Edit tour

Windows Analysis Report
capacart.dll

Overview

General Information

Sample name:	capacart.dll
Analysis ID:	1581364
MD5:	15d5da533da549efbcd0426bccdedf15
SHA1:	3345bd1993f144a1eed6709e9a94abc9b570a592
SHA256:	9060cde4a7fcb1296912f65d5a30e14e02f6d51c42325b02787b0808dd08507c
Tags:	dlluser-windshock
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Contains functionality to detect virtual machines (IN, VMware)

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found decision node followed by non-executed suspicious APIs

Found large amount of non-executed APIs

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4832 cmdline: loaddll32.exe "C:\Users\user\Desktop\capacart.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 6980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6308 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\capacart.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 3620 cmdline: rundll32.exe "C:\Users\user\Desktop\capacart.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3208 cmdline: rundll32.exe C:\Users\user\Desktop\capacart.dll,ServiceMain MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 5876 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 616 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 1892 cmdline: rundll32.exe "C:\Users\user\Desktop\capacart.dll",ServiceMain MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7176 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 620 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Joe Sandbox Signatures

• AV Detection
• Compliance
• Spreading
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: capacart.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: capacart.dll	ReversingLabs: Detection: 50%
Source: capacart.dll	Virustotal: Detection: 60%			Perma Link

Machine Learning detection for sample

Source: capacart.dll

Joe Sandbox ML: detected

Source: capacart.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_100020F0 wcscat,FindFirstFileW,wcscmp,wcscmp,wcscpy,wcscpy,FileTimeToLocalFileTime,FileTimeToSystemTime,wsprintfW,??2@YAPAXI@Z,send,??3@YAXPAX@Z,FindNextFileW,WSAGetLastError,??2@YAPAXI@Z,send,??3@YAXPAX@Z,FindClose,??2@YAPAXI@Z,send,WSAGetLastError,

3_2_100020F0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10003F90 ??2@YAPAXI@Z,??2@YAPAXI@Z,recv,??3@YAXPAX@Z,fwrite,WSAGetLastError,

3_2_10003F90

Source: Amcache.hve.8.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10002D40 OpenSCManagerW,OpenServiceW,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

3_2_10002D40

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10001DD0

3_2_10001DD0

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 616

Source: capacart.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: mal64.evad.winDLL@12/9@0/0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6980:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3208
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1892

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\36b651d7-aef8-4631-be48-a88c89a15cca

Jump to behavior

Source: capacart.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\capacart.dll,ServiceMain

Source: capacart.dll	ReversingLabs: Detection: 50%
Source: capacart.dll	Virustotal: Detection: 60%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\capacart.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\capacart.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\capacart.dll,ServiceMain
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\capacart.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 616
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\capacart.dll",ServiceMain
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 620
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\capacart.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\capacart.dll,ServiceMain	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\capacart.dll",ServiceMain	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\capacart.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10001BB0 LoadLibraryW,GetProcAddress,GetSystemDirectoryW,wcscat,GetStartupInfoW,CreateProcessW,CreateThread,

3_2_10001BB0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10004360 push eax; ret

3_2_1000438E

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect virtual machines (IN, VMware)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10001330 in eax, dx

3_2_10001330

Source: C:\Windows\SysWOW64\rundll32.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_3-769

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 0.9 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_100020F0

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10001BB0 LoadLibraryW,GetProcAddress,GetSystemDirectoryW,wcscat,GetStartupInfoW,CreateProcessW,CreateThread,

3_2_10001BB0

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\capacart.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10001210 GetVersionExW,

3_2_10001210

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Service Execution	1 Windows Service	1 Windows Service	111 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	11 Process Injection	LSASS Memory	111 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Rundll32	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
capacart.dll	50%	ReversingLabs	Win32.Backdoor.Cartcapa
capacart.dll	61%	Virustotal		Browse
capacart.dll	100%	Avira	HEUR/AGEN.1322862
capacart.dll	100%	Joe Sandbox ML

