24b4031b000c7570f3a934ffd2b5b87abee6a
                                                                                                                                                        • Instruction ID: 486d3e8433787fd79062af2a3bda7343d1423c693d9a00c3d51a911f555d0f67
                                                                                                                                                        • Opcode Fuzzy Hash: de5d8340017b26bed14d36257ac24b4031b000c7570f3a934ffd2b5b87abee6a
                                                                                                                                                        • Instruction Fuzzy Hash: 4E1127B62002101FE70496299C45AEBB7D9E7D4371F05443AFE46C3390EEB6990E86B2
                                                                                                                                                        APIs
                                                                                                                                                        • GetProcAddress.KERNEL32 ref: 1000942D
                                                                                                                                                        • Sleep.KERNEL32(00000064), ref: 1000943E
                                                                                                                                                        • LocalAlloc.KERNEL32(00000040,?), ref: 10009480
                                                                                                                                                        • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 10009499
                                                                                                                                                        • LocalFree.KERNEL32(00000000), ref: 100094AD
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Local$AddressAllocFileFreeProcReadSleep
                                                                                                                                                        • String ID: PeekNamedPipe
                                                                                                                                                        • API String ID: 3930002086-4103907019
                                                                                                                                                        • Opcode ID: df6353daf161fd19ab7ecfdd05565926c667798e3f439c1ba59310d2e7b17fc1
                                                                                                                                                        • Instruction ID: 53d3735ee02d3805f42c7b521e32e0efcc3b3ebbc9eae651c7d118f1b58f2983
                                                                                                                                                        • Opcode Fuzzy Hash: df6353daf161fd19ab7ecfdd05565926c667798e3f439c1ba59310d2e7b17fc1
                                                                                                                                                        • Instruction Fuzzy Hash: 31214DB1204302ABE714DF65DD85F6B77ECEB88744F01891CFB45A6290DA70E9098B76
                                                                                                                                                        APIs
                                                                                                                                                        • LoadLibraryA.KERNEL32(User32.dll), ref: 10007682
                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,DestroyCursor), ref: 10007692
                                                                                                                                                        • FreeLibrary.KERNEL32(?), ref: 100076B2
                                                                                                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 100076C0
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Library$??3@AddressFreeLoadProc
                                                                                                                                                        • String ID: DestroyCursor$User32.dll
                                                                                                                                                        • API String ID: 2975818177-1847248185
                                                                                                                                                        • Opcode ID: ab2b8b590988e06ffaf8f54e547b03954e739254c7f33f27517a41ba1afdd422
                                                                                                                                                        • Instruction ID: 44505e3466fcf23f76fd983ea27b7ecf52a6643ed392d4afe76879ee652c3faf
                                                                                                                                                        • Opcode Fuzzy Hash: ab2b8b590988e06ffaf8f54e547b03954e739254c7f33f27517a41ba1afdd422
                                                                                                                                                        • Instruction Fuzzy Hash: 30F0E0B25002155FE301DB55DC88E57BBE8FF84295F110439F74587221DF76E894C7A1
                                                                                                                                                        APIs
                                                                                                                                                          • Part of subcall function 10001E10: EnterCriticalSection.KERNEL32(?,?,00000000,100026F7,?,00000000,774D0BD0,774CF550,00000000,02060251,774D0F00,774D3000), ref: 10001E18
                                                                                                                                                          • Part of subcall function 10001E10: LeaveCriticalSection.KERNEL32(?,00000400), ref: 10001E31
                                                                                                                                                        • _ftol.MSVCRT ref: 1000271F
                                                                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 10002729
                                                                                                                                                        • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,774CF550,00000000,02060251,774D0F00,774D3000), ref: 1000275E
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: CriticalSection$??2@??3@EnterLeave_ftol
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 2245774403-0
                                                                                                                                                        • Opcode ID: e5e0a5cd29fd38392e695de1e8bc92ec52895340613ef89e60e7e3e62112d9cc
                                                                                                                                                        • Instruction ID: 74bc8f4f48d960f93c89bfae57346969df8f625a9ee438c50813d36951ecc362
                                                                                                                                                        • Opcode Fuzzy Hash: e5e0a5cd29fd38392e695de1e8bc92ec52895340613ef89e60e7e3e62112d9cc
                                                                                                                                                        • Instruction Fuzzy Hash: A641C37A7043045BE704EE249C82ABF7399EFC46D0F40492DF90657282EE34F95987A3
                                                                                                                                                        APIs
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: putchar$Sleep
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 1772244462-0
                                                                                                                                                        • Opcode ID: 2f1a62b852c378b903ed5e144f825719cc69a7eda8dd6a239163672c104a484c
• Instruction ID: 7ee5793222517231c36b2daf1d5777f574db8f220af18965c02a4fdf1a62f65f
• Opcode Fuzzy Hash: 2f1a62b852c378b903ed5e144f825719cc69a7eda8dd6a239163672c104a484c
• Instruction Fuzzy Hash: BB215E716583019BF310CF58DC85B9BB7E8EF88754F00482DF68997281DB75DA0987AB
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: putchar
• String ID: :0w
• API String ID: 2332253611-3115172360
• Opcode ID: c1f125501792343c31cd6ea13d3ae6a3bf6b42e6788a609245f270efe457d990
• Instruction ID: 5d6dafd9588cbcaebb962bc5625d51fd45672617379904dad83aedb6e43c03bb
• Opcode Fuzzy Hash: c1f125501792343c31cd6ea13d3ae6a3bf6b42e6788a609245f270efe457d990
• Instruction Fuzzy Hash: 7321D83264030427FA24DA549C85BDF7384DF807A0F000629FF595B2D1DA79BA4D82D7
APIs
• LoadLibraryA.KERNEL32 ref: 10009D3C
• GetProcAddress.KERNEL32(00000000), ref: 10009D43
• lstrcmpiA.KERNEL32(?,00000000), ref: 10009DC0
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: AddressLibraryLoadProclstrcmpi
• String ID: GetCurrentThreadId$KERNEL32.dll
• API String ID: 3068298283-1458786552
• Opcode ID: e4a057e6803aa4abfd26b64df6d06e4669982f8c7696b36e441741f3a934cc23
• Instruction ID: 7a2abb41d7ce5a70bfec941ef3d8e1e47265f5c039bc0ab6e41cdda95de73f46
• Opcode Fuzzy Hash: e4a057e6803aa4abfd26b64df6d06e4669982f8c7696b36e441741f3a934cc23
• Instruction Fuzzy Hash: D411E671104319ABF711DB60CC8AFDB77A8EB88740F014829FB4596191EF74E949C7A2
APIs
• LoadLibraryA.KERNEL32(user32.dll,?,00000000,100063BA,?), ref: 10006846
• GetProcAddress.KERNEL32(00000000,EnumWindows), ref: 10006852
• Sleep.KERNEL32(000000C8,?,00000000,100063BA,?), ref: 1000687A
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: AddressLibraryLoadProcSleep
• String ID: EnumWindows$user32.dll
• API String ID: 188063004-245904054
• Opcode ID: 90c639c5e96282d111d208fb73f1537ef49cab6b4ead47bea7702ebce9b7b95a
• Instruction ID: b2c8236a7ac860ec77242b67be5d0fdedd1526f034aecaea6eb0b89d670c5f15
• Opcode Fuzzy Hash: 90c639c5e96282d111d208fb73f1537ef49cab6b4ead47bea7702ebce9b7b95a
• Instruction Fuzzy Hash: F701D8366045102BF748D678ED44A6A3292EBC86A0FA68339FB15976D4CE75CC418381
APIs
• LoadLibraryA.KERNEL32(WINMM.dll,?,?,00000000,1001300B,000000FF,1000176C,?,?,?,?,10012FC8,000000FF), ref: 1000186E
• GetProcAddress.KERNEL32(00000000,waveInGetNumDevs), ref: 1000187A
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: WINMM.dll$waveInGetNumDevs
• API String ID: 2574300362-817700921
• Opcode ID: 521eb910f6eb7d4954694c773221802ef3dddd5b833826047b5bbf6eb90c8b69
• Instruction ID: 10846bf6970c78a7f3faa3b1b37d4a64cb1e7b24676bd52028779d98a776cec1
• Opcode Fuzzy Hash: 521eb910f6eb7d4954694c773221802ef3dddd5b833826047b5bbf6eb90c8b69
• Instruction Fuzzy Hash: 3101F575940BA0ABF751CF68CD017D63BE4FB49A90F40896DF45983791DB78D9018B41
APIs
• LoadLibraryA.KERNEL32(AVICAP32.dll,?,00000000,774D0BD0,774CF550), ref: 1000AF51
• GetProcAddress.KERNEL32(00000000,capGetDriverDescriptionA), ref: 1000AF5F
• FreeLibrary.KERNEL32(00000000), ref: 1000AF8A
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: AVICAP32.dll$capGetDriverDescriptionA
• API String ID: 145871493-2465018903
• Opcode ID: ef39897eba74e4404c6ef24e810fbc7b09566dfcd0abc76f417246c342b0981c
• Instruction ID: 1d9cbc6cc88ed3688f83fd70268496483e6ef269f62d000a2850d87fe1486c39
• Opcode Fuzzy Hash: ef39897eba74e4404c6ef24e810fbc7b09566dfcd0abc76f417246c342b0981c
• Instruction Fuzzy Hash: 3BF027721812252FF210E6259C44FEB3B9CE7472D0F424131FE4583151DE79884D86A0
APIs
• LoadLibraryA.KERNEL32(User32.dll), ref: 10007631
• GetProcAddress.KERNEL32(00000000,DestroyCursor), ref: 1000763F
• FreeLibrary.KERNEL32(00000000), ref: 1000765B
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: DestroyCursor$User32.dll
• API String ID: 145871493-1847248185
• Opcode ID: 6ba2a16786ddc6e772735a8c864b9c5ed02a54fc058043682251f4ed7e4a0eb7
• Instruction ID: 939e5d56f39fe4b42edf61e6d5a2ca94c14cfc64097d62af0dc4966a95ebc0c7
• Opcode Fuzzy Hash: 6ba2a16786ddc6e772735a8c864b9c5ed02a54fc058043682251f4ed7e4a0eb7
• Instruction Fuzzy Hash: 16E080726001145FE3019755EC48FD677ECF7491B27170435FE4997221DBBAECC04664
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000000,?,10001E7D,00000000,774D0F00), ref: 10001A1A
• GetProcAddress.KERNEL32(00000000,InitializeCriticalSection), ref: 10001A28
• FreeLibrary.KERNEL32(00000000), ref: 10001A35
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: InitializeCriticalSection$kernel32.dll
• API String ID: 145871493-1469434275
• Opcode ID: b4d07b2f1cb6f58e3c224d835926ea1c24f76a6483c97df45ec5ba30d3096ff0
• Instruction ID: f25b9441c0715fb8e13b4dc7962bb8e7796d4c9feb80a96e714f5e542f50b016
• Opcode Fuzzy Hash: b4d07b2f1cb6f58e3c224d835926ea1c24f76a6483c97df45ec5ba30d3096ff0
• Instruction Fuzzy Hash: 7BE04F71500311AFD325DF79DC8897A7BF4FB8A651302892DFA5AC7220EB34D8818B50
APIs
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,100132E1,000000FF,10007995,?,?,?,?,?,?,100132F0,000000FF), ref: 10007813
• CloseHandle.KERNEL32(?,?,?,100132E1,000000FF,10007995,?,?,?,?,?,?,100132F0,000000FF), ref: 1000781D
                                                                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000110,?,?,100132E1,000000FF,10007995,?,?,?,?,?,?,100132F0,000000FF), ref: 10007841
                                                                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000110,?,?,100132E1,000000FF,10007995,?,?,?,?,?,?,100132F0,000000FF), ref: 10007872
                                                                                                                                                          • Part of subcall function 10008190: LoadLibraryA.KERNEL32(GDI32.dll), ref: 10008275
                                                                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000110,?,?,100132E1,000000FF,10007995,?,?,?,?,?,?,100132F0,000000FF), ref: 10007899
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ??2@$CloseHandleLibraryLoadObjectSingleWait
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3344179222-0
                                                                                                                                                        • Opcode ID: 27db1c84135a12758d3a5169a164e3be35d36379a4c7e05d68543d389f2a3143
                                                                                                                                                        • Instruction ID: f0eaa606636af5e70e2a434aae5c72d5748a268e0d76edd0364b59459dc850de
                                                                                                                                                        • Opcode Fuzzy Hash: 27db1c84135a12758d3a5169a164e3be35d36379a4c7e05d68543d389f2a3143
                                                                                                                                                        • Instruction Fuzzy Hash: D231B2B4A447416BF720CF248C56B5B77E1FF44740F104A2CF69A9A2C1DBB4E544C792
                                                                                                                                                        APIs
                                                                                                                                                        • ??2@YAPAXI@Z.MSVCRT(?), ref: 100068AE
                                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 10006923
                                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 1000694B
                                                                                                                                                        • Sleep.KERNEL32(0000000D), ref: 10006994
                                                                                                                                                          • Part of subcall function 10009C10: LoadLibraryA.KERNEL32 ref: 10009C9C
                                                                                                                                                          • Part of subcall function 10009C10: GetProcAddress.KERNEL32(00000000), ref: 10009CA3
                                                                                                                                                          • Part of subcall function 10009C10: _beginthreadex.MSVCRT ref: 10009CED
                                                                                                                                                          • Part of subcall function 10009C10: WaitForSingleObject.KERNEL32(?,000000FF), ref: 10009CFF
                                                                                                                                                          • Part of subcall function 10009C10: CloseHandle.KERNEL32(?), ref: 10009D0A
                                                                                                                                                        • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 100069AA
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: CloseHandle$??2@??3@AddressLibraryLoadObjectProcSingleSleepWait_beginthreadex
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3366979071-0
                                                                                                                                                        • Opcode ID: 89ce756c8f61d6842bf8b667d11e0541efc6bbed6b7e730f3c4ac60ea2d34e68
                                                                                                                                                        • Instruction ID: 429babba93329987762198a54b73f9efd6620212f18058e4aa64b04762d079f8
                                                                                                                                                        • Opcode Fuzzy Hash: 89ce756c8f61d6842bf8b667d11e0541efc6bbed6b7e730f3c4ac60ea2d34e68
                                                                                                                                                        • Instruction Fuzzy Hash: 80210275A003452FF310DBA8DC86F4A36D9DB49740FA54028F605AB6C2E5B6E948C3A7
                                                                                                                                                        APIs
                                                                                                                                                        • GlobalSize.KERNEL32(00000000), ref: 100080C5
                                                                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 100080CF
                                                                                                                                                        • ??2@YAPAXI@Z.MSVCRT(00000001), ref: 100080D8
                                                                                                                                                        • GlobalUnlock.KERNEL32(?), ref: 100080FF
                                                                                                                                                        • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10008117
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: Global$??2@??3@LockSizeUnlock
                                                                                                                                                        • String ID:
                                                                                                                                                        • API String ID: 3424962747-0
                                                                                                                                                        • Opcode ID: 687d3ae06680d440f64e1dea16dbfb4f202e60d7fa7e2f46fb69080eb264e867
                                                                                                                                                        • Instruction ID: 8b53166f88138b517547e258b53a8e4f91fd03c1c3ac5001bb0084a1b8ee2721
                                                                                                                                                        • Opcode Fuzzy Hash: 687d3ae06680d440f64e1dea16dbfb4f202e60d7fa7e2f46fb69080eb264e867
                                                                                                                                                        • Instruction Fuzzy Hash: 5101D6755042245FE700EB74AC89A9F379CFF48655F818228F90A83211DB75D919C7A2
                                                                                                                                                        APIs
                                                                                                                                                          • Part of subcall function 1000A580: WaitForSingleObject.KERNEL32(?,00000BB8), ref: 1000A5AD
                                                                                                                                                        • ??2@YAPAXI@Z.MSVCRT(?), ref: 1000A980
                                                                                                                                                        • GetProcAddress.KERNEL32(?,ICSeqCompressFrame), ref: 1000AA0B
                                                                                                                                                        • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 1000AA87
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: ??2@??3@AddressObjectProcSingleWait
                                                                                                                                                        • String ID: ICSeqCompressFrame
                                                                                                                                                        • API String ID: 4139222257-1610221639
                                                                                                                                                        • Opcode ID: 17721f671b4bd568b3279ca78b564c55f80c33f1e2484ba5e75bf0a4c5855e35
                                                                                                                                                        • Instruction ID: 0f2dec4c58927b59049f6d74d0dfa1e683196f85d884988a55a49926e5a5ac49
                                                                                                                                                        • Opcode Fuzzy Hash: 17721f671b4bd568b3279ca78b564c55f80c33f1e2484ba5e75bf0a4c5855e35
                                                                                                                                                        • Instruction Fuzzy Hash: 6C31D3757002059FDB08CF14D990AAB77E6EF8A280F05415CFC4A9B386DB34ED45C7A2
                                                                                                                                                        APIs
                                                                                                                                                        • GetProcAddress.KERNEL32(?,waveInAddBuffer), ref: 10001672
                                                                                                                                                        • SetEvent.KERNEL32(?), ref: 100016AD
                                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 100016B5
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                        • Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        • Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                        • Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
                                                                                                                                                        Similarity
                                                                                                                                                        • API ID: AddressEventObjectProcSingleWait
                                                                                                                                                        • String ID: waveInAddBuffer
                                                                                                                                                        • API String ID: 183464563-4128413298
                                                                                                                                                        • Opcode ID: 4eac50bed195a3f44c8ca7a90d2722589fb3281e07065377e771dcf3cf4b447f
                                                                                                                                                        • Instruction ID: 0db133dc27e77428f67d1d0108e7c5033871d9e47f7264ebb910186cb29fd3de
                                                                                                                                                        • Opcode Fuzzy Hash: 4eac50bed195a3f44c8ca7a90d2722589fb3281e07065377e771dcf3cf4b447f
                                                                                                                                                        • Instruction Fuzzy Hash: 8E218172204301ABE320DF65DC88F97B7A8EB88760F058A19F641D7294D774E54987B1
                                                                                                                                                        APIs
                                                                                                                                                        Strings
                                                                                                                                                        Memory Dump Source
                                                                                                                                                        • Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: strrchr
• String ID: D$zhongjie
• API String ID: 3418686817-2616795919
• Opcode ID: 24a9fe1a96bc57e5f35be05900e16027b07dd42951a3db1a93b935e527149c35
• Instruction ID: 7b4e25b6c7c29876e18f432b3b8516bbc564841d91331ff5e9b839bd6f583327
• Opcode Fuzzy Hash: 24a9fe1a96bc57e5f35be05900e16027b07dd42951a3db1a93b935e527149c35
• Instruction Fuzzy Hash: 9FF078321042116BEB10DB1CDC05AEB37E5EBC1394F400439FA8687250EB75964E81D3
APIs
• LoadLibraryA.KERNEL32(KERNEL32.dll,GetCurrentThreadId,?,00000000), ref: 10009E12
• GetProcAddress.KERNEL32(00000000), ref: 10009E19
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetCurrentThreadId$KERNEL32.dll
• API String ID: 2574300362-1458786552
• Opcode ID: ffad052a5c78050b4a71a0528352f50407e9cb63512b622cb25ce4c2b7e47c9c
• Instruction ID: ec83f4215a6083f33d7793c989d9c283d906bb14a404e31b9a5c624a51dd5967
• Opcode Fuzzy Hash: ffad052a5c78050b4a71a0528352f50407e9cb63512b622cb25ce4c2b7e47c9c
• Instruction Fuzzy Hash: 2DF0F675500221ABF3119B19DCCDFDB376CFF84B55F418025F654C21A0EB78CA8586A6
APIs
• RegQueryValueExA.ADVAPI32(?,~MHz,00000000,?,?,?), ref: 1000AF20
• RegCloseKey.ADVAPI32 ref: 1000AF2B
Strings
• ~MHz, xrefs: 1000AF1A
• HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 1000AEF5
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: CloseQueryValue
• String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz
• API String ID: 3356406503-2226868861
• Opcode ID: 2efa3a21e3070fae22f0fbc0b902a820e1780a39d08fa85db67e5dac0c8c0902
• Instruction ID: 7b03eb77d7fb5630cd31e422f6f027aaec439cacf783866b403d2b9fbb9090ef
• Opcode Fuzzy Hash: 2efa3a21e3070fae22f0fbc0b902a820e1780a39d08fa85db67e5dac0c8c0902
• Instruction Fuzzy Hash: 64F07FB5108355BFE700DB64CD85E6BB7B8FB84604F40CA5DF6AD96291D630DA088B52
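The two function blocks above are the kind of per-function evidence behind the signature list at the top of the report: the function at 10009E12 resolves an export at runtime (LoadLibraryA("KERNEL32.dll") followed by GetProcAddress, with "GetCurrentThreadId" as the string argument), which is the "dynamically determine API calls" behaviour, and the function at 1000AF20 reads the ~MHz value under HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0, the registry location that holds the CPU clock speed and a common host-profiling read. The Python below is an added example, not part of the report and not Joe Sandbox tooling: it parses blocks in this listing's format (APIs / Strings / Similarity bullets) into records keyed by call site and tags the behaviours the report itself asserts. The sample text embedded in it is copied from those two blocks; the tag names, the regular expression for the API lines and the treatment of the '$'-joined API ID line are this example's own assumptions about the format.

```python
"""Parse Joe Sandbox per-function summary blocks into records and tag them.
Added example; not part of the report or of Joe Sandbox tooling."""
import re

# Sample input copied from two blocks of this report (LoadLibraryA/GetProcAddress
# at 10009E12, RegQueryValueExA at 1000AF20), embedded so this runs offline.
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(KERNEL32.dll,GetCurrentThreadId,?,00000000), ref: 10009E12
• GetProcAddress.KERNEL32(00000000), ref: 10009E19
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetCurrentThreadId$KERNEL32.dll
• API String ID: 2574300362-1458786552
APIs
• RegQueryValueExA.ADVAPI32(?,~MHz,00000000,?,?,?), ref: 1000AF20
• RegCloseKey.ADVAPI32 ref: 1000AF2B
Strings
• ~MHz, xrefs: 1000AF1A
• HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0, xrefs: 1000AEF5
Similarity
• API ID: CloseQueryValue
• String ID: HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0$~MHz
• API String ID: 3356406503-2226868861
• Instruction Fuzzy Hash: 64F07FB5108355BFE700DB64CD85E6BB7B8FB84604F40CA5DF6AD96291D630DA088B52
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}

# "<name>.<module>(<args>), ref: <hex>"; the argument list is optional
# (the report prints "RegCloseKey.ADVAPI32 ref: 1000AF2B" without one).
API_RE = re.compile(
    r"^(?P<name>.+?)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")


def parse_blocks(text):
    """Return one dict per function block: apis, strings, meta (Similarity etc.)."""
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":            # every block opens with an APIs header
                cur = {"apis": [], "strings": [], "meta": {}}
                blocks.append(cur)
            section = line
            continue
        if cur is None or not line.startswith("•"):
            continue
        item = line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                args = m["args"].split(",") if m["args"] else []
                cur["apis"].append({"name": m["name"], "module": m["module"],
                                    "args": args, "ref": int(m["ref"], 16)})
        elif section == "Strings":
            value, sep, xrefs = item.rpartition(", xrefs: ")
            if sep:
                cur["strings"].append(
                    {"value": value,
                     "xrefs": [int(x, 16) for x in xrefs.split(", ")]})
        else:                             # Memory Dump Source / IDA Plugin / Similarity
            key, _, value = item.partition(": ")
            cur["meta"][key] = value
    return blocks


def tag_block(block):
    """Tag behaviours evidenced by a block (tag names are this example's own).
    API names come from the API lines and from the '$'-joined 'API ID' line,
    which is present even when the APIs section is empty (e.g. Sleep$puts)."""
    names = {a["name"] for a in block["apis"]}
    names |= set(block["meta"].get("API ID", "").split("$")) - {""}
    strings = [s["value"] for s in block["strings"]]
    tags = set()
    if "GetProcAddress" in names:
        tags.add("dynamic-api-resolution")
    if any(n.startswith("RegQueryValue") for n in names) and \
            any(s.upper().startswith("HARDWARE\\") for s in strings):
        tags.add("registry-hardware-query")
    if "Sleep" in names:
        tags.add("sleep")
    return tags


def summarize(text):
    """(call site of the first API, or API String ID if none; sorted tags) per block."""
    out = []
    for b in parse_blocks(text):
        loc = ("%08X" % b["apis"][0]["ref"]) if b["apis"] else b["meta"].get("API String ID", "?")
        out.append((loc, sorted(tag_block(b))))
    return out


if __name__ == "__main__":
    for loc, tags in summarize(SAMPLE):
        print(loc, ", ".join(tags) or "-")
```

Run against the whole function listing, the output is a per-call-site index that can be diffed against another sample's report; the API String ID (a hash over the API set and the string set) is the field to join on when the call sites differ but the function body is the same.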
APIs
• ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001,?,?,?,?,?,?,?,?,?,?,000000FF,10003D98), ref: 10003E02
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,000000FF,10003D98), ref: 10003E09
• ??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,000000FF,10003D98), ref: 10003E5F
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,000000FF,10003D98), ref: 10003E76
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: ??3@$D@2@@std@@D@std@@Tidy@?$basic_string@U?$char_traits@V?$allocator@
• String ID:
• API String ID: 3379573162-0
• Opcode ID: a9a045e1ff1b37c20f95f931173e243305f297aa4eeeb9b3887e3f5e38e3ea40
• Instruction ID: bd69bae32f17a933fd462f3409a95c60b9742e1bbad2fbb5ce561e209c51ce3f
• Opcode Fuzzy Hash: a9a045e1ff1b37c20f95f931173e243305f297aa4eeeb9b3887e3f5e38e3ea40
• Instruction Fuzzy Hash: AF3174B5600A429FC314DF19D880A46FBE4FF58710F40862DE55A8B792EB32F995CBD2
APIs
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,1000A358), ref: 1000A4EA
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,1000A358), ref: 1000A4FA
• CloseHandle.KERNEL32(?,?,?,?,1000A358), ref: 1000A551
• FreeLibrary.KERNEL32(00000000,?,?,?,1000A358), ref: 1000A55E
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: ??3@$CloseFreeHandleLibrary
• String ID:
• API String ID: 300116021-0
• Opcode ID: 278ec2db541abce9ddea777f2cdd17eb2b10b030d200d0a4dd65a5cef4c6da85
• Instruction ID: 7c27f5b679b66c363643525d88dc1037172dbe7b5c989d12b9ac13402a8ed591
• Opcode Fuzzy Hash: 278ec2db541abce9ddea777f2cdd17eb2b10b030d200d0a4dd65a5cef4c6da85
• Instruction Fuzzy Hash: 252151B5200700ABE630DFA5DC85F17B3ECAF84B80F128A19F64197290DAB4F845CB65
APIs
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: Sleep$puts
• String ID:
• API String ID: 3460495430-0
• Opcode ID: 1b6fa3a3f4867c02a42098529be14979870934e494b2d1e12c36ca52291137fa
• Instruction ID: e5391c887fde7239000a98e335800ee194278ac6ea9de39d4cb02804303f5b3d
• Opcode Fuzzy Hash: 1b6fa3a3f4867c02a42098529be14979870934e494b2d1e12c36ca52291137fa
• Instruction Fuzzy Hash: 0C218E72A043519BE300DF59CC84B0BB7E4FBC8B88F11492DF69997245DB70ED098BA2
APIs
• ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z.MSVCP60(?,?,?,?,00000000,?,10004B6B,?), ref: 10004EB4
• ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z.MSVCP60(?,?,00000000,?,10004B6B,?), ref: 10004EC5
• ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z.MSVCP60(?,?,00000000,?,10004B6B,?), ref: 10004ED6
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,10004B6B,?), ref: 10004EFF
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: D@2@@std@@D@std@@Refcnt@?$basic_string@U?$char_traits@V?$allocator@$??3@
• String ID:
• API String ID: 1648593004-0
• Opcode ID: 0040eb7e790be9e9c849203837c9d9f137b73d1bccc2403dbf19ee2486f41e0a
• Instruction ID: 40ba7abccb4cb6f5525327d54fc8258d6140bf183b0eabf7c547dc6eaf51982a
• Opcode Fuzzy Hash: 0040eb7e790be9e9c849203837c9d9f137b73d1bccc2403dbf19ee2486f41e0a
• Instruction Fuzzy Hash: B7218BB43006419FE704CF29D880927BBE5FF48690711856DE85ACB795EB70FC50CBA4
APIs
• GlobalAlloc.KERNEL32(00002000,?,?,?,?,?), ref: 1000803E
• GlobalLock.KERNEL32(00000000), ref: 1000804C
• GlobalUnlock.KERNEL32(00000000), ref: 10008069
• GlobalFree.KERNEL32(00000000), ref: 10008079
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000009.00000002.1842850633.0000000010000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842925144.0000000010014000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842955049.0000000010017000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1842986668.0000000010018000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843024421.0000000010019000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000009.00000002.1843055850.000000001001A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: Global$AllocFreeLockUnlock
• String ID:
• API String ID: 1984110005-0
• Opcode ID: 88cff10becca33bbac4b7c505bfaaf50eb5b147f7f8dc1221a1e9504ba2b2fe4
• Instruction ID: 35fe343b2c03e5177d087df03a44e87a5553036d42fedf90c8879d0d6c7ab910
• Opcode Fuzzy Hash: 88cff10becca33bbac4b7c505bfaaf50eb5b147f7f8dc1221a1e9504ba2b2fe4
• Instruction Fuzzy Hash: 3EF01D72200621DBF755ABB19CCCB6B7AACFB48652F458554FA46932A0CF70C909C761
APIs
• putchar.MSVCRT(00000030), ref: 10006411
  • Part of subcall function 10009C10: LoadLibraryA.KERNEL32 ref: 10009C9C
  • Part of subcall function 10009C10: GetProcAddress.KERNEL32(00000000), ref: 10009CA3
  • Part of subcall function 10009C10: _beginthreadex.MSVCRT ref: 10009CED
  • Part of subcall function 10009C10: WaitForSingleObject.KERNEL32(?,000000FF), ref: 10009CFF
  • Part of subcall function 10009C10: CloseHandle.KERNEL32(?), ref: 10009D0A
• CloseHandle.KERNEL32(00000000), ref: 10006430
• putchar.MSVCRT(00000030), ref: 10006438
• Sleep.KERNEL32(000001F4), ref: 10006442
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: CloseHandleputchar$AddressLibraryLoadObjectProcSingleSleepWait_beginthreadex
• String ID:
• API String ID: 1601960018-0
• Opcode ID: c277ea0be985af43b15d3be28882c9cc15d65268f9290a13b1aa90e2663d8a06
• Instruction ID: 4b7c79c7583eaa377e9a9709b4f5a273e8dabb34aa179b18352de8d8b3eb1ae1
• Opcode Fuzzy Hash: c277ea0be985af43b15d3be28882c9cc15d65268f9290a13b1aa90e2663d8a06
• Instruction Fuzzy Hash: 7FF0A775A803306FF320DBA09C96B963B94EF08B54F808026F705AB1E0D772A104C7D7
APIs
• putchar.MSVCRT(00000030), ref: 1000645C
  • Part of subcall function 10009C10: LoadLibraryA.KERNEL32 ref: 10009C9C
  • Part of subcall function 10009C10: GetProcAddress.KERNEL32(00000000), ref: 10009CA3
  • Part of subcall function 10009C10: _beginthreadex.MSVCRT ref: 10009CED
  • Part of subcall function 10009C10: WaitForSingleObject.KERNEL32(?,000000FF), ref: 10009CFF
  • Part of subcall function 10009C10: CloseHandle.KERNEL32(?), ref: 10009D0A
• CloseHandle.KERNEL32(00000000), ref: 10006478
• putchar.MSVCRT(00000030), ref: 10006480
• Sleep.KERNEL32(000001F4), ref: 1000648A
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: CloseHandleputchar$AddressLibraryLoadObjectProcSingleSleepWait_beginthreadex
• String ID:
• API String ID: 1601960018-0
• Opcode ID: e1d7339ec2508815e39a4f33c8fb9df8a04c761585a94ca1289624522a04d9a9
• Instruction ID: 84ae5b4d6269cdc511d1bbef7f5abcffad1db806561c4f7c238289fa0e18954c
• Opcode Fuzzy Hash: e1d7339ec2508815e39a4f33c8fb9df8a04c761585a94ca1289624522a04d9a9
• Instruction Fuzzy Hash: 9DE0C2367C031077F26073E26C4BF8B3A08EB88BA5F264020F748680E0D9B1B154C6B6
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: DeleteFileSleep
• String ID: `1Mw
• API String ID: 3161721237-3028120175
• Opcode ID: cb8d33bbff6237235d38251f774feabed4365937cc54afaf3e97f3cba224e4f3
• Instruction ID: 21d5b590318aea200e03cf81e9d99150e4b0ab3dd99156fdbdfdc18d548b31c3
• Opcode Fuzzy Hash: cb8d33bbff6237235d38251f774feabed4365937cc54afaf3e97f3cba224e4f3
• Instruction Fuzzy Hash: 1621876F30402012A495B21F7855FBFDB59EBF1EB2B02442BF286C5199CE945CDB82B9
APIs
  • Part of subcall function 10006A00: LoadLibraryA.KERNEL32 ref: 10006A95
  • Part of subcall function 10006A00: GetProcAddress.KERNEL32(00000000), ref: 10006A9C
• CreateDirectoryA.KERNEL32(10019BAC,00000000,?,?,?,00000050,00000000,10013258,000000FF,10005893,?), ref: 10006C47
• puts.MSVCRT ref: 10006C52
  • Part of subcall function 10006B90: WaitForSingleObject.KERNEL32(?,000000FF,10007CA0,?,?,?,?,?,10013300,000000FF), ref: 10006B96
  • Part of subcall function 10006B90: Sleep.KERNEL32(00000096,?,?,?,?,?,10013300,000000FF), ref: 10006BA1
  • Part of subcall function 10009C10: LoadLibraryA.KERNEL32 ref: 10009C9C
  • Part of subcall function 10009C10: GetProcAddress.KERNEL32(00000000), ref: 10009CA3
  • Part of subcall function 10009C10: _beginthreadex.MSVCRT ref: 10009CED
  • Part of subcall function 10009C10: WaitForSingleObject.KERNEL32(?,000000FF), ref: 10009CFF
  • Part of subcall function 10009C10: CloseHandle.KERNEL32(?), ref: 10009D0A
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: AddressLibraryLoadObjectProcSingleWait$CloseCreateDirectoryHandleSleep_beginthreadexputs
• String ID: \Plugin
• API String ID: 3582171539-639229884
• Opcode ID: 176e3543ef43105340a33cc701e2c8d088aa86f204ce64ba284733db60c7fe4a
• Instruction ID: 44e2fd127b71da9190e1dc01ddddab73ec900a513672d542f1ce06e77b499fc6
• Opcode Fuzzy Hash: 176e3543ef43105340a33cc701e2c8d088aa86f204ce64ba284733db60c7fe4a
• Instruction Fuzzy Hash: 57112470B046406BE714DB289C86F2B7AC9FB88720F54063CF21AEB2C1CBB9D8448215
APIs
• GetProcAddress.KERNEL32(00000000,BitBlt), ref: 10008D01
• Sleep.KERNEL32(00000005), ref: 10008D44
Strings
Memory Dump Source
• Source File: 00000009.00000002.1842884647.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd
Similarity
• API ID: AddressProcSleep
• String ID: BitBlt
• API String ID: 1175476452-1846796307
• Opcode ID: 289a08ee3922ae7d080c1aa7b9e36287cbbaa403d022526c64af2f22cdca61b0
• Instruction ID: c159d781e8173533e223bf22283bcc1a7896530a78b4c3c5d8a33ebb47bfb236
• Opcode Fuzzy Hash: 289a08ee3922ae7d080c1aa7b9e36287cbbaa403d022526c64af2f22cdca61b0
• Instruction Fuzzy Hash: 18F086722042156BE310CB55DC88F1BBBACFBD9791F11461EF68597294C671DC018771