Edit tour

Windows Analysis Report
mNtu4X8ZyE.exe

Overview

General Information

Sample name:	mNtu4X8ZyE.exe renamed because original name is a hash value
Original sample name:	3d1ad8f5c275b10be10f06b5505bee6ae6c80e60.exe
Analysis ID:	1553820
MD5:	6e30d8bda11412a2272a387b549be17a
SHA1:	3d1ad8f5c275b10be10f06b5505bee6ae6c80e60
SHA256:	c3ad80d9e8443b1beae2dfe76227770b83fa852b9226f91a5628cb06624d8d9c
Tags:	exeuser-NDA0E
Infos:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Emotet

C2 URLs / IPs found in malware configuration

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Uses known network protocols on non-standard ports

Uses regedit.exe to modify the Windows registry

Connects to several IPs in different countries

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files to the windows directory (C:\Windows)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Queries the volume information (name, serial number etc) of a device

Sigma detected: Communication To Uncommon Destination Ports

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

mNtu4X8ZyE.exe (PID: 7360 cmdline: "C:\Users\user\Desktop\mNtu4X8ZyE.exe" MD5: 6E30D8BDA11412A2272A387B549BE17A)

regedit.exe (PID: 7464 cmdline: "C:\Windows\SysWOW64\expand\regedit.exe" MD5: 6E30D8BDA11412A2272A387B549BE17A)

wpnclient.exe (PID: 7580 cmdline: "C:\Windows\SysWOW64\winhttpcom\wpnclient.exe" MD5: 6E30D8BDA11412A2272A387B549BE17A)

svchost.exe (PID: 7496 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Emotet	While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.It is always stealing information from victims but what the criminal gang behind it did, was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time.Emotet had been taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021.	GOLD CABIN MUMMY SPIDER Mealybug	http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1 http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/ http://ropgadget.com/posts/defensive_pcres.html https://adalogics.com/blog/the-state-of-advanced-code-injections https://asec.ahnlab.com/en/33600/	https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB", "C2 list": ["190.202.229.74:80", "118.69.11.81:7080", "70.39.251.94:8080", "87.230.25.43:8080", "94.23.62.116:8080", "37.187.161.206:8080", "45.46.37.97:80", "138.97.60.141:7080", "177.144.130.105:8080", "169.1.39.242:80", "209.236.123.42:8080", "202.134.4.210:7080", "193.251.77.110:80", "2.45.176.233:80", "217.13.106.14:8080", "189.223.16.99:80", "190.101.156.139:80", "77.238.212.227:80", "181.58.181.9:80", "37.183.81.217:80", "74.58.215.226:80", "174.118.202.24:443", "168.197.45.36:80", "81.215.230.173:443", "192.175.111.212:7080", "216.47.196.104:80", "128.92.203.42:80", "94.176.234.118:443", "191.182.6.118:80", "212.71.237.140:8080", "24.232.228.233:80", "177.73.0.98:443", "177.23.7.151:80", "24.135.69.146:80", "83.169.21.32:7080", "189.34.181.88:80", "179.222.115.170:80", "177.144.130.105:443", "213.197.182.158:8080", "5.89.33.136:80", "77.78.196.173:443", "120.72.18.91:80", "50.28.51.143:8080", "190.64.88.186:443", "111.67.12.221:8080", "12.162.84.2:8080", "46.105.114.137:8080", "59.148.253.194:8080", "201.213.177.139:80", "82.76.52.155:80", "172.104.169.32:8080", "188.251.213.180:80", "46.43.2.95:8080", "137.74.106.111:7080", "188.135.15.49:80", "185.94.252.27:443", "197.232.36.108:80", "60.249.78.226:8080", "187.162.248.237:80", "181.129.96.162:8080", "46.101.58.37:8080", "109.242.153.9:80", "178.211.45.66:8080", "200.59.6.174:80", "83.103.179.156:80", "172.86.186.21:8080", "70.32.115.157:8080", "81.214.253.80:443", "201.49.239.200:443", "149.202.72.142:7080", "190.45.24.210:80", "186.189.249.2:80", "219.92.13.25:80", "170.81.48.2:80", "51.75.33.127:80", "192.241.143.52:8080", "45.33.77.42:8080", "152.169.22.67:80", "1.226.84.243:8080", "78.206.229.130:80", "37.179.145.105:80", "68.183.170.114:8080", "192.232.229.54:7080", "103.236.179.162:80", "70.32.84.74:8080", "79.118.74.90:80", "60.93.23.51:80", "181.120.29.49:80", "213.52.74.198:80", "51.255.165.160:8080", "183.176.82.231:80", "186.193.229.123:80", "98.103.204.12:443", "129.232.220.11:8080", "181.61.182.143:80", "68.183.190.199:8080", "190.115.18.139:8080", "200.24.255.23:80", "103.13.224.53:80", "85.214.26.7:8080", "190.24.243.186:80", "87.106.46.107:8080", "177.107.79.214:8080", "12.163.208.58:80", "187.162.250.23:443", "109.101.137.162:8080", "82.76.111.249:443", "181.30.61.163:443", "5.196.35.138:7080", "51.15.7.145:80", "192.198.91.138:443", "188.157.101.114:80", "189.2.177.210:443", "181.123.6.86:80", "109.190.35.249:80", "45.16.226.117:443", "190.190.219.184:80", "104.131.41.185:8080", "101.187.81.254:80", "62.84.75.50:80", "178.250.54.208:8080", "201.71.228.86:80", "190.92.122.226:80", "138.97.60.140:8080"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1306329295.0000000002671000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.2542043862.00000000021E1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.2541675452.0000000000590000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000002.1322151004.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.1306249932.0000000002614000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.2541960416.0000000002184000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.1306123613.0000000002210000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000002.1322291450.0000000002154000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000002.1322392048.00000000021B1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.mNtu4X8ZyE.exe.221052e.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.regedit.exe.1fd279e.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.wpnclient.exe.21e0000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.regedit.exe.1fd052e.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.mNtu4X8ZyE.exe.221279e.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.regedit.exe.1fd279e.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.wpnclient.exe.59052e.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.wpnclient.exe.59052e.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.regedit.exe.1fd052e.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.mNtu4X8ZyE.exe.221052e.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.mNtu4X8ZyE.exe.221279e.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.wpnclient.exe.59279e.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.wpnclient.exe.59279e.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.mNtu4X8ZyE.exe.2670000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.regedit.exe.21b0000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: Communication To Uncommon Destination Ports

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 70.39.251.94, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe, Initiated: true, ProcessId: 7580, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49936

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, CommandLine: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, ProcessId: 7496, ProcessName: svchost.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-11T18:22:34.128040+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.7	49798	TCP
2024-11-11T18:23:14.538600+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.7	49980	TCP

ET MALWARE Win32/Emotet CnC Activity (POST) M11

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-11T18:22:36.385675+0100	2035077	1	A Network Trojan was detected	192.168.2.7	49766	190.202.229.74	80	TCP
2024-11-11T18:22:56.826697+0100	2035077	1	A Network Trojan was detected	192.168.2.7	49936	70.39.251.94	8080	TCP
2024-11-11T18:23:08.796039+0100	2035077	1	A Network Trojan was detected	192.168.2.7	49978	87.230.25.43	8080	TCP
2024-11-11T18:23:20.800044+0100	2035077	1	A Network Trojan was detected	192.168.2.7	49979	94.23.62.116	8080	TCP
2024-11-11T18:23:32.953468+0100	2035077	1	A Network Trojan was detected	192.168.2.7	49983	37.187.161.206	8080	TCP
2024-11-11T18:23:45.064324+0100	2035077	1	A Network Trojan was detected	192.168.2.7	49984	45.46.37.97	80	TCP
2024-11-11T18:23:57.482018+0100	2035077	1	A Network Trojan was detected	192.168.2.7	49985	138.97.60.141	7080	TCP
2024-11-11T18:24:08.284550+0100	2035077	1	A Network Trojan was detected	192.168.2.7	49986	177.144.130.105	8080	TCP
2024-11-11T18:24:20.133558+0100	2035077	1	A Network Trojan was detected	192.168.2.7	49987	169.1.39.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: mNtu4X8ZyE.exe

Avira: detected

Found malware configuration

Source: 4.2.wpnclient.exe.59052e.1.raw.unpack

Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB", "C2 list": ["190.202.229.74:80", "118.69.11.81:7080", "70.39.251.94:8080", "87.230.25.43:8080", "94.23.62.116:8080", "37.187.161.206:8080", "45.46.37.97:80", "138.97.60.141:7080", "177.144.130.105:8080", "169.1.39.242:80", "209.236.123.42:8080", "202.134.4.210:7080", "193.251.77.110:80", "2.45.176.233:80", "217.13.106.14:8080", "189.223.16.99:80", "190.101.156.139:80", "77.238.212.227:80", "181.58.181.9:80", "37.183.81.217:80", "74.58.215.226:80", "174.118.202.24:443", "168.197.45.36:80", "81.215.230.173:443", "192.175.111.212:7080", "216.47.196.104:80", "128.92.203.42:80", "94.176.234.118:443", "191.182.6.118:80", "212.71.237.140:8080", "24.232.228.233:80", "177.73.0.98:443", "177.23.7.151:80", "24.135.69.146:80", "83.169.21.32:7080", "189.34.181.88:80", "179.222.115.170:80", "177.144.130.105:443", "213.197.182.158:8080", "5.89.33.136:80", "77.78.196.173:443", "120.72.18.91:80", "50.28.51.143:8080", "190.64.88.186:443", "111.67.12.221:8080", "12.162.84.2:8080", "46.105.114.137:8080", "59.148.253.194:8080", "201.213.177.139:80", "82.76.52.155:80", "172.104.169.32:8080", "188.251.213.180:80", "46.43.2.95:8080", "137.74.106.111:7080", "188.135.15.49:80", "185.94.252.27:443", "197.232.36.108:80", "60.249.78.226:8080", "187.162.248.237:80", "181.129.96.162:8080", "46.101.58.37:8080", "109.242.153.9:80", "178.211.45.66:8080", "200.59.6.174:80", "83.103.179.156:80", "172.86.186.21:8080", "70.32.115.157:8080", "81.214.253.80:443", "201.49.239.200:443", "149.202.72.142:7080", "190.45.24.210:80", "186.189.249.2:80", "219.92.13.25:80", "170.81.48.2:80", "51.75.33.127:80", "192.241.143.52:8080", "45.33.77.42:8080", "152.169.22.67:80", "1.226.84.243:8080", "78.206.229.130:80", "37.179.145.105:80", "68.183.170.114:8080", "192.232.229.54:7080", "103.236.179.162:80", "70.32.84.74:8080", "79.118.74.90:80", "60.93.23.51:80", "181.120.29.49:80", "213.52.74.198:80", "51.255.165.160:8080", "183.176.82.231:80", "186.193.229.123:80", "98.103.204.12:443", "129.232.220.11:8080", "181.61.182.143:80", "68.183.190.199:8080", "190.115.18.139:8080", "200.24.255.23:80", "103.13.224.53:80", "85.214.26.7:8080", "190.24.243.186:80", "87.106.46.107:8080", "177.107.79.214:8080", "12.163.208.58:80", "187.162.250.23:443", "109.101.137.162:8080", "82.76.111.249:443", "181.30.61.163:443", "5.196.35.138:7080", "51.15.7.145:80", "192.198.91.138:443", "188.157.101.114:80", "189.2.177.210:443", "181.123.6.86:80", "109.190.35.249:80", "45.16.226.117:443", "190.190.219.184:80", "104.131.41.185:8080", "101.187.81.254:80", "62.84.75.50:80", "178.250.54.208:8080", "201.71.228.86:80", "190.92.122.226:80", "138.97.60.140:8080"]}