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.8.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581364
Start date and time:	2024-12-27 14:09:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	capacart.dll
Detection:	MAL
Classification:	mal64.evad.winDLL@12/9@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 30
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 20.190.177.22, 13.107.246.63, 20.109.210.53
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
08:10:08	API Interceptor	1x Sleep call for process: loaddll32.exe modified
08:10:37	API Interceptor	2x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_eed257f8ca9568734a5676b04c69adc7f1e5eb8_7522e4b5_07470c55-aa7f-4b4f-ae3a-2efece447047\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8498150615134252
Encrypted:	false
SSDEEP:	96:jlFwq6iZFhVyPsj94s2Ggf/QXIDcQvc6QcEVcw3cE/O/a/z+HbHg/BQAS/YyNl4Q:5+iZFOPO0BU/wjeT1zuiFRZ24IO8dci
MD5:	6038FD6C813898D937FE281B3458BF8B
SHA1:	4832E4484F763EBFC631CB0B39D15CDB36EDA73A
SHA-256:	4BB8DF71295E08AA68EDC7ECAB74D1D73CE32228D0106E0FF606AD314A986C5F
SHA-512:	379434065132F248E5DC372F41606F727920E5BEF0AF1B82F87A1FA28288E55CA3A715277A660EC82E45CF82AF9C43A34E1632406F9E657ABAA17571457BF3F0
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.7.7.8.6.0.6.4.1.2.2.7.4.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.7.7.8.6.0.6.8.0.2.9.0.3.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.7.4.7.0.c.5.5.-.a.a.7.f.-.4.b.4.f.-.a.e.3.a.-.2.e.f.e.c.e.4.4.7.0.4.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.4.f.a.a.0.5.4.-.8.b.c.e.-.4.7.3.a.-.a.b.a.d.-.b.a.9.5.d.c.4.4.0.f.3.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.8.8.-.0.0.0.1.-.0.0.1.4.-.e.2.b.3.-.b.7.a.5.6.0.5.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_eed257f8ca9568734a5676b04c69adc7f1e5eb8_7522e4b5_9abcc6a2-0bbe-4fe0-8854-f9997e47819d\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8500956816719805
Encrypted:	false
SSDEEP:	96:DfJFZh6i9uhVyvsj94s2Ggf/QXIDcQvc6QcEVcw3cE/O/a/z+HbHg/BQAS/YyNlt:tEicOvO0BU/wjeT1zuiFRZ24IO8dci
MD5:	2D0DEF7846453C434D11884A1D5C95F7
SHA1:	1FB5FE5AB0B2AD767330DF7E3F3ADD62D7D1E42D
SHA-256:	7934456023B80A11774E79606DC52D92E1A710D6578AFBB240B5E7F2F66C85C2
SHA-512:	E376DFFDA21783F766C4E7B2594F647953F1B8F94A2D85A20173F5BFF115326F50CD3B81F3371D94D3F0551945D57109261186819849CA4413FE0C4B20D7DAC3
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.7.7.8.6.0.9.0.6.1.4.1.2.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.7.7.8.6.0.9.5.6.1.4.0.6.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.a.b.c.c.6.a.2.-.0.b.b.e.-.4.f.e.0.-.8.8.5.4.-.f.9.9.9.7.e.4.7.8.1.9.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.c.0.c.7.9.e.2.-.4.8.d.9.-.4.e.7.5.-.8.e.f.9.-.e.2.2.7.d.8.4.1.8.7.e.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.6.4.-.0.0.0.1.-.0.0.1.4.-.c.6.7.d.-.8.6.a.7.6.0.5.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER11F4.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Dec 27 13:10:09 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	43120
Entropy (8bit):	1.9974758484848911
Encrypted:	false
SSDEEP:	192:lk5Xoj+ys4XO5H4J0DqdhsaJIPTlSFFTVABe:u5Xy+nV5H20jLTlOry
MD5:	505485F9E69C9F8A9B63AF6685AA1257
SHA1:	5BBABE914FAC104E66889B959F2366D20F157618
SHA-256:	245E1263443D180BF203DAFAA319120AEB6FBCAA63D49B2F6A1523BFA2940742
SHA-512:	BA960F544697EA1D2F8B56ED2E68E1D1DB7CFA33E60B86A8B5A946FB84A1B3D13618ED0DE8FFFF2E553EC53AE764CE9FE77A713BBC623C2E69AD6DBFFCCEC6DC
Malicious:	false
Preview:	MDMP..a..... .......1.ng........................4...............l(..........T.......8...........T......................................................................................................................eJ......T.......GenuineIntel............T.......d...0.ng.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1291.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8250
Entropy (8bit):	3.691298232785875
Encrypted:	false
SSDEEP:	192:R6l7wVeJ/d6Mel6YXJ6cgmfT+qprP89bCpsfl2m:R6lXJ16M06Y56cgmfT+vCCfd
MD5:	33FA4BEB686054573E641B3DB294BFB2
SHA1:	2ACFE0FAD4211FE986C14DB3233B2DFBA1DF98A1
SHA-256:	C67C90AE6AB66F3EE50BE6D69C00631F98B0CBF9CF1AA2F943C2875E7C006229
SHA-512:	3435973771948EA89353433D095C6C7668CCB46798AFAAFA9F0503AF72AEB314823A590AFBC257B5805CE8A4E0F2F0955C85B8B57A0163CD89B9498C2A83C53E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.8.9.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER12FF.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4654
Entropy (8bit):	4.461362380281748
Encrypted:	false
SSDEEP:	48:cvIwWl8zs0Jg77aI9B+WpW8VYCYm8M4JCdPVFgy+q8/AfGScSid:uIjfyI7D/7VyJHyXJ3id
MD5:	2674401C9A6E94F499FC111BAEB9CA46
SHA1:	666EADC14F245490DD4447F0B36CE53F05677DF0
SHA-256:	15B3DD68EB16A9DCD6299A1EAEA1FD97290D69B5B56120C7086D38F9FE4F352C
SHA-512:	B3F44FEDE5A0C6CCE691C61172BBDC208F24CA2B4BC5AD33EA071D6959954AA2BCC7B91A2346F1D90DDECA88C65475B8E61A5B4FB6C9E611217DC334D8CBD7B6
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="649692" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER784.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Dec 27 13:10:06 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	41244
Entropy (8bit):	2.075639322460395
Encrypted:	false
SSDEEP:	192:ykQXrxUvIGpoXO5H4o5HDcZQ3huDl/MBA31TaRhfw5:XQX9MVpo+5H4ZQylkBA3Qw5
MD5:	7A3606A6D05D3C501FB59E5E743D82E4
SHA1:	F94800D3EB8CBB0FAC9C1AF8BA2828F8A1076A01
SHA-256:	ABC217E23E900BD33EFC23CD416BDD87684005822590A15C516EBFC539DCA50E
SHA-512:	9480359C1A4E2C109C7D828405D11D1569A07FEF0463F6FB38FCF3031F312B7DD14827E757A30C2A40FCBAF85A695FDABEEF81FE28E024714AC058C3A29C5105
Malicious:	false
Preview:	MDMP..a..... .........ng........................4...............l(..........T.......8...........T.......................................................................................................................eJ......T.......GenuineIntel............T...........-.ng.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER811.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8260
Entropy (8bit):	3.689606901853278
Encrypted:	false
SSDEEP:	192:R6l7wVeJE66MF6YPG67uPgmfT+qpr089b1dsfZHm:R6lXJx6MF6YO6yPgmfT+O1WfU
MD5:	3158D6D6E51AFD2754389AA9AB70A2DB
SHA1:	0333E615374E29D7733068725317BB575DFC6651
SHA-256:	D6A07A68942636970D7F53E7D12BF2434649ADC1AD685CBF7AAD62D6FA596A37
SHA-512:	C95A9E10EC895A1FC5309407D694BAC405DBD0B0843763C4C179766EE7B99094B6E7D8E02B0E06A3779F6902B87C9CFA27DB390A3C3A12EED48B945D30DB19DC
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.2.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER841.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4654
Entropy (8bit):	4.460102574849555
Encrypted:	false
SSDEEP:	48:cvIwWl8zs0Jg77aI9B+WpW8VYpPYm8M4JCdPVFp+q8/AVMPGScSld:uIjfyI7D/7V1J26PJ3ld
MD5:	FD47DB3A4EDD3C11D35906EBAD759BE1
SHA1:	A49576F7DACC6AE533C64FD476E9D2598EBB2B10
SHA-256:	85A23F9567AC7361D32A0C9E807CE122A8D8D10A0A32CD94FE38AEB8A9A0D007
SHA-512:	64549FF5626D0370EE6D87F849832A8CBF49D04E08AEF46D331D8B6F4C31465C233E21C8E05E9377E6D8F4D60E1B9DDED0D9BD4D6C8CD48576FA663219FEE063
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="649692" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.422289553970632
Encrypted:	false
SSDEEP:	6144:BSvfpi6ceLP/9skLmb0OTyWSPHaJG8nAgeMZMMhA2fX4WABlEnNP0uhiTw:YvloTyW+EZMM6DFyl03w
MD5:	FCE2DEE51713C41547D7607B75374AE6
SHA1:	4D2999878B732AF62B014AAE86BD474B60AA5EE8
SHA-256:	11281DDE116215CB6B9DB941E9657F973E7E8E7EAF806C3E4DF27F85500554A4
SHA-512:	45539C3547935468D9EB6C988C03635E8E70BE3ECC15051E403D859098B85665F85FFB8DCDF772C7F0041009E7C6C9341578FBD03D53CD426299692982ED20D0
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....`X..............................................................................................................................................................................................................................................................................................................................................x...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.927697535259842
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	capacart.dll
File size:	19'968 bytes
MD5:	15d5da533da549efbcd0426bccdedf15
SHA1:	3345bd1993f144a1eed6709e9a94abc9b570a592
SHA256:	9060cde4a7fcb1296912f65d5a30e14e02f6d51c42325b02787b0808dd08507c
SHA512:	1c5e892a09ef432647b0f2c547e90282d6efa558ded74cec5f1151c0354ebbd492dbef54cc054d763fe8975d7642e33a325144746caf428573a13d8a3a265e3d
SSDEEP:	384:NpYtUX02EnhJX0aBXV0Fzo33XXESgr1ChqOPRfex0o0F8PCoyV1E7x:NpbEDFV+E33HEN1ChqR10GP2
TLSH:	F492E940964801FAE90A1B7130BBEF378B3D1B625A216A97DF53DEF53823261E51970B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........b..f...f...f...z...f..uy...f..^iQ..f...f...f...y...f..uy...f..uy...f..Rich.f..........................PE..L....L.T...........

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10004483
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x54864CE8 [Tue Dec 9 01:14:16 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	945811f85b5dceddf82b1a675f2faf92

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F42144F326Bh
cmp dword ptr [10006738h], 00000000h
jmp 00007F42144F3288h
cmp esi, 01h
je 00007F42144F3267h
cmp esi, 02h
jne 00007F42144F3284h
mov eax, dword ptr [10006748h]
test eax, eax
je 00007F42144F326Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F42144F326Eh
push edi
push esi
push ebx
call 00007F42144F317Ah
test eax, eax
jne 00007F42144F3266h
xor eax, eax
jmp 00007F42144F32B0h
push edi
push esi
push ebx
call 00007F42144F2902h
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F42144F326Eh
test eax, eax
jne 00007F42144F3299h
push edi
push eax
push ebx
call 00007F42144F3156h
test esi, esi
je 00007F42144F3267h
cmp esi, 03h
jne 00007F42144F3288h
push edi
push esi
push ebx
call 00007F42144F3145h
test eax, eax
jne 00007F42144F3265h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F42144F3273h
mov eax, dword ptr [10006748h]
test eax, eax
je 00007F42144F326Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [100050C8h]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
lea ecx, dword ptr [ebp-000004D0h]
jmp 00007F42144F28AAh
mov eax, 10005190h
jmp 00007F42144F30B6h
int3
int3
int3
int3
int3

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x5930	0x4b	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5230	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7000	0x3f4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5000	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x35a8	0x3600	3c6799df96d12e0196974710fc42ff10	False	0.5099826388888888	data	6.073895380542516	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x5000	0x97b	0xa00	4a58e8d220c5fb8a797f6669967e2f26	False	0.460546875	data	4.754723320043876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6000	0x74c	0x400	22c455f736f68d87b578e18d8f662984	False	0.3955078125	Matlab v4 mat-file (little endian) zhi, numeric, rows 0, columns 0	3.1679494707879146	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x7000	0x4a4	0x600	a696b314f94555ad1896553c19c2613f	False	0.607421875	data	5.127285207852784	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	Process32NextW, OpenProcess, Process32FirstW, GetProcAddress, LoadLibraryW, TerminateProcess, ReadFile, CreateProcessW, GetStartupInfoW, GetSystemDirectoryW, WriteFile, WideCharToMultiByte, TerminateThread, GetExitCodeProcess, CloseHandle, FindClose, FindNextFileW, FileTimeToSystemTime, FileTimeToLocalFileTime, FindFirstFileW, DeleteFileW, GetFileAttributesW, SetEvent, ResetEvent, GetOEMCP, GetLastError, CreateMutexW, FreeConsole, Sleep, MultiByteToWideChar, GlobalMemoryStatus, GetVersionExW, CreateEventW, CreateThread, WaitForSingleObject, GetTickCount, GetDriveTypeW
USER32.dll	wsprintfW
ADVAPI32.dll	OpenSCManagerW, OpenServiceW, DeleteService, CloseServiceHandle, RegOpenKeyExW, RegQueryValueExW, RegisterServiceCtrlHandlerW, SetServiceStatus
SHELL32.dll	SHFileOperationW, ShellExecuteW
WS2_32.dll	select, __WSAFDIsSet, recv, connect, gethostbyname, inet_ntoa, send, WSAGetLastError, closesocket, htons, socket, WSAStartup, gethostname
PSAPI.DLL	GetModuleFileNameExW
MSVCRT.dll	sprintf, _adjust_fdiv, malloc, _initterm, free, fread, fseek, fwrite, fopen, wcsncpy, strncmp, strstr, exit, fclose, wcstombs, __CxxFrameHandler, wcscmp, wcslen, wcscat, ??3@YAXPAX@Z, ??2@YAPAXI@Z, _except_handler3, atoi, wcscpy, mbstowcs, _wtoi

Exports

Name	Ordinal	Address
ServiceMain	1	0x10003ab0

• loaddll32.exe
• conhost.exe
• cmd.exe
• rundll32.exe
• rundll32.exe
• WerFault.exe
• rundll32.exe
• WerFault.exe

Click to jump to process

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• loaddll32.exe
• conhost.exe
• cmd.exe
• rundll32.exe
• rundll32.exe
• WerFault.exe
• rundll32.exe
• WerFault.exe

Click to jump to process

Target ID:	0
Start time:	08:10:05
Start date:	27/12/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\capacart.dll"
Imagebase:	0x620000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:10:05
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:10:05
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\capacart.dll",#1
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:10:05
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\capacart.dll,ServiceMain
Imagebase:	0xa70000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:10:05
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\capacart.dll",#1
Imagebase:	0xa70000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:10:06
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 616
Imagebase:	0xe90000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:10:08
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\capacart.dll",ServiceMain
Imagebase:	0xa70000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:10:08
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 620
Imagebase:	0xe90000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.6%
Total number of Nodes:	478
Total number of Limit Nodes:	1

Callgraph

Hide Legend

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 10003AB0 Relevance: 9.1, APIs: 6, Instructions: 60
sleepregistrythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcsncpy.MSVCRT ref: 10003AC9
wcslen.MSVCRT ref: 10003AD3
RegisterServiceCtrlHandlerW.ADVAPI32(?,10003A10), ref: 10003B00
FreeConsole.KERNEL32 ref: 10003B0F

Part of subcall function 100039B0: SetServiceStatus.ADVAPI32 ref: 100039FB

CreateThread.KERNEL32(00000000,00000000,10003430,00000000,00000000,00000000), ref: 10003B3D
Sleep.KERNEL32(000003E8), ref: 10003B4E

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Service$ConsoleCreateCtrlFreeHandlerRegisterSleepStatusThreadwcslenwcsncpy
String ID:
API String ID: 2099132145-0
Opcode ID: 41c4d84f45bf79cb7adf8b392f819c452b916b46cfce9452d8cf03726bdc9df8
Instruction ID: 6aa1f97fdc80c0aa29635ff4dd13de3f845775d6b9d7f6e4113fde72151d068c
Opcode Fuzzy Hash: 41c4d84f45bf79cb7adf8b392f819c452b916b46cfce9452d8cf03726bdc9df8
Instruction Fuzzy Hash: 1E11A5357403106BF711DB64CC87F5F7799EB84B81F508418F709EB2CADBA1B5488696

Non-executed Functions

Function 100020F0 Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 244
networkfiletimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcscat.MSVCRT ref: 10002109
FindFirstFileW.KERNEL32(?,?,00000000), ref: 1000211A
wcscmp.MSVCRT ref: 1000213C
wcscmp.MSVCRT ref: 10002159
wcscpy.MSVCRT ref: 1000218D
wcscpy.MSVCRT ref: 100021D7
FileTimeToLocalFileTime.KERNEL32(?,?,?,?), ref: 10002208
FileTimeToSystemTime.KERNEL32(?,?), ref: 10002218
wsprintfW.USER32 ref: 10002268
??2@YAPAXI@Z.MSVCRT(00000410), ref: 100022E7
send.WS2_32(00000000,00000104,00000410,00000000), ref: 10002310
??3@YAXPAX@Z.MSVCRT(00000000), ref: 10002323
FindNextFileW.KERNEL32(00000000,?), ref: 1000233C
WSAGetLastError.WS2_32 ref: 1000234B
??2@YAPAXI@Z.MSVCRT(00000410), ref: 100023B4
send.WS2_32(00000000,00000104,00000410,00000000), ref: 100023DD
??3@YAXPAX@Z.MSVCRT(00000000,?,00000410,00000000), ref: 100023F4
FindClose.KERNEL32(?,?,00000410,00000000), ref: 10002401
??2@YAPAXI@Z.MSVCRT(00000410), ref: 1000243C
send.WS2_32(00000000,?,00000410,00000000), ref: 10002465
WSAGetLastError.WS2_32(?,00000410,00000000), ref: 1000247C

Strings

%d-%d-%d %d:%d:%d, xrefs: 10002262
\*.*, xrefs: 10002101

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: File$Time$??2@Findsend$??3@ErrorLastwcscmpwcscpy$CloseFirstLocalNextSystemwcscatwsprintf
String ID: %d-%d-%d %d:%d:%d$\*.*
API String ID: 1477265053-3143167761
Opcode ID: 5b399aa4c510fb7db8cbdc862ee54e55cb9948b4e2aa86c191648d9733bbf2a5
Instruction ID: 1cb797ff643dc629983326aeed5f019ae3b53c4bf10aabbc1d3b7c0b44eb2bb5
Opcode Fuzzy Hash: 5b399aa4c510fb7db8cbdc862ee54e55cb9948b4e2aa86c191648d9733bbf2a5
Instruction Fuzzy Hash: BF9192B15087559BE720CF20CC84B9B73E5FFC8384F014A2CFA4997255DB79AA45CB92

Function 10001DD0 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 243
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfW.USER32 ref: 10001EA5
wcscat.MSVCRT ref: 10001EB1
GetDriveTypeW.KERNEL32(?), ref: 10001EBE
wcscmp.MSVCRT ref: 10001EDE
wcscmp.MSVCRT ref: 10001EF4
wcscpy.MSVCRT ref: 10001F24
??2@YAPAXI@Z.MSVCRT(00000000), ref: 10001F8B
??2@YAPAXI@Z.MSVCRT(00000410), ref: 10002063
send.WS2_32(00000000,00000000,00000410,00000000), ref: 1000208C
??3@YAXPAX@Z.MSVCRT(00000000), ref: 1000209F
??3@YAXPAX@Z.MSVCRT(?), ref: 100020AC
??3@YAXPAX@Z.MSVCRT(?,?), ref: 100020B6
WSAGetLastError.WS2_32 ref: 100020DC