Multi AV Scanner detection for submitted file

Source: mNtu4X8ZyE.exe

ReversingLabs: Detection: 78%

Machine Learning detection for sample

Source: mNtu4X8ZyE.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_00401600 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,EncryptFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,LoadIconA,LoadCursorA,GetStockObject,RegisterClassA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,CreateWindowExA,ShowWindow,UpdateWindow,GetMessageA,GetMessageA,TranslateMessage,DispatchMessageA,TranslateMessage,DispatchMessageA,GetMessageA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00401600
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_00401600 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,EncryptFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,LoadIconA,LoadCursorA,GetStockObject,RegisterClassA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,CreateWindowExA,ShowWindow,UpdateWindow,GetMessageA,GetMessageA,TranslateMessage,DispatchMessageA,TranslateMessage,DispatchMessageA,GetMessageA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,	2_2_00401600
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_00401600 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,EncryptFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,LoadIconA,LoadCursorA,GetStockObject,RegisterClassA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,CreateWindowExA,ShowWindow,UpdateWindow,GetMessageA,GetMessageA,TranslateMessage,DispatchMessageA,TranslateMessage,DispatchMessageA,GetMessageA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,	4_2_00401600
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_021E2680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey,	4_2_021E2680
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_021E22C0 CryptExportKey,CryptDestroyHash,memcpy,CryptEncrypt,RtlAllocateHeap,CryptDuplicateHash,CryptGetHashParam,	4_2_021E22C0
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_021E1FF0 memcpy,CryptDuplicateHash,CryptDestroyHash,RtlAllocateHeap,	4_2_021E1FF0

Source: mNtu4X8ZyE.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02673A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,	0_2_02673A20
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_021B3A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,	2_2_021B3A20
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_021E3A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,	4_2_021E3A20

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2035077 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M11 : 192.168.2.7:49936 -> 70.39.251.94:8080
Source: Network traffic	Suricata IDS: 2035077 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M11 : 192.168.2.7:49978 -> 87.230.25.43:8080
Source: Network traffic	Suricata IDS: 2035077 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M11 : 192.168.2.7:49983 -> 37.187.161.206:8080
Source: Network traffic	Suricata IDS: 2035077 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M11 : 192.168.2.7:49766 -> 190.202.229.74:80
Source: Network traffic	Suricata IDS: 2035077 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M11 : 192.168.2.7:49979 -> 94.23.62.116:8080
Source: Network traffic	Suricata IDS: 2035077 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M11 : 192.168.2.7:49984 -> 45.46.37.97:80
Source: Network traffic	Suricata IDS: 2035077 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M11 : 192.168.2.7:49987 -> 169.1.39.242:80
Source: Network traffic	Suricata IDS: 2035077 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M11 : 192.168.2.7:49986 -> 177.144.130.105:8080
Source: Network traffic	Suricata IDS: 2035077 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M11 : 192.168.2.7:49985 -> 138.97.60.141:7080

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 190.202.229.74:80
Source: Malware configuration extractor	IPs: 118.69.11.81:7080
Source: Malware configuration extractor	IPs: 70.39.251.94:8080
Source: Malware configuration extractor	IPs: 87.230.25.43:8080
Source: Malware configuration extractor	IPs: 94.23.62.116:8080
Source: Malware configuration extractor	IPs: 37.187.161.206:8080
Source: Malware configuration extractor	IPs: 45.46.37.97:80
Source: Malware configuration extractor	IPs: 138.97.60.141:7080
Source: Malware configuration extractor	IPs: 177.144.130.105:8080
Source: Malware configuration extractor	IPs: 169.1.39.242:80
Source: Malware configuration extractor	IPs: 209.236.123.42:8080
Source: Malware configuration extractor	IPs: 202.134.4.210:7080
Source: Malware configuration extractor	IPs: 193.251.77.110:80
Source: Malware configuration extractor	IPs: 2.45.176.233:80
Source: Malware configuration extractor	IPs: 217.13.106.14:8080
Source: Malware configuration extractor	IPs: 189.223.16.99:80
Source: Malware configuration extractor	IPs: 190.101.156.139:80
Source: Malware configuration extractor	IPs: 77.238.212.227:80
Source: Malware configuration extractor	IPs: 181.58.181.9:80
Source: Malware configuration extractor	IPs: 37.183.81.217:80
Source: Malware configuration extractor	IPs: 74.58.215.226:80
Source: Malware configuration extractor	IPs: 174.118.202.24:443
Source: Malware configuration extractor	IPs: 168.197.45.36:80
Source: Malware configuration extractor	IPs: 81.215.230.173:443
Source: Malware configuration extractor	IPs: 192.175.111.212:7080
Source: Malware configuration extractor	IPs: 216.47.196.104:80
Source: Malware configuration extractor	IPs: 128.92.203.42:80
Source: Malware configuration extractor	IPs: 94.176.234.118:443
Source: Malware configuration extractor	IPs: 191.182.6.118:80
Source: Malware configuration extractor	IPs: 212.71.237.140:8080
Source: Malware configuration extractor	IPs: 24.232.228.233:80
Source: Malware configuration extractor	IPs: 177.73.0.98:443
Source: Malware configuration extractor	IPs: 177.23.7.151:80
Source: Malware configuration extractor	IPs: 24.135.69.146:80
Source: Malware configuration extractor	IPs: 83.169.21.32:7080
Source: Malware configuration extractor	IPs: 189.34.181.88:80
Source: Malware configuration extractor	IPs: 179.222.115.170:80
Source: Malware configuration extractor	IPs: 177.144.130.105:443
Source: Malware configuration extractor	IPs: 213.197.182.158:8080
Source: Malware configuration extractor	IPs: 5.89.33.136:80
Source: Malware configuration extractor	IPs: 77.78.196.173:443
Source: Malware configuration extractor	IPs: 120.72.18.91:80
Source: Malware configuration extractor	IPs: 50.28.51.143:8080
Source: Malware configuration extractor	IPs: 190.64.88.186:443
Source: Malware configuration extractor	IPs: 111.67.12.221:8080
Source: Malware configuration extractor	IPs: 12.162.84.2:8080
Source: Malware configuration extractor	IPs: 46.105.114.137:8080
Source: Malware configuration extractor	IPs: 59.148.253.194:8080
Source: Malware configuration extractor	IPs: 201.213.177.139:80
Source: Malware configuration extractor	IPs: 82.76.52.155:80
Source: Malware configuration extractor	IPs: 172.104.169.32:8080
Source: Malware configuration extractor	IPs: 188.251.213.180:80
Source: Malware configuration extractor	IPs: 46.43.2.95:8080
Source: Malware configuration extractor	IPs: 137.74.106.111:7080
Source: Malware configuration extractor	IPs: 188.135.15.49:80
Source: Malware configuration extractor	IPs: 185.94.252.27:443
Source: Malware configuration extractor	IPs: 197.232.36.108:80
Source: Malware configuration extractor	IPs: 60.249.78.226:8080
Source: Malware configuration extractor	IPs: 187.162.248.237:80
Source: Malware configuration extractor	IPs: 181.129.96.162:8080
Source: Malware configuration extractor	IPs: 46.101.58.37:8080
Source: Malware configuration extractor	IPs: 109.242.153.9:80
Source: Malware configuration extractor	IPs: 178.211.45.66:8080
Source: Malware configuration extractor	IPs: 200.59.6.174:80
Source: Malware configuration extractor	IPs: 83.103.179.156:80
Source: Malware configuration extractor	IPs: 172.86.186.21:8080
Source: Malware configuration extractor	IPs: 70.32.115.157:8080
Source: Malware configuration extractor	IPs: 81.214.253.80:443
Source: Malware configuration extractor	IPs: 201.49.239.200:443
Source: Malware configuration extractor	IPs: 149.202.72.142:7080
Source: Malware configuration extractor	IPs: 190.45.24.210:80
Source: Malware configuration extractor	IPs: 186.189.249.2:80
Source: Malware configuration extractor	IPs: 219.92.13.25:80
Source: Malware configuration extractor	IPs: 170.81.48.2:80
Source: Malware configuration extractor	IPs: 51.75.33.127:80
Source: Malware configuration extractor	IPs: 192.241.143.52:8080
Source: Malware configuration extractor	IPs: 45.33.77.42:8080
Source: Malware configuration extractor	IPs: 152.169.22.67:80
Source: Malware configuration extractor	IPs: 1.226.84.243:8080
Source: Malware configuration extractor	IPs: 78.206.229.130:80
Source: Malware configuration extractor	IPs: 37.179.145.105:80
Source: Malware configuration extractor	IPs: 68.183.170.114:8080
Source: Malware configuration extractor	IPs: 192.232.229.54:7080
Source: Malware configuration extractor	IPs: 103.236.179.162:80
Source: Malware configuration extractor	IPs: 70.32.84.74:8080
Source: Malware configuration extractor	IPs: 79.118.74.90:80
Source: Malware configuration extractor	IPs: 60.93.23.51:80
Source: Malware configuration extractor	IPs: 181.120.29.49:80
Source: Malware configuration extractor	IPs: 213.52.74.198:80
Source: Malware configuration extractor	IPs: 51.255.165.160:8080
Source: Malware configuration extractor	IPs: 183.176.82.231:80
Source: Malware configuration extractor	IPs: 186.193.229.123:80
Source: Malware configuration extractor	IPs: 98.103.204.12:443
Source: Malware configuration extractor	IPs: 129.232.220.11:8080
Source: Malware configuration extractor	IPs: 181.61.182.143:80
Source: Malware configuration extractor	IPs: 68.183.190.199:8080
Source: Malware configuration extractor	IPs: 190.115.18.139:8080
Source: Malware configuration extractor	IPs: 200.24.255.23:80
Source: Malware configuration extractor	IPs: 103.13.224.53:80
Source: Malware configuration extractor	IPs: 85.214.26.7:8080
Source: Malware configuration extractor	IPs: 190.24.243.186:80
Source: Malware configuration extractor	IPs: 87.106.46.107:8080
Source: Malware configuration extractor	IPs: 177.107.79.214:8080
Source: Malware configuration extractor	IPs: 12.163.208.58:80
Source: Malware configuration extractor	IPs: 187.162.250.23:443
Source: Malware configuration extractor	IPs: 109.101.137.162:8080
Source: Malware configuration extractor	IPs: 82.76.111.249:443
Source: Malware configuration extractor	IPs: 181.30.61.163:443
Source: Malware configuration extractor	IPs: 5.196.35.138:7080
Source: Malware configuration extractor	IPs: 51.15.7.145:80
Source: Malware configuration extractor	IPs: 192.198.91.138:443
Source: Malware configuration extractor	IPs: 188.157.101.114:80
Source: Malware configuration extractor	IPs: 189.2.177.210:443
Source: Malware configuration extractor	IPs: 181.123.6.86:80
Source: Malware configuration extractor	IPs: 109.190.35.249:80
Source: Malware configuration extractor	IPs: 45.16.226.117:443
Source: Malware configuration extractor	IPs: 190.190.219.184:80
Source: Malware configuration extractor	IPs: 104.131.41.185:8080
Source: Malware configuration extractor	IPs: 101.187.81.254:80
Source: Malware configuration extractor	IPs: 62.84.75.50:80
Source: Malware configuration extractor	IPs: 178.250.54.208:8080
Source: Malware configuration extractor	IPs: 201.71.228.86:80
Source: Malware configuration extractor	IPs: 190.92.122.226:80
Source: Malware configuration extractor	IPs: 138.97.60.140:8080