Strings

A:\, xrefs: 10001E3A
B:\, xrefs: 10001E6F

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ??3@$??2@wcscmp$DriveErrorLastTypesendwcscatwcscpywsprintf
String ID: A:\$B:\
API String ID: 2310596656-1009255891
Opcode ID: 81019f50537fe5f6a27677a7089774dd1cdac0f59ba000b1f588a5eba51430cc
Instruction ID: f09f52fd22e86e73c91f1a35240c03eeb1886fc88f7823dc4d964afc5cad5309
Opcode Fuzzy Hash: 81019f50537fe5f6a27677a7089774dd1cdac0f59ba000b1f588a5eba51430cc
Instruction Fuzzy Hash: 6581B2716043468BE718DB24CC50BABB7E6FBC8384F054A2DF98597355EB75AA04C782

Function 10001BB0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 85
libraryprocessloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(Kernel32.dll,CreatePipe,?), ref: 10001BC2
GetProcAddress.KERNEL32(00000000), ref: 10001BC9
GetSystemDirectoryW.KERNEL32(00000000,00000100), ref: 10001C2F
wcscat.MSVCRT ref: 10001C3F
GetStartupInfoW.KERNEL32(?,00000000), ref: 10001C73
CreateProcessW.KERNEL32 ref: 10001CC3
CreateThread.KERNEL32(00000000,00000000,10001A30,00000000,00000000,00000000), ref: 10001CE2

Strings

CreatePipe, xrefs: 10001BB8
Kernel32.dll, xrefs: 10001BBD
\cmd.exe, xrefs: 10001C39
D, xrefs: 10001CA4

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Create$AddressDirectoryInfoLibraryLoadProcProcessStartupSystemThreadwcscat
String ID: CreatePipe$D$Kernel32.dll$\cmd.exe
API String ID: 4211703381-4005030481
Opcode ID: 4ba9e3705484fac20227168cc6c42bc61e6528e44f360de262ce13e398df4675
Instruction ID: 977645c93628cfe42ae8c11df0c6efa66cb6ef2cdd3aa39efd3e59097fc21fae
Opcode Fuzzy Hash: 4ba9e3705484fac20227168cc6c42bc61e6528e44f360de262ce13e398df4675
Instruction Fuzzy Hash: 84315E71548310AEF710CF54CC89B8B7BE5EB8C784F20481DF3559A2A8D7B5A148CF9A

Function 10003F90 Relevance: 9.1, APIs: 6, Instructions: 126networkfileCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000400,?,?), ref: 10003FBC
??2@YAPAXI@Z.MSVCRT(00000410), ref: 10004014
recv.WS2_32(?,00000000,00000410,00000000), ref: 10004028
??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000410,00000000), ref: 1000404C
fwrite.MSVCRT ref: 1000407C
WSAGetLastError.WS2_32(?,00000000,00000410,00000000), ref: 100040C1

Part of subcall function 10003F70: fclose.MSVCRT ref: 10003F7B

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ??2@$??3@ErrorLastfclosefwriterecv
String ID:
API String ID: 1190228266-0
Opcode ID: fb8e23e91456c18ce9e124ef80a1fdcdd7395fd16c058db91a6e9a4783862ac4
Instruction ID: a469010b371657938a835d1a49e02ba920d2b755804c3035d04ac2f5b7775b76
Opcode Fuzzy Hash: fb8e23e91456c18ce9e124ef80a1fdcdd7395fd16c058db91a6e9a4783862ac4
Instruction Fuzzy Hash: AB41B2B2A083428BE310CF14D88065FB3E5FFC4390F02093DFA85A7645DB75E9498B9A

Function 10002D40 Relevance: 7.5, APIs: 5, Instructions: 29serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 10002D4B
OpenServiceW.ADVAPI32(00000000,100064C0,00010000), ref: 10002D62
DeleteService.ADVAPI32(00000000), ref: 10002D6F
CloseServiceHandle.ADVAPI32(00000000), ref: 10002D80
CloseServiceHandle.ADVAPI32(00000000), ref: 10002D83

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Service$CloseHandleOpen$DeleteManager
String ID:
API String ID: 204194956-0
Opcode ID: e9f920ea6b0ac93f1da8a78629853bc3d8b9e1790e0e2dc86ee7852bc6bd51bc
Instruction ID: d4aa38b7b11c0e10988c49f5aa9b6fc21c6d9120cca4db4f7cfee64cdb8f1bd3
Opcode Fuzzy Hash: e9f920ea6b0ac93f1da8a78629853bc3d8b9e1790e0e2dc86ee7852bc6bd51bc
Instruction Fuzzy Hash: 41E04F3160163266F36257256C4CF6F3AA8EFC9FE3F520216FA04E629CEF519C0185E4

Function 10001330 Relevance: 2.5, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

hXMV, xrefs: 10001364
hXMV, xrefs: 10001379

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: hXMV$hXMV
API String ID: 0-400149659
Opcode ID: 9c1469fbd90d131cb05a814f9d29cef5578740e930c1fed6c4241e09c5ca588a
Instruction ID: 25e08977c553acebb425d342dc9919dad31361978b2bc62c39eb56c56b6c8ebf
Opcode Fuzzy Hash: 9c1469fbd90d131cb05a814f9d29cef5578740e930c1fed6c4241e09c5ca588a
Instruction Fuzzy Hash: 82F0C272E0868AABE714CB49DC91BAFFBB8E745B20F704229F524576C1C73A19018B90

Function 10001210 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(00000000), ref: 10001223

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 895c9c88edb24a52fb75ff49a360d76f78ac4b567bf5cc530db337261d7cc269
Instruction ID: 6c16c8dde2de0de552518a4f45345c70c84d4ac1e2a93fee1a70dada651428e6
Opcode Fuzzy Hash: 895c9c88edb24a52fb75ff49a360d76f78ac4b567bf5cc530db337261d7cc269
Instruction Fuzzy Hash: 6EE07E781483459FD329DF14D085ADABBE1BFCD310F408958E88883354D739A855CE82

Function 10003430 Relevance: 98.4, APIs: 51, Strings: 5, Instructions: 411
networksleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32(00000000,00000001,111), ref: 10003443
GetLastError.KERNEL32 ref: 10003449
Sleep.KERNEL32(00000BB8), ref: 1000346A
GetOEMCP.KERNEL32(00000BB8), ref: 10003470
WSAStartup.WS2_32(00000202,?), ref: 10003488
socket.WS2_32(00000002,00000001,00000000), ref: 10003497
htons.WS2_32(000001BB), ref: 100034B7
gethostbyname.WS2_32(mircroupdata.dynamic-dns.net), ref: 100034C3
htons.WS2_32(000001BB), ref: 100034F9
gethostbyname.WS2_32(mircroupdata.dynamic-dns.net), ref: 10003505
closesocket.WS2_32(00000000), ref: 10003538
connect.WS2_32(00000000,?,00000010), ref: 1000355C

Strings

connect_ok, xrefs: 1000385F
111, xrefs: 1000343A
password, xrefs: 100036BE
mircroupdata.dynamic-dns.net, xrefs: 100034B9, 10003567
mircroupdata.dynamic-dns.net, xrefs: 100034FB, 1000367D

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: gethostbynamehtons$CreateErrorLastMutexSleepStartupclosesocketconnectsocket
String ID: 111$connect_ok$mircroupdata.dynamic-dns.net$mircroupdata.dynamic-dns.net$password
API String ID: 766072800-4198190782
Opcode ID: 297c83c01b996efc3e2887c630c78d32944365f44d252ed87a3ec685554ee870
Instruction ID: ebcbd91c580d4eb3c0e248b8f3a0af665f01bbd164a34ceb2893d659881f15f7
Opcode Fuzzy Hash: 297c83c01b996efc3e2887c630c78d32944365f44d252ed87a3ec685554ee870
Instruction Fuzzy Hash: 89E1D271504320ABF710DF64CC85BAB77EAFB88785F10851DF905972A8EB75E904CB92

Function 100016E0 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 173
networklibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(Kernel32.dll,CreateToolhelp32Snapshot,?,?,00000000,00000000), ref: 100016F4
GetProcAddress.KERNEL32(00000000), ref: 100016FB
Process32FirstW.KERNEL32(00000000,?), ref: 10001732
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 1000176F
GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000104), ref: 10001785
wcscpy.MSVCRT ref: 100017B2
wcscpy.MSVCRT ref: 100017C4
??2@YAPAXI@Z.MSVCRT(00000410), ref: 10001809
send.WS2_32(00000000,00000000,00000410,00000000), ref: 10001832
??3@YAXPAX@Z.MSVCRT(00000000,?,?,00000000,00000000), ref: 10001849
Process32NextW.KERNEL32(?,?), ref: 10001867
wsprintfW.USER32 ref: 100018A5
wcscpy.MSVCRT ref: 100018B5
??2@YAPAXI@Z.MSVCRT(00000410), ref: 100018EE
send.WS2_32(00000000,00000104,00000410,00000000), ref: 10001917
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 1000192A
CloseHandle.KERNEL32(00000000), ref: 10001937
WSAGetLastError.WS2_32(?,?,00000000,00000000), ref: 10001948

Strings

Kernel32.dll, xrefs: 100016EF
CreateToolhelp32Snapshot, xrefs: 100016EA
LOOK PRO FINISH (total %d), xrefs: 10001898

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: wcscpy$??2@??3@Process32send$AddressCloseErrorFileFirstHandleLastLibraryLoadModuleNameNextOpenProcProcesswsprintf
String ID: CreateToolhelp32Snapshot$Kernel32.dll$LOOK PRO FINISH (total %d)
API String ID: 1465932988-42666897
Opcode ID: ba017d89b7384dbf8beae6dbc92bbd62b8fa4331ee3d7cd1a14d2058b056d1af
Instruction ID: 0a9712c74a3d14d32fc507253284868a3c75b8de6885b334269839cc9f8ffd83
Opcode Fuzzy Hash: ba017d89b7384dbf8beae6dbc92bbd62b8fa4331ee3d7cd1a14d2058b056d1af
Instruction Fuzzy Hash: CC51C3B15047559BF720DF24CC84BEF77E9FBC8380F010928FA4997295DB74AA058B92

Function 10002D90 Relevance: 33.3, APIs: 22, Instructions: 272
threadnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 10002DBC
TerminateProcess.KERNEL32(00000000,00000000), ref: 10002EE8
CloseHandle.KERNEL32(00000000), ref: 10002EFA
TerminateThread.KERNEL32(00000000,00000000), ref: 10002F1E
CloseHandle.KERNEL32(00000000), ref: 10002F2A
??2@YAPAXI@Z.MSVCRT(0000041C), ref: 10002F7D
wcscpy.MSVCRT ref: 10002FA6
CreateThread.KERNEL32(00000000,00000000,100026B0,00000000,00000000,00000000), ref: 10002FC9
??2@YAPAXI@Z.MSVCRT(0000041C), ref: 10002FE8
wcscpy.MSVCRT ref: 10003011
CreateThread.KERNEL32(00000000,00000000,10002800,00000000,00000000,00000000), ref: 10003034
??2@YAPAXI@Z.MSVCRT(0000041C), ref: 10003053
wcscpy.MSVCRT ref: 1000307C
CreateThread.KERNEL32(00000000,00000000,10002950,00000000,00000000,00000000), ref: 10003092
CloseHandle.KERNEL32(00000000), ref: 1000309E
TerminateThread.KERNEL32(00000000,00000000,00000000), ref: 100030BD
CloseHandle.KERNEL32(00000000), ref: 100030CA
fclose.MSVCRT ref: 100030D6
??2@YAPAXI@Z.MSVCRT ref: 100030F8
send.WS2_32(00000000,?,00000410,00000000), ref: 1000311E
??3@YAXPAX@Z.MSVCRT(00000000,?,00000410,00000000,00000410,00000000), ref: 10003131

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Thread$??2@CloseHandle$CreateTerminatewcscpy$??3@CountProcessTickfclosesend
String ID:
API String ID: 1819345987-0
Opcode ID: c3011058f0fe82002eac28cb9b040a563d2c80b97a7de21589a28dfa99763b7f
Instruction ID: 1c1eeca6c7e678e84d2552db9eafc9bc94aac18e0cc6718ed3338d9b968628f1
Opcode Fuzzy Hash: c3011058f0fe82002eac28cb9b040a563d2c80b97a7de21589a28dfa99763b7f
Instruction Fuzzy Hash: C6913BF56043109BF720DB28ECC1BDB77E4EB88395F14403AFA4887385D67AB4458BA5

Function 10001480 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 186
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

gethostname.WS2_32(00000000,00000032), ref: 100014A4
gethostbyname.WS2_32(00000000), ref: 100014B3
inet_ntoa.WS2_32 ref: 100014C5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000032), ref: 10001513
mbstowcs.MSVCRT ref: 10001524
wcscpy.MSVCRT ref: 1000155A
wsprintfW.USER32 ref: 10001581
wcscpy.MSVCRT ref: 10001593
wsprintfW.USER32 ref: 100015FE
wcscpy.MSVCRT ref: 10001610
??2@YAPAXI@Z.MSVCRT(00000410), ref: 1000166D
send.WS2_32(?,00000000,00000410,00000000), ref: 1000169D
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?), ref: 100016B0
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?), ref: 100016C3

Strings

%d M, xrefs: 1000157B
%dDay %dHour %dMin %dSec, xrefs: 100015F8
mircroupdata.dynamic-dns.net, xrefs: 10001488

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: wcscpy$wsprintf$??2@??3@ByteCharErrorLastMultiWidegethostbynamegethostnameinet_ntoambstowcssend
String ID: %d M$%dDay %dHour %dMin %dSec$mircroupdata.dynamic-dns.net
API String ID: 4149417593-1019766390
Opcode ID: 9943b3763ba919198c90971646df82594e6995f7aed30f1b9187e5529ee36fcd
Instruction ID: fa9301ae2e92a151798d79a18c68dec0087eaa4b41b67b2342d2df146a23db2e
Opcode Fuzzy Hash: 9943b3763ba919198c90971646df82594e6995f7aed30f1b9187e5529ee36fcd
Instruction Fuzzy Hash: BA51B371604340ABE324CB64CC44BEBB3EDEBC8390F44491CF94997294DA75FA058B92

Function 10003465 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 64
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000BB8), ref: 1000346A
GetOEMCP.KERNEL32(00000BB8), ref: 10003470
WSAStartup.WS2_32(00000202,?), ref: 10003488
socket.WS2_32(00000002,00000001,00000000), ref: 10003497
htons.WS2_32(000001BB), ref: 100034B7
gethostbyname.WS2_32(mircroupdata.dynamic-dns.net), ref: 100034C3
htons.WS2_32(000001BB), ref: 100034F9
gethostbyname.WS2_32(mircroupdata.dynamic-dns.net), ref: 10003505
closesocket.WS2_32(00000000), ref: 10003538
connect.WS2_32(00000000,?,00000010), ref: 1000355C

Strings

mircroupdata.dynamic-dns.net, xrefs: 100034B9
mircroupdata.dynamic-dns.net, xrefs: 100034FB

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: gethostbynamehtons$SleepStartupclosesocketconnectsocket
String ID: mircroupdata.dynamic-dns.net$mircroupdata.dynamic-dns.net
API String ID: 1830810353-3462125824
Opcode ID: 3056f5cdb7e03079f624acb465ea02d17cb143927d5f1f6b0ee980c8f8f2f6ce
Instruction ID: 3fe1ecd4b492881f830b5980f4bd19f9185f32bb121a338048f6a1f8965fb255
Opcode Fuzzy Hash: 3056f5cdb7e03079f624acb465ea02d17cb143927d5f1f6b0ee980c8f8f2f6ce
Instruction Fuzzy Hash: 88218E302047219BFB15DF60CC8966BB7EAFF49B86F40801DEA069B228E7B6D844C755