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 7080
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 7080

Source: unknown

Network traffic detected: IP country count 37

Source: global traffic	TCP traffic: 192.168.2.7:49852 -> 118.69.11.81:7080
Source: global traffic	TCP traffic: 192.168.2.7:49936 -> 70.39.251.94:8080
Source: global traffic	TCP traffic: 192.168.2.7:49978 -> 87.230.25.43:8080
Source: global traffic	TCP traffic: 192.168.2.7:49979 -> 94.23.62.116:8080
Source: global traffic	TCP traffic: 192.168.2.7:49983 -> 37.187.161.206:8080
Source: global traffic	TCP traffic: 192.168.2.7:49985 -> 138.97.60.141:7080
Source: global traffic	TCP traffic: 192.168.2.7:49986 -> 177.144.130.105:8080

Source: Joe Sandbox View	IP Address: 81.214.253.80 81.214.253.80
Source: Joe Sandbox View	IP Address: 94.176.234.118 94.176.234.118
Source: Joe Sandbox View	IP Address: 78.206.229.130 78.206.229.130
Source: Joe Sandbox View	IP Address: 181.58.181.9 181.58.181.9
Source: Joe Sandbox View	IP Address: 213.197.182.158 213.197.182.158

Source: Joe Sandbox View	ASN Name: TTNETTR TTNETTR
Source: Joe Sandbox View	ASN Name: RACKRAYUABRakrejusLT RACKRAYUABRakrejusLT
Source: Joe Sandbox View	ASN Name: PROXADFR PROXADFR
Source: Joe Sandbox View	ASN Name: TelmexColombiaSACO TelmexColombiaSACO

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.7:49798
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.7:49980

Source: global traffic	HTTP traffic detected: POST /NVYQ97TAZC9w/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 190.202.229.74/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------------8meBuivDM6SGek6tUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 190.202.229.74Content-Length: 4644Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fcGeLw4p/ihOwVRSFxWUqd0kFgJ/4jfMfuO/EFhh74Ny/if77Qmg3AUNbSqT8W/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 118.69.11.81/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=------------c0nWQm36OPQWUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 118.69.11.81:7080Content-Length: 4644Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /cqrpaz30CJV6rcTaee/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 70.39.251.94/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------------------K4vFIFYq3VJwQqSnJZgKHxUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 70.39.251.94:8080Content-Length: 4628Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /RXVvzMf/N2ZJn/HWDPmWEOobR5vsovM/wC1leNEGWSEakmmN/GZFwmhHZxt53d/1udoH/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 87.230.25.43/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=-----------MbOc2Awa9XJUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 87.230.25.43:8080Content-Length: 4628Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /MVkm4Pe/qvF8hKL0/xQboaYc/tEAE/bvOe1g/jyw23JOFoAe/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 94.23.62.116/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=-----------anyJNRk198MUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 94.23.62.116:8080Content-Length: 4612Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /L3q6/BqUpGZyIOtsBpT/0zFYv51ZlaEeQ4uYJ9/AHC3ud/VyzjKGaZCXONK/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 37.187.161.206/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------TLs7tmoYUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 37.187.161.206:8080Content-Length: 4612Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /9AWvP9tUiB0vNBtHp/soehIFh6TFhjHQ8To/FvPsEJTxaNlNquPbdI/I8C2Lbudvo8T8/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 45.46.37.97/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=---------------------9uUbHI4f4XOvefoNk2pHpUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 45.46.37.97Content-Length: 4612Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /5ZnPdPFU/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 138.97.60.141/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=------------Vb7iRWQMUdrrUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 138.97.60.141:7080Content-Length: 4612Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /2g3r3uVJyW4vwEwW2rV/BSwocEVkUzwjsP3EXb/tToQfSpvkbELnFp/GKhVdMsrUWytWXLFY/s5tFZi8Vxs3oBnZWiR/tXm8d1/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 177.144.130.105/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=-----------------------Xese4L6C2RTuoGm0FY1zcNpUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 177.144.130.105:8080Content-Length: 4612Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /XCULSRNtkPzEnoI/N2CP4bvAn2eR7Mn/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 169.1.39.242/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=-------------------Za2AS9T3nIW3ZQcAbANUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 169.1.39.242Content-Length: 4612Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown	TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown	TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown	TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown	TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown	TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown	TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown	TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown	TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown	TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown	TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown	TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown	TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown	TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown	TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown	TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown	TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown	TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown	TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown	TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown	TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown	TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown	TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown	TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown	TCP traffic detected without corresponding DNS query: 37.187.161.206
Source: unknown	TCP traffic detected without corresponding DNS query: 37.187.161.206
Source: unknown	TCP traffic detected without corresponding DNS query: 37.187.161.206
Source: unknown	TCP traffic detected without corresponding DNS query: 37.187.161.206
Source: unknown	TCP traffic detected without corresponding DNS query: 37.187.161.206
Source: unknown	TCP traffic detected without corresponding DNS query: 37.187.161.206
Source: unknown	TCP traffic detected without corresponding DNS query: 45.46.37.97
Source: unknown	TCP traffic detected without corresponding DNS query: 45.46.37.97
Source: unknown	TCP traffic detected without corresponding DNS query: 45.46.37.97
Source: unknown	TCP traffic detected without corresponding DNS query: 45.46.37.97
Source: unknown	TCP traffic detected without corresponding DNS query: 45.46.37.97
Source: unknown	TCP traffic detected without corresponding DNS query: 45.46.37.97
Source: unknown	TCP traffic detected without corresponding DNS query: 138.97.60.141
Source: unknown	TCP traffic detected without corresponding DNS query: 138.97.60.141
Source: unknown	TCP traffic detected without corresponding DNS query: 138.97.60.141
Source: unknown	TCP traffic detected without corresponding DNS query: 138.97.60.141
Source: unknown	TCP traffic detected without corresponding DNS query: 138.97.60.141
Source: unknown	TCP traffic detected without corresponding DNS query: 138.97.60.141
Source: unknown	TCP traffic detected without corresponding DNS query: 177.144.130.105
Source: unknown	TCP traffic detected without corresponding DNS query: 177.144.130.105

Source: global traffic

DNS traffic detected: DNS query: time.windows.com

Source: unknown

HTTP traffic detected: POST /NVYQ97TAZC9w/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 190.202.229.74/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------------8meBuivDM6SGek6tUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 190.202.229.74Content-Length: 4644Cache-Control: no-cache

Source: wpnclient.exe, 00000004.00000003.2232761331.00000000028EC000.00000004.00000020.00020000.00000000.sdmp, wpnclient.exe, 00000004.00000002.2542343717.00000000028EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://118.69.11.81:7080/fcGeLw4p/ihOwVRSFxWUqd0kFgJ/4jfMfuO/EFhh74Ny/if77Qmg3AUNbSqT8W/
Source: wpnclient.exe, 00000004.00000002.2542343717.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://138.97.60.141:7080/5ZnPdPFU/
Source: wpnclient.exe, 00000004.00000002.2542343717.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://138.97.60.141:7080/5ZnPdPFU/H
Source: wpnclient.exe, 00000004.00000002.2542343717.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://138.97.60.141:7080/5ZnPdPFU/Y
Source: wpnclient.exe, 00000004.00000002.2542343717.00000000028C0000.00000004.00000020.00020000.00000000.sdmp, wpnclient.exe, 00000004.00000002.2542343717.00000000028EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://169.1.39.242/XCULSRNtkPzEnoI/N2CP4bvAn2eR7Mn/
Source: wpnclient.exe, 00000004.00000002.2542343717.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://169.1.39.242/XCULSRNtkPzEnoI/N2CP4bvAn2eR7Mn/s
Source: wpnclient.exe, 00000004.00000002.2542343717.00000000028EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://169.1.39.242/XCULSRNtkPzEnoI/N2CP4bvAn2eR7Mn/wshqos.dll.mui
Source: wpnclient.exe, 00000004.00000002.2541739448.000000000061E000.00000004.00000020.00020000.00000000.sdmp, wpnclient.exe, 00000004.00000002.2542343717.00000000028EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://177.144.130.105:8080/2g3r3uVJyW4vwEwW2rV/BSwocEVkUzwjsP3EXb/tToQfSpvkbELnFp/GKhVdMsrUWytWXLFY
Source: wpnclient.exe, 00000004.00000002.2542343717.00000000028EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://37.187.161.206:8080/L3q6/BqUpGZyIOtsBpT/0zFYv51ZlaEeQ4uYJ9/AHC3ud/VyzjKGaZCXONK/
Source: wpnclient.exe, 00000004.00000002.2542343717.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.46.37.97/9AWvP9tUiB0vNBtHp/soehIFh6TFhjHQ8To/FvPsEJTxaNlNquPbdI/I8C2Lbudvo8T8/
Source: wpnclient.exe, 00000004.00000002.2542343717.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.46.37.97/9AWvP9tUiB0vNBtHp/soehIFh6TFhjHQ8To/FvPsEJTxaNlNquPbdI/I8C2Lbudvo8T8/;
Source: wpnclient.exe, 00000004.00000002.2542343717.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://70.39.251.94:8080/cqrpaz30CJV6rcTaee//if77Qmg3AUNbSqT8W/s
Source: wpnclient.exe, 00000004.00000002.2542343717.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://70.39.251.94:8080/cqrpaz30CJV6rcTaee/6
Source: wpnclient.exe, 00000004.00000002.2542343717.00000000028C0000.00000004.00000020.00020000.00000000.sdmp, wpnclient.exe, 00000004.00000003.2232761331.00000000028EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.230.25.43:8080/RXVvzMf/N2ZJn/HWDPmWEOobR5vsovM/wC1leNEGWSEakmmN/GZFwmhHZxt53d/1udoH/
Source: wpnclient.exe, 00000004.00000002.2542343717.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.230.25.43:8080/RXVvzMf/N2ZJn/HWDPmWEOobR5vsovM/wC1leNEGWSEakmmN/GZFwmhHZxt53d/1udoH/Q
Source: wpnclient.exe, 00000004.00000003.2232761331.00000000028EC000.00000004.00000020.00020000.00000000.sdmp, wpnclient.exe, 00000004.00000002.2542343717.00000000028EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.23.62.116:8080/MVkm4Pe/qvF8hKL0/xQboaYc/tEAE/bvOe1g/jyw23JOFoAe/