Function 10002AD0 Relevance: 16.6, APIs: 11, Instructions: 109
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

select.WS2_32(?,?,00000000,?,00000000), ref: 10002B1B
__WSAFDIsSet.WS2_32(00000000,?), ref: 10002B2D
??2@YAPAXI@Z.MSVCRT(00000410,00000000,?,?,?,00000000,?,00000000,00000000,0000000A), ref: 10002B42
recv.WS2_32(00000000,?,00000410,00000000), ref: 10002B56
??3@YAXPAX@Z.MSVCRT(00000000,?,00000410,00000000), ref: 10002B7D
??2@YAPAXI@Z.MSVCRT(?,00000000), ref: 10002BB1
send.WS2_32(?,00000000,?,00000000), ref: 10002BE8
??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 10002BFB
WSAGetLastError.WS2_32(?,00000000), ref: 10002C08
closesocket.WS2_32(00000000), ref: 10002C1D
WSAGetLastError.WS2_32(?,00000410,00000000), ref: 10002C28

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ??2@??3@ErrorLast$closesocketrecvselectsend
String ID:
API String ID: 2252093931-0
Opcode ID: 77c250424815a847c6f7ba61cc5b161b2bd579a3bbed4e98e10375f55bc999ab
Instruction ID: c976249a9a8c53d14f7152e282bfa887b7d50e62d0d8cb4940ca33b7c7704eaa
Opcode Fuzzy Hash: 77c250424815a847c6f7ba61cc5b161b2bd579a3bbed4e98e10375f55bc999ab
Instruction Fuzzy Hash: F031B0726003169BF724DF64CC95BDB77E9EB89380F010528F94587249DB76AA09CB92

Function 10002800 Relevance: 15.1, APIs: 10, Instructions: 96
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000010), ref: 10002821
ResetEvent.KERNEL32(00000000), ref: 1000288C
ResetEvent.KERNEL32(00000000), ref: 10002894
Sleep.KERNEL32(000007D0), ref: 1000289B
SetEvent.KERNEL32(00000000), ref: 100028B5
SetEvent.KERNEL32(00000000), ref: 100028BE

Part of subcall function 10004110: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000400,00000000,00000000), ref: 1000414F
Part of subcall function 10004110: fopen.MSVCRT ref: 1000415F
Part of subcall function 10004110: fseek.MSVCRT ref: 10004185

??2@YAPAXI@Z.MSVCRT(00000410), ref: 100028E2
send.WS2_32(00000000,00000000,00000410,00000000), ref: 10002908
??3@YAXPAX@Z.MSVCRT(00000000), ref: 1000291B
WSAGetLastError.WS2_32 ref: 1000293C

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Event$??2@Reset$??3@ByteCharErrorLastMultiSleepWidefopenfseeksend
String ID:
API String ID: 2237447286-0
Opcode ID: 545e26743b538da2d0256948276f9b189521645c888e31a5cc7cfd0753457a4c
Instruction ID: 8c88a7173fb445b308ccdb77c746ac7f4a700c5bc602be837f9330fd020dbf0f
Opcode Fuzzy Hash: 545e26743b538da2d0256948276f9b189521645c888e31a5cc7cfd0753457a4c
Instruction Fuzzy Hash: 6A3109F6600214ABF710DB64CC85B9B77E9FB8C790F114628FA0597399DB35A804CBE5

Function 100026B0 Relevance: 15.1, APIs: 10, Instructions: 96
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000010), ref: 100026D1
ResetEvent.KERNEL32(00000000), ref: 1000273C
ResetEvent.KERNEL32(00000000), ref: 10002744
Sleep.KERNEL32(000007D0), ref: 1000274B
SetEvent.KERNEL32(00000000), ref: 10002765
SetEvent.KERNEL32(00000000), ref: 1000276E

Part of subcall function 10004110: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000400,00000000,00000000), ref: 1000414F
Part of subcall function 10004110: fopen.MSVCRT ref: 1000415F
Part of subcall function 10004110: fseek.MSVCRT ref: 10004185

??2@YAPAXI@Z.MSVCRT(00000410), ref: 10002792
send.WS2_32(00000000,00000000,00000410,00000000), ref: 100027B8
??3@YAXPAX@Z.MSVCRT(00000000), ref: 100027CB
WSAGetLastError.WS2_32 ref: 100027EC

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Event$??2@Reset$??3@ByteCharErrorLastMultiSleepWidefopenfseeksend
String ID:
API String ID: 2237447286-0
Opcode ID: dc6aecf0e4e7584b8d597a30afd35f24a8038c87cc5cde6187605972ad39e936
Instruction ID: 9593be83d57895235682dcee4e743a818cf0cff742c977b3c7a1ba4151597c64
Opcode Fuzzy Hash: dc6aecf0e4e7584b8d597a30afd35f24a8038c87cc5cde6187605972ad39e936
Instruction Fuzzy Hash: 1331E6B66042109BF710DB64CC85B9B77A9FB88390F114628FA0987399DB75A844CBE5

Function 100031A4 Relevance: 13.6, APIs: 9, Instructions: 95
networkthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcstombs.MSVCRT ref: 100031CD
gethostbyname.WS2_32(?), ref: 100031DA
socket.WS2_32(00000002,00000001,00000000), ref: 100031F0
htons.WS2_32 ref: 10003233
connect.WS2_32(00000000,?,00000010), ref: 10003246
ResetEvent.KERNEL32(00000000), ref: 10003270
ResetEvent.KERNEL32(00000000), ref: 10003278
CreateThread.KERNEL32(00000000,00000000,Function_00002AD0,00000000,00000000,00000000), ref: 1000329A
CreateThread.KERNEL32(00000000,00000000,Function_00002C40,?,00000000,00000000), ref: 100032BE

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CreateEventResetThread$connectgethostbynamehtonssocketwcstombs
String ID:
API String ID: 223029929-0
Opcode ID: a08a4fc2431d913bba4c9591927c1b2cd6d85cbfb5f5ff91f714eb7699c0cf9d
Instruction ID: 927e1738d20abe1d0f1b307c8ef05adcbb485e93cd62e5af3d16f770fc2d2d26
Opcode Fuzzy Hash: a08a4fc2431d913bba4c9591927c1b2cd6d85cbfb5f5ff91f714eb7699c0cf9d
Instruction Fuzzy Hash: FD31A475604310AFE720CB24CC81B9B77E5EB8CB51F10491DFA45A72D4D7B6A908CB96

Function 100013C0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000,00020019,?,75A773E0,?,?,?,10001626,?,?), ref: 100013DA
??2@YAPAXI@Z.MSVCRT(0000000A,?,?,?,10001626,?,?), ref: 100013ED
RegQueryValueExW.ADVAPI32(?,ProxyEnable,00000000,?), ref: 1000142B

Strings

ProxyEnable, xrefs: 1000141D
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 100013D0

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ??2@OpenQueryValue
String ID: ProxyEnable$Software\Microsoft\Windows\CurrentVersion\Internet Settings
API String ID: 2275364114-1808106468
Opcode ID: c6987373415038016d1ad428303ba20c933c8d1a64fb8354375fcb3238d3cc6a
Instruction ID: 34fc9181e4f2e346789c2428ccb036e8b8c48cd1f4024b335a81f20db343bc21
Opcode Fuzzy Hash: c6987373415038016d1ad428303ba20c933c8d1a64fb8354375fcb3238d3cc6a
Instruction Fuzzy Hash: F41190B16083426BF314EF689C51ADBBAE5EF88340F44485DF58882256E770D60886E7

Function 10002950 Relevance: 12.1, APIs: 8, Instructions: 104networkCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(0000000C), ref: 10002971
??2@YAPAXI@Z.MSVCRT(00000410), ref: 100029ED
send.WS2_32(00000000,00000000,00000410,00000000), ref: 10002A16
??3@YAXPAX@Z.MSVCRT(00000000), ref: 10002A2D