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 0.2.mNtu4X8ZyE.exe.221052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regedit.exe.1fd279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wpnclient.exe.21e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regedit.exe.1fd052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mNtu4X8ZyE.exe.221279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regedit.exe.1fd279e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wpnclient.exe.59052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wpnclient.exe.59052e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regedit.exe.1fd052e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mNtu4X8ZyE.exe.221052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mNtu4X8ZyE.exe.221279e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wpnclient.exe.59279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wpnclient.exe.59279e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mNtu4X8ZyE.exe.2670000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regedit.exe.21b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1306329295.0000000002671000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2542043862.00000000021E1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2541675452.0000000000590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1322151004.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1306249932.0000000002614000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2541960416.0000000002184000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1306123613.0000000002210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1322291450.0000000002154000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1322392048.00000000021B1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe

Code function: 4_2_021E2680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey,

4_2_021E2680

System Summary

Uses regedit.exe to modify the Windows registry

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe

Process created: C:\Windows\SysWOW64\expand\regedit.exe "C:\Windows\SysWOW64\expand\regedit.exe"

Source: C:\Windows\SysWOW64\expand\regedit.exe

Code function: 2_2_021B91E0 OpenSCManagerW,CloseServiceHandle,DeleteService,CloseServiceHandle,

2_2_021B91E0

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	File created: C:\Windows\SysWOW64\expand\			Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	File created: C:\Windows\SysWOW64\winhttpcom\			Jump to behavior

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe

File deleted: C:\Windows\SysWOW64\expand\regedit.exe:Zone.Identifier

Jump to behavior

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02678330	0_2_02678330
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_026786F0	0_2_026786F0
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02676860	0_2_02676860
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02677B30	0_2_02677B30
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02673CE0	0_2_02673CE0
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02673EE0	0_2_02673EE0
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_026742C9	0_2_026742C9
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_026741B7	0_2_026741B7
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02674190	0_2_02674190
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02215E67	0_2_02215E67
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02215A7E	0_2_02215A7E
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_0221A28E	0_2_0221A28E
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_022196CE	0_2_022196CE
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02219ECE	0_2_02219ECE
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_022183FE	0_2_022183FE
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_0221587E	0_2_0221587E
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02215D2E	0_2_02215D2E
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02215D55	0_2_02215D55
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_021B8330	2_2_021B8330
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_021B86F0	2_2_021B86F0
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_021B7B30	2_2_021B7B30
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_021B6860	2_2_021B6860
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_021B4190	2_2_021B4190
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_021B41B7	2_2_021B41B7
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_021B42C9	2_2_021B42C9
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_021B3CE0	2_2_021B3CE0
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_021B3EE0	2_2_021B3EE0
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_01FD5D55	2_2_01FD5D55
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_01FD5D2E	2_2_01FD5D2E
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_01FD587E	2_2_01FD587E
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_01FD83FE	2_2_01FD83FE
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_01FD96CE	2_2_01FD96CE
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_01FD9ECE	2_2_01FD9ECE
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_01FDA28E	2_2_01FDA28E
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_01FD5A7E	2_2_01FD5A7E
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_01FD5E67	2_2_01FD5E67
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_021E86F0	4_2_021E86F0
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_021E8330	4_2_021E8330
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_021E7B30	4_2_021E7B30
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_021E6860	4_2_021E6860
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_021E4190	4_2_021E4190
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_021E41B7	4_2_021E41B7
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_021E42C9	4_2_021E42C9
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_021E3CE0	4_2_021E3CE0
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_021E3EE0	4_2_021E3EE0
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_0059587E	4_2_0059587E
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_00595D55	4_2_00595D55
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_00595D2E	4_2_00595D2E
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_00595A7E	4_2_00595A7E
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_00595E67	4_2_00595E67
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_005996CE	4_2_005996CE
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_00599ECE	4_2_00599ECE
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_0059A28E	4_2_0059A28E
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_005983FE	4_2_005983FE

Source: mNtu4X8ZyE.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/0@1/100

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: CreateServiceW,CloseServiceHandle,_snwprintf,HeapFree,OpenSCManagerW,CloseServiceHandle,		0_2_02678CA0
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: CreateServiceW,CloseServiceHandle,_snwprintf,HeapFree,OpenSCManagerW,CloseServiceHandle,		2_2_021B8CA0

Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe

Code function: 4_2_021E4FD0 Process32NextW,Process32FirstW,Process32FirstW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,CloseHandle,

4_2_021E4FD0

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe

Code function: 0_2_02675390 ChangeServiceConfig2W,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree,RtlFreeHeap,

0_2_02675390

Source: mNtu4X8ZyE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mNtu4X8ZyE.exe

ReversingLabs: Detection: 78%

Source: unknown	Process created: C:\Users\user\Desktop\mNtu4X8ZyE.exe "C:\Users\user\Desktop\mNtu4X8ZyE.exe"
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Process created: C:\Windows\SysWOW64\expand\regedit.exe "C:\Windows\SysWOW64\expand\regedit.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: C:\Windows\SysWOW64\expand\regedit.exe	Process created: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe "C:\Windows\SysWOW64\winhttpcom\wpnclient.exe"
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Process created: C:\Windows\SysWOW64\expand\regedit.exe "C:\Windows\SysWOW64\expand\regedit.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	Process created: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe "C:\Windows\SysWOW64\winhttpcom\wpnclient.exe"	Jump to behavior

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: w32time.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Section loaded: winnsi.dll	Jump to behavior

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe

Code function: 0_2_00401600 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,EncryptFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,LoadIconA,LoadCursorA,GetStockObject,RegisterClassA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,CreateWindowExA,ShowWindow,UpdateWindow,GetMessageA,GetMessageA,TranslateMessage,DispatchMessageA,TranslateMessage,DispatchMessageA,GetMessageA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_00401600

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02676240 push ecx; mov dword ptr [esp], 00008F23h	0_2_02676241
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02676140 push ecx; mov dword ptr [esp], 00004AF2h	0_2_02676141
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02676320 push ecx; mov dword ptr [esp], 00009128h	0_2_02676321
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02676220 push ecx; mov dword ptr [esp], 00004B50h	0_2_02676221
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_026760F0 push ecx; mov dword ptr [esp], 0000A172h	0_2_026760F1
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_026762D0 push ecx; mov dword ptr [esp], 00001969h	0_2_026762D1
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_026761D0 push ecx; mov dword ptr [esp], 00004B56h	0_2_026761D1
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_026762A0 push ecx; mov dword ptr [esp], 0000BFAAh	0_2_026762A1
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_026761B0 push ecx; mov dword ptr [esp], 000003A6h	0_2_026761B1
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02676180 push ecx; mov dword ptr [esp], 0000D106h	0_2_02676181
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02676090 push ecx; mov dword ptr [esp], 0000BAD9h	0_2_02676091
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02217E3E push ecx; mov dword ptr [esp], 0000BFAAh	0_2_02217E3F
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02217E6E push ecx; mov dword ptr [esp], 00001969h	0_2_02217E6F
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02217EBE push ecx; mov dword ptr [esp], 00009128h	0_2_02217EBF
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_0221FF7E push esp; retf	0_2_0221FF7F
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_0222C7B2 push edi; iretd	0_2_0222C7B3
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_0222ABBE push edi; iretd	0_2_0222ABBF
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_022257F0 push eax; ret	0_2_022257F3
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_022293C6 push ecx; retf	0_2_022293C7
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02228FCA push ecx; retf	0_2_02228FCB
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02217C2E push ecx; mov dword ptr [esp], 0000BAD9h	0_2_02217C2F
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02220404 push C9686868h; iretd	0_2_02220409
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02217C8E push ecx; mov dword ptr [esp], 0000A172h	0_2_02217C8F
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02217CDE push ecx; mov dword ptr [esp], 00004AF2h	0_2_02217CDF
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02217D1E push ecx; mov dword ptr [esp], 0000D106h	0_2_02217D1F
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02217D6E push ecx; mov dword ptr [esp], 00004B56h	0_2_02217D6F
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02217D4E push ecx; mov dword ptr [esp], 000003A6h	0_2_02217D4F
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02217DBE push ecx; mov dword ptr [esp], 00004B50h	0_2_02217DBF
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02217DDE push ecx; mov dword ptr [esp], 00008F23h	0_2_02217DDF
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_021B6320 push ecx; mov dword ptr [esp], 00009128h	2_2_021B6321
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_021B6220 push ecx; mov dword ptr [esp], 00004B50h	2_2_021B6221

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\expand\regedit.exe	Executable created and started: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe			Jump to behavior
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Executable created and started: C:\Windows\SysWOW64\expand\regedit.exe			Jump to behavior

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe

PE file moved: C:\Windows\SysWOW64\expand\regedit.exe

Jump to behavior

Source: C:\Windows\System32\svchost.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	File opened: C:\Windows\SysWOW64\expand\regedit.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	File opened: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe:Zone.Identifier read attributes \| delete			Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 7080
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 7080

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Windows\SysWOW64\expand\regedit.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess			graph_2-13404
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess			graph_0-13257

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: ChangeServiceConfig2W,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree,RtlFreeHeap,		0_2_02675390
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: ChangeServiceConfig2W,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree,RtlFreeHeap,		2_2_021B5390

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe TID: 7364

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\expand\regedit.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02673A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,	0_2_02673A20
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_021B3A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,	2_2_021B3A20
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_021E3A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose,	4_2_021E3A20

Source: wpnclient.exe, 00000004.00000002.2542343717.00000000028C0000.00000004.00000020.00020000.00000000.sdmp, wpnclient.exe, 00000004.00000002.2541739448.000000000061E000.00000004.00000020.00020000.00000000.sdmp, wpnclient.exe, 00000004.00000003.2232761331.00000000028EC000.00000004.00000020.00020000.00000000.sdmp, wpnclient.exe, 00000004.00000002.2542343717.00000000028EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000003.00000002.2541665030.0000021035C2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	API call chain: ExitProcess graph end node	graph_0-13070
Source: C:\Windows\SysWOW64\expand\regedit.exe	API call chain: ExitProcess graph end node	graph_2-13983
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	API call chain: ExitProcess graph end node	graph_4-13115

Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe

0_2_00401600

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe

0_2_00401600

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02675140 mov eax, dword ptr fs:[00000030h]	0_2_02675140
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02674190 mov eax, dword ptr fs:[00000030h]	0_2_02674190
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02210456 mov eax, dword ptr fs:[00000030h]	0_2_02210456
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02216CDE mov eax, dword ptr fs:[00000030h]	0_2_02216CDE
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02215D2E mov eax, dword ptr fs:[00000030h]	0_2_02215D2E
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_0221095E mov eax, dword ptr fs:[00000030h]	0_2_0221095E
Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe	Code function: 0_2_02611030 mov eax, dword ptr fs:[00000030h]	0_2_02611030
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_021B5140 mov eax, dword ptr fs:[00000030h]	2_2_021B5140
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_021B4190 mov eax, dword ptr fs:[00000030h]	2_2_021B4190
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_01FD095E mov eax, dword ptr fs:[00000030h]	2_2_01FD095E
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_01FD5D2E mov eax, dword ptr fs:[00000030h]	2_2_01FD5D2E
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_01FD6CDE mov eax, dword ptr fs:[00000030h]	2_2_01FD6CDE
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_01FD0456 mov eax, dword ptr fs:[00000030h]	2_2_01FD0456
Source: C:\Windows\SysWOW64\expand\regedit.exe	Code function: 2_2_02151030 mov eax, dword ptr fs:[00000030h]	2_2_02151030
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_021E5140 mov eax, dword ptr fs:[00000030h]	4_2_021E5140
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_021E4190 mov eax, dword ptr fs:[00000030h]	4_2_021E4190
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_00590456 mov eax, dword ptr fs:[00000030h]	4_2_00590456
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_00596CDE mov eax, dword ptr fs:[00000030h]	4_2_00596CDE
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_0059095E mov eax, dword ptr fs:[00000030h]	4_2_0059095E
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_00595D2E mov eax, dword ptr fs:[00000030h]	4_2_00595D2E
Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe	Code function: 4_2_02181030 mov eax, dword ptr fs:[00000030h]	4_2_02181030

Source: C:\Users\user\Desktop\mNtu4X8ZyE.exe

Code function: 0_2_02611030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

0_2_02611030

Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe

Code function: 4_2_021E5720 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo,

4_2_021E5720

Source: C:\Windows\SysWOW64\winhttpcom\wpnclient.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: 0.2.mNtu4X8ZyE.exe.221052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regedit.exe.1fd279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wpnclient.exe.21e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regedit.exe.1fd052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mNtu4X8ZyE.exe.221279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regedit.exe.1fd279e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wpnclient.exe.59052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wpnclient.exe.59052e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regedit.exe.1fd052e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mNtu4X8ZyE.exe.221052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mNtu4X8ZyE.exe.221279e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wpnclient.exe.59279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.wpnclient.exe.59279e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mNtu4X8ZyE.exe.2670000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regedit.exe.21b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1306329295.0000000002671000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2542043862.00000000021E1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2541675452.0000000000590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1322151004.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1306249932.0000000002614000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2541960416.0000000002184000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1306123613.0000000002210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1322291450.0000000002154000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1322392048.00000000021B1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Service Execution	22 Windows Service	22 Windows Service	12 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	11 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 Process Injection	1 Modify Registry	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	1 System Service Discovery	Distributed Component Object Model	Input Capture	112 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
mNtu4X8ZyE.exe	79%	ReversingLabs	Win32.Trojan.Emotet
mNtu4X8ZyE.exe	100%	Avira	TR/Crypt.XPACK.Gen2
mNtu4X8ZyE.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://138.97.60.141:7080/5ZnPdPFU/H	0%	Avira URL Cloud	safe
http://70.39.251.94:8080/cqrpaz30CJV6rcTaee/6	0%	Avira URL Cloud	safe
http://169.1.39.242/XCULSRNtkPzEnoI/N2CP4bvAn2eR7Mn/s	0%	Avira URL Cloud	safe
http://169.1.39.242/XCULSRNtkPzEnoI/N2CP4bvAn2eR7Mn/	0%	Avira URL Cloud	safe
http://70.39.251.94:8080/cqrpaz30CJV6rcTaee//if77Qmg3AUNbSqT8W/s	0%	Avira URL Cloud	safe
http://138.97.60.141:7080/5ZnPdPFU/Y	0%	Avira URL Cloud	safe
http://87.230.25.43:8080/RXVvzMf/N2ZJn/HWDPmWEOobR5vsovM/wC1leNEGWSEakmmN/GZFwmhHZxt53d/1udoH/	0%	Avira URL Cloud	safe
http://87.230.25.43:8080/RXVvzMf/N2ZJn/HWDPmWEOobR5vsovM/wC1leNEGWSEakmmN/GZFwmhHZxt53d/1udoH/Q	0%	Avira URL Cloud	safe
http://45.46.37.97/9AWvP9tUiB0vNBtHp/soehIFh6TFhjHQ8To/FvPsEJTxaNlNquPbdI/I8C2Lbudvo8T8/;	0%	Avira URL Cloud	safe
http://37.187.161.206:8080/L3q6/BqUpGZyIOtsBpT/0zFYv51ZlaEeQ4uYJ9/AHC3ud/VyzjKGaZCXONK/	0%	Avira URL Cloud	safe
http://190.202.229.74/NVYQ97TAZC9w/	0%	Avira URL Cloud	safe
http://138.97.60.141:7080/5ZnPdPFU/	0%	Avira URL Cloud	safe
http://94.23.62.116:8080/MVkm4Pe/qvF8hKL0/xQboaYc/tEAE/bvOe1g/jyw23JOFoAe/	0%	Avira URL Cloud	safe
http://118.69.11.81:7080/fcGeLw4p/ihOwVRSFxWUqd0kFgJ/4jfMfuO/EFhh74Ny/if77Qmg3AUNbSqT8W/	0%	Avira URL Cloud	safe
http://169.1.39.242/XCULSRNtkPzEnoI/N2CP4bvAn2eR7Mn/wshqos.dll.mui	0%	Avira URL Cloud	safe
http://70.39.251.94:8080/cqrpaz30CJV6rcTaee/	0%	Avira URL Cloud	safe
http://177.144.130.105:8080/2g3r3uVJyW4vwEwW2rV/BSwocEVkUzwjsP3EXb/tToQfSpvkbELnFp/GKhVdMsrUWytWXLFY	0%	Avira URL Cloud	safe
http://45.46.37.97/9AWvP9tUiB0vNBtHp/soehIFh6TFhjHQ8To/FvPsEJTxaNlNquPbdI/I8C2Lbudvo8T8/	0%	Avira URL Cloud	safe
http://177.144.130.105:8080/2g3r3uVJyW4vwEwW2rV/BSwocEVkUzwjsP3EXb/tToQfSpvkbELnFp/GKhVdMsrUWytWXLFY/s5tFZi8Vxs3oBnZWiR/tXm8d1/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
time.windows.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://169.1.39.242/XCULSRNtkPzEnoI/N2CP4bvAn2eR7Mn/	true	Avira URL Cloud: safe	unknown
http://87.230.25.43:8080/RXVvzMf/N2ZJn/HWDPmWEOobR5vsovM/wC1leNEGWSEakmmN/GZFwmhHZxt53d/1udoH/	true	Avira URL Cloud: safe	unknown
http://37.187.161.206:8080/L3q6/BqUpGZyIOtsBpT/0zFYv51ZlaEeQ4uYJ9/AHC3ud/VyzjKGaZCXONK/	true	Avira URL Cloud: safe	unknown
http://190.202.229.74/NVYQ97TAZC9w/	true	Avira URL Cloud: safe	unknown
http://138.97.60.141:7080/5ZnPdPFU/	true	Avira URL Cloud: safe	unknown
http://118.69.11.81:7080/fcGeLw4p/ihOwVRSFxWUqd0kFgJ/4jfMfuO/EFhh74Ny/if77Qmg3AUNbSqT8W/	true	Avira URL Cloud: safe	unknown
http://70.39.251.94:8080/cqrpaz30CJV6rcTaee/	true	Avira URL Cloud: safe	unknown
http://94.23.62.116:8080/MVkm4Pe/qvF8hKL0/xQboaYc/tEAE/bvOe1g/jyw23JOFoAe/	true	Avira URL Cloud: safe	unknown
http://177.144.130.105:8080/2g3r3uVJyW4vwEwW2rV/BSwocEVkUzwjsP3EXb/tToQfSpvkbELnFp/GKhVdMsrUWytWXLFY/s5tFZi8Vxs3oBnZWiR/tXm8d1/	true	Avira URL Cloud: safe	unknown
http://45.46.37.97/9AWvP9tUiB0vNBtHp/soehIFh6TFhjHQ8To/FvPsEJTxaNlNquPbdI/I8C2Lbudvo8T8/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://138.97.60.141:7080/5ZnPdPFU/H	wpnclient.exe, 00000004.00000002.2542343717.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://70.39.251.94:8080/cqrpaz30CJV6rcTaee/6	wpnclient.exe, 00000004.00000002.2542343717.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://169.1.39.242/XCULSRNtkPzEnoI/N2CP4bvAn2eR7Mn/s	wpnclient.exe, 00000004.00000002.2542343717.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://138.97.60.141:7080/5ZnPdPFU/Y	wpnclient.exe, 00000004.00000002.2542343717.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://70.39.251.94:8080/cqrpaz30CJV6rcTaee//if77Qmg3AUNbSqT8W/s	wpnclient.exe, 00000004.00000002.2542343717.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://87.230.25.43:8080/RXVvzMf/N2ZJn/HWDPmWEOobR5vsovM/wC1leNEGWSEakmmN/GZFwmhHZxt53d/1udoH/Q	wpnclient.exe, 00000004.00000002.2542343717.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://45.46.37.97/9AWvP9tUiB0vNBtHp/soehIFh6TFhjHQ8To/FvPsEJTxaNlNquPbdI/I8C2Lbudvo8T8/;	wpnclient.exe, 00000004.00000002.2542343717.00000000028C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://169.1.39.242/XCULSRNtkPzEnoI/N2CP4bvAn2eR7Mn/wshqos.dll.mui	wpnclient.exe, 00000004.00000002.2542343717.00000000028EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://177.144.130.105:8080/2g3r3uVJyW4vwEwW2rV/BSwocEVkUzwjsP3EXb/tToQfSpvkbELnFp/GKhVdMsrUWytWXLFY	wpnclient.exe, 00000004.00000002.2541739448.000000000061E000.00000004.00000020.00020000.00000000.sdmp, wpnclient.exe, 00000004.00000002.2542343717.00000000028EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
81.214.253.80	unknown	Turkey	9121	TTNETTR	true
94.176.234.118	unknown	Lithuania	62282	RACKRAYUABRakrejusLT	true
78.206.229.130	unknown	France	12322	PROXADFR	true
181.58.181.9	unknown	Colombia	10620	TelmexColombiaSACO	true
213.197.182.158	unknown	Lithuania	15440	BALTNETACustomersASLT	true
103.13.224.53	unknown	Bangladesh	58672	MAXNETONLINE-BDMaxnetOnlineBD	true
209.236.123.42	unknown	United States	393398	ASN-DISUS	true
79.118.74.90	unknown	Romania	8708	RCS-RDS73-75DrStaicoviciRO	true
51.15.7.145	unknown	France	12876	OnlineSASFR	true
190.45.24.210	unknown	Chile	22047	VTRBANDAANCHASACL	true
5.196.35.138	unknown	France	16276	OVHFR	true
190.190.219.184	unknown	Argentina	10481	TelecomArgentinaSAAR	true
200.59.6.174	unknown	Argentina	12150	COTELCAMAR	true
181.129.96.162	unknown	Colombia	13489	EPMTelecomunicacionesSAESPCO	true
50.28.51.143	unknown	United States	32244	LIQUIDWEBUS	true
189.34.181.88	unknown	Brazil	28573	CLAROSABR	true
149.202.72.142	unknown	France	16276	OVHFR	true
82.76.52.155	unknown	Romania	8708	RCS-RDS73-75DrStaicoviciRO	true
5.89.33.136	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
45.16.226.117	unknown	United States	7018	ATT-INTERNET4US	true
120.72.18.91	unknown	Philippines	38553	DCTECHDVO-AS-APInternetServiceProviderandDataCenterP	true
187.162.250.23	unknown	Mexico	6503	AxtelSABdeCVMX	true
12.163.208.58	unknown	United States	7018	ATT-INTERNET4US	true
101.187.81.254	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
177.107.79.214	unknown	Brazil	52862	RedenilfServicosdeTelecomunicacoesLtdaBR	true
202.134.4.210	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
190.64.88.186	unknown	Uruguay	6057	AdministracionNacionaldeTelecomunicacionesUY	true
68.183.170.114	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
168.197.45.36	unknown	Argentina	264781	VIDEOTELSRLAR	true
1.226.84.243	unknown	Korea Republic of	9277	SKB-T-AS-KRSKBroadbandCoLtdKR	true
24.135.69.146	unknown	Serbia	31042	SERBIA-BROADBAND-ASSerbiaBroadBand-SrpskeKablovskemreze	true
137.74.106.111	unknown	France	16276	OVHFR	true
172.104.169.32	unknown	United States	63949	LINODE-APLinodeLLCUS	true
178.250.54.208	unknown	United Kingdom	20860	IOMART-ASGB	true
45.33.77.42	unknown	United States	63949	LINODE-APLinodeLLCUS	true
46.101.58.37	unknown	Netherlands	14061	DIGITALOCEAN-ASNUS	true
177.23.7.151	unknown	Brazil	262886	LansofNetLTDAMEBR	true
216.47.196.104	unknown	United States	12083	WOW-INTERNETUS	true
83.169.21.32	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	true
109.190.35.249	unknown	France	35540	OVH-TELECOMFR	true
172.86.186.21	unknown	Canada	32489	AMANAHA-NEWCA	true
70.32.115.157	unknown	United States	31815	MEDIATEMPLEUS	true
186.189.249.2	unknown	Argentina	16814	NSSSAAR	true
109.101.137.162	unknown	Romania	9050	RTDBucharestRomaniaRO	true
190.115.18.139	unknown	Belize	262254	DDOS-GUARDCORPBZ	true
189.223.16.99	unknown	Mexico	8151	UninetSAdeCVMX	true
201.49.239.200	unknown	Brazil	52532	SpeednetTelecomunicacoesLtdaMEBR	true
185.94.252.27	unknown	Germany	197890	MEGASERVERS-DE	true
178.211.45.66	unknown	Turkey	197328	INETLTDTR	true
169.1.39.242	unknown	South Africa	37611	AfrihostZA	true
188.135.15.49	unknown	Oman	50010	NAWRAS-ASSultanateofOmanOM	true
60.249.78.226	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	true
181.123.6.86	unknown	Paraguay	23201	TelecelSAPY	true
193.251.77.110	unknown	France	3215	FranceTelecom-OrangeFR	true
192.241.143.52	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
128.92.203.42	unknown	United States	20115	CHARTER-20115US	true
81.215.230.173	unknown	Turkey	9121	TTNETTR	true
111.67.12.221	unknown	Australia	55803	DIGITALPACIFIC-AUDigitalPacificPtyLtdAustraliaAU	true
46.105.114.137	unknown	France	16276	OVHFR	true
192.232.229.54	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
191.182.6.118	unknown	Brazil	28573	CLAROSABR	true
200.24.255.23	unknown	Argentina	52381	SociedadCooperativaPopularLimitadadeComodoroAR	true
177.73.0.98	unknown	Brazil	53184	INBTelecomEIRELIBR	true
70.32.84.74	unknown	United States	398110	GO-DADDY-COM-LLCUS	true
12.162.84.2	unknown	United States	7018	ATT-INTERNET4US	true
181.61.182.143	unknown	Colombia	10620	TelmexColombiaSACO	true
170.81.48.2	unknown	Brazil	263634	TACNETTELECOMBR	true
181.120.29.49	unknown	Paraguay	23201	TelecelSAPY	true
219.92.13.25	unknown	Malaysia	4788	TMNET-AS-APTMNetInternetServiceProviderMY	true
98.103.204.12	unknown	United States	10796	TWC-10796-MIDWESTUS	true
190.101.156.139	unknown	Chile	22047	VTRBANDAANCHASACL	true
2.45.176.233	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
187.162.248.237	unknown	Mexico	6503	AxtelSABdeCVMX	true
186.193.229.123	unknown	Brazil	262731	CTINETSOLUCOESEMCONECTIVIDADEEINFORMATICALTDBR	true
189.2.177.210	unknown	Brazil	4230	CLAROSABR	true
37.183.81.217	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
179.222.115.170	unknown	Brazil	28573	CLAROSABR	true
37.179.145.105	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
118.69.11.81	unknown	Viet Nam	18403	FPT-AS-APTheCorporationforFinancingPromotingTechnolo	true
68.183.190.199	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
183.176.82.231	unknown	Japan	7522	STCNSTNetIncorporatedJP	true
177.144.130.105	unknown	Brazil	27699	TELEFONICABRASILSABR	true
181.30.61.163	unknown	Argentina	10318	TelecomArgentinaSAAR	true
190.202.229.74	unknown	Venezuela	8048	CANTVServiciosVenezuelaVE	true
82.76.111.249	unknown	Romania	8708	RCS-RDS73-75DrStaicoviciRO	true
77.238.212.227	unknown	Bosnia and Herzegowina	42560	BA-TELEMACH-ASTelemachdooSarajevoBA	true
217.13.106.14	unknown	Hungary	12301	INVITECHHU	true
77.78.196.173	unknown	Bosnia and Herzegowina	42560	BA-TELEMACH-ASTelemachdooSarajevoBA	true
62.84.75.50	unknown	Lebanon	42334	BBP-ASLB	true
37.187.161.206	unknown	France	16276	OVHFR	true
201.213.177.139	unknown	Argentina	10481	TelecomArgentinaSAAR	true
188.251.213.180	unknown	Portugal	3243	MEO-RESIDENCIALPT	true
109.242.153.9	unknown	Greece	25472	WIND-ASGR	true
85.214.26.7	unknown	Germany	6724	STRATOSTRATOAGDE	true
51.75.33.127	unknown	France	16276	OVHFR	true
188.157.101.114	unknown	Hungary	5483	MAGYAR-TELEKOM-MAIN-ASMagyarTelekomNyrtHU	true
46.43.2.95	unknown	United Kingdom	35425	BYTEMARK-ASGB	true
59.148.253.194	unknown	Hong Kong	9269	HKBN-AS-APHongKongBroadbandNetworkLtdHK	true
74.58.215.226	unknown	Canada	5769	VIDEOTRONCA	true
87.106.46.107	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1553820
Start date and time:	2024-11-11 18:21:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mNtu4X8ZyE.exe renamed because original name is a hash value
Original Sample Name:	3d1ad8f5c275b10be10f06b5505bee6ae6c80e60.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/0@1/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 58 Number of non-executed functions: 45
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.101.57.9
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, twc.trafficmanager.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: mNtu4X8ZyE.exe