Part of subcall function 10003F00: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000400,00000000,00000000,?), ref: 10003F35
Part of subcall function 10003F00: fopen.MSVCRT ref: 10003F45

wcscpy.MSVCRT ref: 10002A69
??2@YAPAXI@Z.MSVCRT(00000410,?,?), ref: 10002A79
send.WS2_32(00000000,00000000,00000410,00000000), ref: 10002A9F
WSAGetLastError.WS2_32 ref: 10002AB6

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ??2@$send$??3@ByteCharErrorLastMultiWidefopenwcscpy
String ID:
API String ID: 2392472551-0
Opcode ID: 098c060dbc7b52ab303ffb784b6c3c40be57781a8cca0e9ef4fb8ef4fddbb040
Instruction ID: 8a26d9e6375ad740591beb029c97ee1d26c7202b34df74addd45442dcfb9abfd
Opcode Fuzzy Hash: 098c060dbc7b52ab303ffb784b6c3c40be57781a8cca0e9ef4fb8ef4fddbb040
Instruction Fuzzy Hash: 3031E5B26007519BF320CB25CC8579B77E9FB88790F014638F94997389DF74A904CB96

Function 10001A30 Relevance: 10.6, APIs: 7, Instructions: 112networkfileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,000001FF,00000000,00000000), ref: 10001AB7
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?), ref: 10001B1E
wcscpy.MSVCRT ref: 10001B34
??2@YAPAXI@Z.MSVCRT ref: 10001B4F
send.WS2_32(00000000,?,00000410,00000000), ref: 10001B78
??3@YAXPAX@Z.MSVCRT(00000000,?,00000410,00000000), ref: 10001B8B
WSAGetLastError.WS2_32(?,00000410,00000000), ref: 10001B98

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ??2@??3@ByteCharErrorFileLastMultiReadWidesendwcscpy
String ID:
API String ID: 3138976475-0
Opcode ID: 0f5b30952a235ea7ee8b6396ddae8dec54b17ad26299772d589558d42acaa3ba
Instruction ID: 377c3d26e852191d57a91ee3c4ecf05a71ee6056ce44171d8d843e0d2da36775
Opcode Fuzzy Hash: 0f5b30952a235ea7ee8b6396ddae8dec54b17ad26299772d589558d42acaa3ba
Instruction Fuzzy Hash: 8831A871204346AFF720CB24CC54BEB73E9EBC8340F00092DF65997294EB75A90987A3

Function 10001000 Relevance: 10.6, APIs: 7, Instructions: 74networksleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1000102C
??2@YAPAXI@Z.MSVCRT ref: 1000106C
send.WS2_32(00000000,00000104,00000410,00000000), ref: 10001092
??3@YAXPAX@Z.MSVCRT(00000000), ref: 100010A5
Sleep.KERNEL32(00009C40), ref: 100010B2
WSAGetLastError.WS2_32 ref: 100010D0
closesocket.WS2_32(00000000), ref: 100010DF

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ??2@??3@CountErrorLastSleepTickclosesocketsend
String ID:
API String ID: 1914851243-0
Opcode ID: f577cd392b19dfd39cec723f6e96506bae673b0265301f3e92f584b97250d589
Instruction ID: d94c9553da811a28f2fce3e0f93dd2de5d444d9c04fac52cd2fe30fb4f9d74b8
Opcode Fuzzy Hash: f577cd392b19dfd39cec723f6e96506bae673b0265301f3e92f584b97250d589
Instruction Fuzzy Hash: BF21D1717002558BF700CB35DC8979B37E5EB843D6F010439FA41C725CEBBAE98886A2

Function 100025E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

Part of subcall function 100025B0: GetFileAttributesW.KERNEL32(?,100025F7,?,?,?,00000000), ref: 100025B9

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 1000260C
??2@YAPAXI@Z.MSVCRT(00000410), ref: 10002649
send.WS2_32(00000000,00000000,00000410,00000000), ref: 1000266F
??3@YAXPAX@Z.MSVCRT(00000000), ref: 10002682
WSAGetLastError.WS2_32 ref: 1000269A

Strings

open, xrefs: 10002605

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ??2@??3@AttributesErrorExecuteFileLastShellsend
String ID: open
API String ID: 4080252296-2758837156
Opcode ID: 36e9baf4d0c9fdb419819e233b878e263219e926738e82f55a11d176f5b109d4
Instruction ID: f943a664f0ea96b4dc68a7cff9be4213b8e2c9aab41f51eb370d717f6862ffb1
Opcode Fuzzy Hash: 36e9baf4d0c9fdb419819e233b878e263219e926738e82f55a11d176f5b109d4
Instruction Fuzzy Hash: 4A112BB260061057F310CB20DC86BDB76D8EB847D5F150435FA019B295DBBAF98983D9

Function 10001960 Relevance: 10.6, APIs: 7, Instructions: 67networkCOMMON

Download Yara Rule

APIs

_wtoi.MSVCRT(00000000,?,?,00000000), ref: 1000196F
OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 10001981
TerminateProcess.KERNEL32(00000000,00000000), ref: 1000198E
??2@YAPAXI@Z.MSVCRT(00000410), ref: 100019CB
send.WS2_32(00000000,?,00000410,00000000), ref: 100019F1
??3@YAXPAX@Z.MSVCRT(00000000,?,00000410,00000000), ref: 10001A04
WSAGetLastError.WS2_32(?,00000410,00000000), ref: 10001A17

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Process$??2@??3@ErrorLastOpenTerminate_wtoisend
String ID:
API String ID: 1682623619-0
Opcode ID: 44af0541fbcf324d5782b0593ad0bd05d5675197d9830564703dd29e861c911f
Instruction ID: 3a71037d7a96ea86da102fa6f60a34c4d0a357625117caae62ee29ec169a8fc7
Opcode Fuzzy Hash: 44af0541fbcf324d5782b0593ad0bd05d5675197d9830564703dd29e861c911f
Instruction Fuzzy Hash: 0311E6B2A003115BF310DF20DC89B9B3BD8EB807D5F050438F90497259DB7AE98882E6

Function 10002C40 Relevance: 9.1, APIs: 6, Instructions: 68networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 10002C83
??2@YAPAXI@Z.MSVCRT(00000410), ref: 10002C9C
send.WS2_32(00000000,00000000,00000410,00000000), ref: 10002CC2
??3@YAXPAX@Z.MSVCRT(00000000), ref: 10002CD5
WSAGetLastError.WS2_32 ref: 10002CE6
closesocket.WS2_32 ref: 10002CFF

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ??2@??3@ErrorLastclosesocketrecvsend
String ID:
API String ID: 1873095041-0
Opcode ID: ec42ab6da09824132e15eb91856200ea3c1f693f3b5b376774f1d1f9f9650f75
Instruction ID: aeb44a3bb8e0a1203247f99ab37f821fb7ebe578f5c67549010c6e56c2d80e53
Opcode Fuzzy Hash: ec42ab6da09824132e15eb91856200ea3c1f693f3b5b376774f1d1f9f9650f75
Instruction Fuzzy Hash: 5511D2B26002249BF700CF64CC85ADBB7E8FB883A5F040539FA0597254DB76E94987E6

Function 10001D00 Relevance: 9.1, APIs: 6, Instructions: 67filethreadCOMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNEL32(00000000), ref: 10001D24
TerminateThread.KERNEL32(00000000,00000000,?,10002EC0,00000000,?), ref: 10001D3D
wcscat.MSVCRT ref: 10001D58
wcslen.MSVCRT ref: 10001D5E
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001000,00000000,00000000,10002EC0,00000000,?), ref: 10001DA2
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 10001DBC

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ByteCharCodeExitFileMultiProcessTerminateThreadWideWritewcscatwcslen
String ID:
API String ID: 118662748-0
Opcode ID: 3c4c689e0c29a72d78c46af162be03f7c0454913ae3d77586f60af4647f00eea
Instruction ID: 8b1c56680e10605e56bcb1be71bd95fa798179eed4ce51ed37410ee85b244767
Opcode Fuzzy Hash: 3c4c689e0c29a72d78c46af162be03f7c0454913ae3d77586f60af4647f00eea
Instruction Fuzzy Hash: A2118172204291BFF311DB64CC84FDF33EDFB88785F104629F64596198DB79AA088BA1