Simulations

Behavior and APIs

Time	Type	Description
12:22:14	API Interceptor	1x Sleep call for process: mNtu4X8ZyE.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
81.214.253.80	ExeFile (107).exe	Get hash	malicious	Emotet	Browse	81.214.253.80:443/k9T0ogQ/wOeTRCAjeZOsy4XFiQ/
81.214.253.80	sample.exe	Get hash	malicious	Emotet	Browse	81.214.253.80:443/EcHFqzWnBKc4hX/EXKH5Mm0mWNMP9/8o0s02d4l/
94.176.234.118	75A0VTo3z9.exe	Get hash	malicious	Emotet	Browse
	ExeFile (278).exe	Get hash	malicious	Emotet	Browse
	ExeFile (305).exe	Get hash	malicious	Emotet	Browse
	ExeFile (323).exe	Get hash	malicious	Emotet	Browse
	ExeFile (347).exe	Get hash	malicious	Emotet	Browse
	ExeFile (349).exe	Get hash	malicious	Emotet	Browse
	ExeFile (369).exe	Get hash	malicious	Emotet	Browse
	ExeFile (367).exe	Get hash	malicious	Emotet	Browse
	ExeFile (371).exe	Get hash	malicious	Emotet	Browse
	ExeFile (378).exe	Get hash	malicious	Emotet	Browse
78.206.229.130	ExeFile (211).exe	Get hash	malicious	Emotet	Browse
	LisectAVT_2403002C_62.dll	Get hash	malicious	Emotet	Browse
	xpng5kkgI.dll	Get hash	malicious	Emotet	Browse
	KNEa2w7v3a.exe	Get hash	malicious	Emotet	Browse
	Io8ic2291n.doc	Get hash	malicious	Emotet	Browse
181.58.181.9	ExeFile (305).exe	Get hash	malicious	Emotet	Browse
	ExeFile (394).exe	Get hash	malicious	Emotet	Browse
	ExeFile (286).exe	Get hash	malicious	Emotet	Browse
	ExeFile (211).exe	Get hash	malicious	Emotet	Browse
	KNEa2w7v3a.exe	Get hash	malicious	Emotet	Browse
213.197.182.158	75A0VTo3z9.exe	Get hash	malicious	Emotet	Browse
	ExeFile (305).exe	Get hash	malicious	Emotet	Browse
	ExeFile (323).exe	Get hash	malicious	Emotet	Browse
	ExeFile (347).exe	Get hash	malicious	Emotet	Browse
	ExeFile (349).exe	Get hash	malicious	Emotet	Browse
	ExeFile (369).exe	Get hash	malicious	Emotet	Browse
	ExeFile (367).exe	Get hash	malicious	Emotet	Browse
	ExeFile (371).exe	Get hash	malicious	Emotet	Browse
	ExeFile (378).exe	Get hash	malicious	Emotet	Browse
	ExeFile (394).exe	Get hash	malicious	Emotet	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RACKRAYUABRakrejusLT	75A0VTo3z9.exe	Get hash	malicious	Emotet	Browse	94.176.234.118
	G9Z66ZF3Y370FN9E.js	Get hash	malicious	Unknown	Browse	79.98.25.1
	G9Z66ZF3Y370FN9E.js	Get hash	malicious	Unknown	Browse	79.98.25.1
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	176.223.128.227
	ExeFile (278).exe	Get hash	malicious	Emotet	Browse	94.176.234.118
	ExeFile (305).exe	Get hash	malicious	Emotet	Browse	94.176.234.118
	ExeFile (317).exe	Get hash	malicious	Emotet	Browse	79.98.24.39
	ExeFile (323).exe	Get hash	malicious	Emotet	Browse	94.176.234.118
	ExeFile (347).exe	Get hash	malicious	Emotet	Browse	94.176.234.118
	ExeFile (349).exe	Get hash	malicious	Emotet	Browse	94.176.234.118
TTNETTR	sora.arm.elf	Get hash	malicious	Mirai	Browse	88.254.107.220
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	78.166.239.52
	shindemips.elf	Get hash	malicious	Unknown	Browse	88.255.203.195
	botnet.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	85.100.46.152
	5r3fqt67ew531has4231.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	95.8.187.72
	yakuza.x86.elf	Get hash	malicious	Unknown	Browse	88.235.149.95
	5r3fqt67ew531has4231.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse	88.245.198.133
	5r3fqt67ew531has4231.spc.elf	Get hash	malicious	Mirai, Okiru	Browse	88.245.198.125
	5r3fqt67ew531has4231.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	88.245.198.148
	debug.dbg.elf	Get hash	malicious	Mirai, Moobot	Browse	62.248.16.27
PROXADFR	sora.sh4.elf	Get hash	malicious	Mirai	Browse	82.225.50.254
	botnet.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	78.222.108.142
	botnet.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	83.157.71.225
	5r3fqt67ew531has4231.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	88.189.183.27
	5r3fqt67ew531has4231.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse	88.165.18.233
	yakuza.i686.elf	Get hash	malicious	Unknown	Browse	78.212.231.98
	5r3fqt67ew531has4231.spc.elf	Get hash	malicious	Mirai, Okiru	Browse	88.180.232.157
	ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	78.219.16.122
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	78.217.246.201
	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	78.224.159.162
TelmexColombiaSACO	byte.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	190.156.99.191
	bin.m68k.elf	Get hash	malicious	Mirai	Browse	190.159.249.139
	bin.spc.elf	Get hash	malicious	Mirai	Browse	181.54.129.32
	sora.mpsl.elf	Get hash	malicious	Unknown	Browse	190.156.55.4
	C6IlHsFs4g.elf	Get hash	malicious	Mirai, Moobot	Browse	190.84.64.227
	nuklear.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	181.62.19.182
	nuklear.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	186.83.234.209
	spc.elf	Get hash	malicious	Mirai	Browse	190.143.63.161
	sh4.elf	Get hash	malicious	Mirai	Browse	181.61.167.58
	file.exe	Get hash	malicious	SmokeLoader	Browse	190.146.112.188

File type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.961491680267367
TrID:	Win32 Executable (generic) a (10002005/4) 99.98% DOS Executable Generic (2002/1) 0.02%
File name:	mNtu4X8ZyE.exe
File size:	479'232 bytes
MD5:	6e30d8bda11412a2272a387b549be17a
SHA1:	3d1ad8f5c275b10be10f06b5505bee6ae6c80e60
SHA256:	c3ad80d9e8443b1beae2dfe76227770b83fa852b9226f91a5628cb06624d8d9c
SHA512:	bbc20aa344c58907b09647a308e204e1728d45efc60911c95c3b52f78bac2b3395b616796f0cc8f22250053a8b777bb38302ecd49fb81164e71912908516ff23
SSDEEP:	6144:gu079Bvns6+dSEDVoOhjfbJ0r0dZQ4XYo8Zv/J5QnEZgHmjihGXL/578RdBg9:gD9Z1/2GOxfbQCBURzQ4ga6U8Re
TLSH:	A1A422BAC0403AA5D9D25C7046C1BEBB1715CA43C34949EB4675B96FBD1BBCCE0BC09A
File Content Preview:	MZ~`.t.].-_.G\|.b../.c.!{....).7.ZKcG..).?oj.3 \oR...-.)...3.............!..L.!This program cannot be run in DOS mode....$.......sf!.7.O.7.O.7.O...E.<.O...A.6.O...K.3.O.U.\.3.O.#lN.4.O.7.N...O...D.4.O...I.6.O.Rich7.O.........PE..L......_.................0.

File Icon


Icon Hash:	49484d4b4b066c6e

Static PE Info

General

Entrypoint:	0x4020ea
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x5F9B1381 [Thu Oct 29 19:09:53 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	50f8a2255c4baf188eb0098c86160f78

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00404000h
push 004022A0h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [0040632Ch]
pop ecx
or dword ptr [004059C4h], FFFFFFFFh
or dword ptr [004059D4h], FFFFFFFFh
call dword ptr [00406330h]
mov ecx, dword ptr [004059B4h]
mov dword ptr [eax], ecx
call dword ptr [00406334h]
mov ecx, dword ptr [004059B0h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00406340h]
mov eax, dword ptr [eax]
mov dword ptr [004059B8h], eax
call 00007F43789C1523h
cmp dword ptr [00405844h], ebx
jne 00007F43789C13FEh
push 00402284h
call dword ptr [00406360h]
pop ecx
call 00007F43789C14EFh
push 00405418h
push 00405314h
call 00007F43789C14DAh
mov eax, dword ptr [004059ACh]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [004059A8h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00406358h]
push 00405210h
push 00405000h
call 00007F43789C14A7h

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[LNK] VS98 (6.0) imp/exp build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6000	0x78	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7000	0x6c0f3	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x74000	0x218	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x624c	0x1d4	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x23bb	0x3000	718fdc042134f25a5a40717602c1fef4	False	0.18717447916666666	data	3.248426933367741	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4000	0x10e	0x1000	d7bfa72795a429a22c2933327a48ac36	False	0.009521484375	data	0.02988508912012526	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5000	0x9d8	0x1000	067e9b2b98c39feaedbe17a906add6e0	False	0.130615234375	data	1.4966190094799063	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6000	0xab8	0x1000	39eba814fac73307fa69560b90aa11be	False	0.227294921875	data	2.933331512837663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x7000	0x6c0f3	0x6d000	5e68363649596dedb1cb7bae79dad51f	False	0.8062329773509175	data	7.162307572718082	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x74000	0x77d	0x1000	77d32d9e08808396ded4f36f995f0ea5	False	0.130615234375	data	1.3228145100632136	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x72e0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.2567204301075269
RT_ICON	0x75c8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.32432432432432434
RT_ICON	0x76f0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.21695095948827292
RT_DIALOG	0x60f00	0x16a	data	English	United States	0.580110497237569
RT_RCDATA	0x85c8	0x58933	data	English	United States	0.9869460836872903
RT_GROUP_ICON	0x8598	0x30	data	English	United States	0.9583333333333334

Imports

DLL	Import
KERNEL32.dll	LoadLibraryA, GetModuleHandleA, GetStartupInfoA, GetProcAddress, GetModuleHandleExA, VirtualAlloc
USER32.dll	SetDlgItemTextA, DestroyWindow, DispatchMessageA, GetDlgItemTextA, SetWindowTextA, FindWindowA, PostQuitMessage, GetSystemMenu, AppendMenuA, DefWindowProcA, LoadIconA, LoadCursorA, RegisterClassA, CreateWindowExA, ShowWindow, UpdateWindow, GetMessageA, DialogBoxParamA, TranslateMessage
GDI32.dll	GetStockObject
MSVCRT.dll	exit, _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, malloc, ??3@YAXPAX@Z, _adjust_fdiv, _onexit, _exit, _XcptFilter, __dllonexit, _acmdln, __getmainargs, _initterm, __setusermatherr
MSVCP60.dll	?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z, ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z, ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z, ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z, ??0Init@ios_base@std@@QAE@XZ, ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z, ??1_Winit@std@@QAE@XZ, ??0_Winit@std@@QAE@XZ, ??1Init@ios_base@std@@QAE@XZ