Function 100010F0 Relevance: 9.1, APIs: 6, Instructions: 59networksleepsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10001124
??2@YAPAXI@Z.MSVCRT ref: 10001147
send.WS2_32(00000000,?,00000410,00000000), ref: 1000116D
??3@YAXPAX@Z.MSVCRT(00000000,?,00000410,00000000), ref: 10001180
Sleep.KERNEL32(00009C40,?,00000410,00000000), ref: 1000118D
WSAGetLastError.WS2_32(?,00000410,00000000), ref: 100011A7

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ??2@??3@ErrorLastObjectSingleSleepWaitsend
String ID:
API String ID: 3170285620-0
Opcode ID: 5bcd84b5a92d50d32167fff99c68aed3fb960083369a5a03cc47fbf4db115e83
Instruction ID: fb5898aab849cd6be72cbcf1b4ebb39d99d8b1d316814e8ca94bc596cba2b5ef
Opcode Fuzzy Hash: 5bcd84b5a92d50d32167fff99c68aed3fb960083369a5a03cc47fbf4db115e83
Instruction Fuzzy Hash: 6911E0B1600221ABF300CB24CC85BDB77E9EB853D4F014528FA04973A8DB76E94486D2

Function 100041C0 Relevance: 7.6, APIs: 5, Instructions: 104networkCOMMON

Download Yara Rule

APIs

fread.MSVCRT ref: 10004250
??2@YAPAXI@Z.MSVCRT(00000410), ref: 1000425C
send.WS2_32(?,00000000,00000410,00000000), ref: 10004282
??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,00000410,00000000,00000000,75923070,00000000), ref: 10004295
WSAGetLastError.WS2_32(?,00000000,00000410,00000000,00000000,75923070,00000000), ref: 100042C2

Part of subcall function 100041A0: fclose.MSVCRT ref: 100041AA

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: ??2@??3@ErrorLastfclosefreadsend
String ID:
API String ID: 2586463314-0
Opcode ID: e8f4d5085796ffea71cf3fd13c0752daad24d80455fdbf3b229a1b6ad2aa5663
Instruction ID: a39efd8a57863122f1050084b28ef757405dc8fdaf8256a10c4adfdd988bd093
Opcode Fuzzy Hash: e8f4d5085796ffea71cf3fd13c0752daad24d80455fdbf3b229a1b6ad2aa5663
Instruction Fuzzy Hash: D731C2B1A043119FE304CF24D84069BB7E5FBC8384F52493DFA85D7345DA74E9458B96

Function 100024E0 Relevance: 7.6, APIs: 5, Instructions: 67networkfileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?), ref: 1000250D
??2@YAPAXI@Z.MSVCRT ref: 1000253E
send.WS2_32(00000000,00000000,00000410,00000000), ref: 10002564
??3@YAXPAX@Z.MSVCRT(00000000), ref: 10002577

Part of subcall function 10002490: SHFileOperationW.SHELL32 ref: 100024D1

WSAGetLastError.WS2_32 ref: 1000258F

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: File$??2@??3@DeleteErrorLastOperationsend
String ID:
API String ID: 583681615-0
Opcode ID: 3314b34395dbffa4998d49237d848bb61304e9a670b211b1a176d33d2a4a99e8
Instruction ID: 3e42e3547cf1324030a642c7499dd84fa4143b2581b55218b4c6dadfc0ed3615
Opcode Fuzzy Hash: 3314b34395dbffa4998d49237d848bb61304e9a670b211b1a176d33d2a4a99e8
Instruction Fuzzy Hash: A4117AB26002195BF310DF38DC85BEB37D8EB84391F000934FA05C7244EA39F88987A6

Function 10002DE2 Relevance: 7.5, APIs: 5, Instructions: 41threadCOMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(00000000,00000000), ref: 10002E03
CloseHandle.KERNEL32(00000000), ref: 10002E16
TerminateThread.KERNEL32(00000000,00000000), ref: 10002E39
CloseHandle.KERNEL32(00000000), ref: 10002E46
exit.MSVCRT ref: 10002E4F

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CloseHandleTerminate$ProcessThreadexit
String ID:
API String ID: 909354777-0
Opcode ID: 4a34bacec99acaa7b4100a1cba2411b5570e92b895b3c2f021c06721252522bb
Instruction ID: d1620063f169c4269894aff42485f7cb6d1acb416f81c141ff79c1bf72eea847
Opcode Fuzzy Hash: 4a34bacec99acaa7b4100a1cba2411b5570e92b895b3c2f021c06721252522bb
Instruction Fuzzy Hash: 130112B5A446209BF704DB69CCC4B1A37EAFB8C7D9F24401AF50887268DB79A5448FA1

Function 100011B0 Relevance: 6.0, APIs: 4, Instructions: 33threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,0000000A,100038A4,00000000,?,?,?,?,?,000001BB), ref: 100011BF
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,000001BB), ref: 100011CE
CreateThread.KERNEL32(00000000,00000000,10001000,00000000,00000000,00000000), ref: 100011EA
CreateThread.KERNEL32(00000000,00000000,100010F0,00000000,00000000,00000000), ref: 10001200

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Create$EventThread
String ID:
API String ID: 3571019211-0
Opcode ID: 0b6ac9352678b0e72ffd089906221d812fb054a5f938ba18cbaba84c6a01cb23
Instruction ID: c55ed9b9b4935bf2434d1d35b9174ab6cb5e28cba6f25b8c269aef842b3a1f56
Opcode Fuzzy Hash: 0b6ac9352678b0e72ffd089906221d812fb054a5f938ba18cbaba84c6a01cb23
Instruction Fuzzy Hash: 35F07571BD03347AFA309B645C87F863A969708F91F300416F3047F1D8D6E234808B98

Function 10003343 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137networksleepsynchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(00000000,00000001,111), ref: 10003443
GetLastError.KERNEL32 ref: 10003449
Sleep.KERNEL32(00000BB8), ref: 1000346A
GetOEMCP.KERNEL32(00000BB8), ref: 10003470
WSAStartup.WS2_32(00000202,?), ref: 10003488
socket.WS2_32(00000002,00000001,00000000), ref: 10003497
htons.WS2_32(000001BB), ref: 100034B7
gethostbyname.WS2_32(mircroupdata.dynamic-dns.net), ref: 100034C3
htons.WS2_32(000001BB), ref: 100034F9
gethostbyname.WS2_32(mircroupdata.dynamic-dns.net), ref: 10003505
closesocket.WS2_32(00000000), ref: 10003538
connect.WS2_32(00000000,?,00000010), ref: 1000355C

Strings

111, xrefs: 1000343A

Memory Dump Source

Source File: 00000003.00000002.2463931357.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2463889236.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463946181.0000000010005000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463959271.0000000010006000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2463973005.0000000010007000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: gethostbynamehtons$CreateErrorLastMutexSleepStartupclosesocketconnectsocket
String ID: 111
API String ID: 766072800-1298878781
Opcode ID: 7277068ca1c238f40571ebf68e59f023c591dcc063f81d36b2fc90246d2d8aaa
Instruction ID: f8972486e9c8a00a4c536b69445b814a1f584d8c326d2615df4a2f7668f35c35
Opcode Fuzzy Hash: 7277068ca1c238f40571ebf68e59f023c591dcc063f81d36b2fc90246d2d8aaa
Instruction Fuzzy Hash: 61018C2950E2C15FE7039374AD856963F62DF47359F4F48E1E1C4AA46BC18D180DCBA0

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report capacart.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_eed257f8ca9568734a5676b04c69adc7f1e5eb8_7522e4b5_07470c55-aa7f-4b4f-ae3a-2efece447047\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_eed257f8ca9568734a5676b04c69adc7f1e5eb8_7522e4b5_9abcc6a2-0bbe-4fe0-8854-f9997e47819d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER11F4.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1291.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER12FF.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER784.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER811.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER841.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Exports

Network Behavior

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
capacart.dll