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-11T18:22:34.128040+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.7	49798	TCP
2024-11-11T18:22:36.385675+0100	2035077	ET MALWARE Win32/Emotet CnC Activity (POST) M11	1	192.168.2.7	49766	190.202.229.74	80	TCP
2024-11-11T18:22:56.826697+0100	2035077	ET MALWARE Win32/Emotet CnC Activity (POST) M11	1	192.168.2.7	49936	70.39.251.94	8080	TCP
2024-11-11T18:23:08.796039+0100	2035077	ET MALWARE Win32/Emotet CnC Activity (POST) M11	1	192.168.2.7	49978	87.230.25.43	8080	TCP
2024-11-11T18:23:14.538600+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.7	49980	TCP
2024-11-11T18:23:20.800044+0100	2035077	ET MALWARE Win32/Emotet CnC Activity (POST) M11	1	192.168.2.7	49979	94.23.62.116	8080	TCP
2024-11-11T18:23:32.953468+0100	2035077	ET MALWARE Win32/Emotet CnC Activity (POST) M11	1	192.168.2.7	49983	37.187.161.206	8080	TCP
2024-11-11T18:23:45.064324+0100	2035077	ET MALWARE Win32/Emotet CnC Activity (POST) M11	1	192.168.2.7	49984	45.46.37.97	80	TCP
2024-11-11T18:23:57.482018+0100	2035077	ET MALWARE Win32/Emotet CnC Activity (POST) M11	1	192.168.2.7	49985	138.97.60.141	7080	TCP
2024-11-11T18:24:08.284550+0100	2035077	ET MALWARE Win32/Emotet CnC Activity (POST) M11	1	192.168.2.7	49986	177.144.130.105	8080	TCP
2024-11-11T18:24:20.133558+0100	2035077	ET MALWARE Win32/Emotet CnC Activity (POST) M11	1	192.168.2.7	49987	169.1.39.242	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 11, 2024 18:22:28.033673048 CET	49766	80	192.168.2.7	190.202.229.74
Nov 11, 2024 18:22:28.038706064 CET	80	49766	190.202.229.74	192.168.2.7
Nov 11, 2024 18:22:28.038825035 CET	49766	80	192.168.2.7	190.202.229.74
Nov 11, 2024 18:22:28.038981915 CET	49766	80	192.168.2.7	190.202.229.74
Nov 11, 2024 18:22:28.039041042 CET	49766	80	192.168.2.7	190.202.229.74
Nov 11, 2024 18:22:28.043724060 CET	80	49766	190.202.229.74	192.168.2.7
Nov 11, 2024 18:22:28.043853998 CET	80	49766	190.202.229.74	192.168.2.7
Nov 11, 2024 18:22:28.043900967 CET	80	49766	190.202.229.74	192.168.2.7
Nov 11, 2024 18:22:28.043910980 CET	80	49766	190.202.229.74	192.168.2.7
Nov 11, 2024 18:22:28.043921947 CET	80	49766	190.202.229.74	192.168.2.7
Nov 11, 2024 18:22:36.385466099 CET	80	49766	190.202.229.74	192.168.2.7
Nov 11, 2024 18:22:36.385674953 CET	49766	80	192.168.2.7	190.202.229.74
Nov 11, 2024 18:22:36.385982990 CET	49766	80	192.168.2.7	190.202.229.74
Nov 11, 2024 18:22:36.390885115 CET	80	49766	190.202.229.74	192.168.2.7
Nov 11, 2024 18:22:39.759994984 CET	49852	7080	192.168.2.7	118.69.11.81
Nov 11, 2024 18:22:39.765162945 CET	7080	49852	118.69.11.81	192.168.2.7
Nov 11, 2024 18:22:39.765270948 CET	49852	7080	192.168.2.7	118.69.11.81
Nov 11, 2024 18:22:39.765384912 CET	49852	7080	192.168.2.7	118.69.11.81
Nov 11, 2024 18:22:39.765417099 CET	49852	7080	192.168.2.7	118.69.11.81
Nov 11, 2024 18:22:39.770313978 CET	7080	49852	118.69.11.81	192.168.2.7
Nov 11, 2024 18:22:39.770334005 CET	7080	49852	118.69.11.81	192.168.2.7
Nov 11, 2024 18:22:39.770344019 CET	7080	49852	118.69.11.81	192.168.2.7
Nov 11, 2024 18:22:39.770358086 CET	7080	49852	118.69.11.81	192.168.2.7
Nov 11, 2024 18:22:39.770390987 CET	7080	49852	118.69.11.81	192.168.2.7
Nov 11, 2024 18:22:48.285341024 CET	7080	49852	118.69.11.81	192.168.2.7
Nov 11, 2024 18:22:48.285397053 CET	49852	7080	192.168.2.7	118.69.11.81
Nov 11, 2024 18:22:48.287019014 CET	49852	7080	192.168.2.7	118.69.11.81
Nov 11, 2024 18:22:48.291954041 CET	7080	49852	118.69.11.81	192.168.2.7
Nov 11, 2024 18:22:51.352839947 CET	49936	8080	192.168.2.7	70.39.251.94
Nov 11, 2024 18:22:51.357899904 CET	8080	49936	70.39.251.94	192.168.2.7
Nov 11, 2024 18:22:51.357995987 CET	49936	8080	192.168.2.7	70.39.251.94
Nov 11, 2024 18:22:51.358166933 CET	49936	8080	192.168.2.7	70.39.251.94
Nov 11, 2024 18:22:51.358239889 CET	49936	8080	192.168.2.7	70.39.251.94
Nov 11, 2024 18:22:51.363073111 CET	8080	49936	70.39.251.94	192.168.2.7
Nov 11, 2024 18:22:51.363087893 CET	8080	49936	70.39.251.94	192.168.2.7
Nov 11, 2024 18:22:51.363104105 CET	8080	49936	70.39.251.94	192.168.2.7
Nov 11, 2024 18:22:51.363115072 CET	8080	49936	70.39.251.94	192.168.2.7
Nov 11, 2024 18:22:51.363250971 CET	8080	49936	70.39.251.94	192.168.2.7
Nov 11, 2024 18:22:56.826567888 CET	8080	49936	70.39.251.94	192.168.2.7
Nov 11, 2024 18:22:56.826697111 CET	49936	8080	192.168.2.7	70.39.251.94
Nov 11, 2024 18:22:56.826824903 CET	49936	8080	192.168.2.7	70.39.251.94
Nov 11, 2024 18:22:56.831907034 CET	8080	49936	70.39.251.94	192.168.2.7
Nov 11, 2024 18:23:00.450185061 CET	49978	8080	192.168.2.7	87.230.25.43
Nov 11, 2024 18:23:00.457026005 CET	8080	49978	87.230.25.43	192.168.2.7
Nov 11, 2024 18:23:00.457109928 CET	49978	8080	192.168.2.7	87.230.25.43
Nov 11, 2024 18:23:00.457300901 CET	49978	8080	192.168.2.7	87.230.25.43
Nov 11, 2024 18:23:00.457340002 CET	49978	8080	192.168.2.7	87.230.25.43
Nov 11, 2024 18:23:00.462157011 CET	8080	49978	87.230.25.43	192.168.2.7
Nov 11, 2024 18:23:00.462260962 CET	8080	49978	87.230.25.43	192.168.2.7
Nov 11, 2024 18:23:00.462272882 CET	8080	49978	87.230.25.43	192.168.2.7
Nov 11, 2024 18:23:00.462285042 CET	8080	49978	87.230.25.43	192.168.2.7
Nov 11, 2024 18:23:00.462301970 CET	8080	49978	87.230.25.43	192.168.2.7
Nov 11, 2024 18:23:08.795907021 CET	8080	49978	87.230.25.43	192.168.2.7
Nov 11, 2024 18:23:08.796039104 CET	49978	8080	192.168.2.7	87.230.25.43
Nov 11, 2024 18:23:08.796128988 CET	49978	8080	192.168.2.7	87.230.25.43
Nov 11, 2024 18:23:08.800964117 CET	8080	49978	87.230.25.43	192.168.2.7
Nov 11, 2024 18:23:12.456856012 CET	49979	8080	192.168.2.7	94.23.62.116
Nov 11, 2024 18:23:12.461935997 CET	8080	49979	94.23.62.116	192.168.2.7
Nov 11, 2024 18:23:12.462025881 CET	49979	8080	192.168.2.7	94.23.62.116
Nov 11, 2024 18:23:12.462187052 CET	49979	8080	192.168.2.7	94.23.62.116
Nov 11, 2024 18:23:12.462256908 CET	49979	8080	192.168.2.7	94.23.62.116
Nov 11, 2024 18:23:12.467140913 CET	8080	49979	94.23.62.116	192.168.2.7
Nov 11, 2024 18:23:12.467153072 CET	8080	49979	94.23.62.116	192.168.2.7
Nov 11, 2024 18:23:12.467199087 CET	8080	49979	94.23.62.116	192.168.2.7
Nov 11, 2024 18:23:12.467210054 CET	8080	49979	94.23.62.116	192.168.2.7
Nov 11, 2024 18:23:12.467226028 CET	8080	49979	94.23.62.116	192.168.2.7
Nov 11, 2024 18:23:20.799906015 CET	8080	49979	94.23.62.116	192.168.2.7
Nov 11, 2024 18:23:20.800044060 CET	49979	8080	192.168.2.7	94.23.62.116
Nov 11, 2024 18:23:20.800173998 CET	49979	8080	192.168.2.7	94.23.62.116
Nov 11, 2024 18:23:20.804981947 CET	8080	49979	94.23.62.116	192.168.2.7
Nov 11, 2024 18:23:24.582844019 CET	49983	8080	192.168.2.7	37.187.161.206
Nov 11, 2024 18:23:24.588320017 CET	8080	49983	37.187.161.206	192.168.2.7
Nov 11, 2024 18:23:24.588397026 CET	49983	8080	192.168.2.7	37.187.161.206
Nov 11, 2024 18:23:24.590200901 CET	49983	8080	192.168.2.7	37.187.161.206
Nov 11, 2024 18:23:24.590223074 CET	49983	8080	192.168.2.7	37.187.161.206
Nov 11, 2024 18:23:24.595071077 CET	8080	49983	37.187.161.206	192.168.2.7
Nov 11, 2024 18:23:24.595082045 CET	8080	49983	37.187.161.206	192.168.2.7
Nov 11, 2024 18:23:24.595117092 CET	8080	49983	37.187.161.206	192.168.2.7
Nov 11, 2024 18:23:24.595127106 CET	8080	49983	37.187.161.206	192.168.2.7
Nov 11, 2024 18:23:24.595136881 CET	8080	49983	37.187.161.206	192.168.2.7
Nov 11, 2024 18:23:32.953394890 CET	8080	49983	37.187.161.206	192.168.2.7
Nov 11, 2024 18:23:32.953468084 CET	49983	8080	192.168.2.7	37.187.161.206
Nov 11, 2024 18:23:32.953569889 CET	49983	8080	192.168.2.7	37.187.161.206
Nov 11, 2024 18:23:32.958447933 CET	8080	49983	37.187.161.206	192.168.2.7
Nov 11, 2024 18:23:36.710030079 CET	49984	80	192.168.2.7	45.46.37.97
Nov 11, 2024 18:23:36.715105057 CET	80	49984	45.46.37.97	192.168.2.7
Nov 11, 2024 18:23:36.715250969 CET	49984	80	192.168.2.7	45.46.37.97
Nov 11, 2024 18:23:36.716316938 CET	49984	80	192.168.2.7	45.46.37.97
Nov 11, 2024 18:23:36.716373920 CET	49984	80	192.168.2.7	45.46.37.97
Nov 11, 2024 18:23:36.721196890 CET	80	49984	45.46.37.97	192.168.2.7
Nov 11, 2024 18:23:36.721229076 CET	80	49984	45.46.37.97	192.168.2.7
Nov 11, 2024 18:23:36.721240044 CET	80	49984	45.46.37.97	192.168.2.7
Nov 11, 2024 18:23:36.721251011 CET	80	49984	45.46.37.97	192.168.2.7
Nov 11, 2024 18:23:36.721261978 CET	80	49984	45.46.37.97	192.168.2.7
Nov 11, 2024 18:23:45.064210892 CET	80	49984	45.46.37.97	192.168.2.7
Nov 11, 2024 18:23:45.064323902 CET	49984	80	192.168.2.7	45.46.37.97
Nov 11, 2024 18:23:45.065167904 CET	49984	80	192.168.2.7	45.46.37.97
Nov 11, 2024 18:23:45.071005106 CET	80	49984	45.46.37.97	192.168.2.7
Nov 11, 2024 18:23:49.086641073 CET	49985	7080	192.168.2.7	138.97.60.141
Nov 11, 2024 18:23:49.091598034 CET	7080	49985	138.97.60.141	192.168.2.7
Nov 11, 2024 18:23:49.091666937 CET	49985	7080	192.168.2.7	138.97.60.141
Nov 11, 2024 18:23:49.091840029 CET	49985	7080	192.168.2.7	138.97.60.141
Nov 11, 2024 18:23:49.092222929 CET	49985	7080	192.168.2.7	138.97.60.141
Nov 11, 2024 18:23:49.096898079 CET	7080	49985	138.97.60.141	192.168.2.7
Nov 11, 2024 18:23:49.097011089 CET	7080	49985	138.97.60.141	192.168.2.7
Nov 11, 2024 18:23:49.097132921 CET	7080	49985	138.97.60.141	192.168.2.7
Nov 11, 2024 18:23:49.097146034 CET	7080	49985	138.97.60.141	192.168.2.7
Nov 11, 2024 18:23:49.097343922 CET	7080	49985	138.97.60.141	192.168.2.7
Nov 11, 2024 18:23:57.481935978 CET	7080	49985	138.97.60.141	192.168.2.7
Nov 11, 2024 18:23:57.482017994 CET	49985	7080	192.168.2.7	138.97.60.141
Nov 11, 2024 18:23:57.482162952 CET	49985	7080	192.168.2.7	138.97.60.141
Nov 11, 2024 18:23:57.487051010 CET	7080	49985	138.97.60.141	192.168.2.7
Nov 11, 2024 18:23:59.943147898 CET	49986	8080	192.168.2.7	177.144.130.105
Nov 11, 2024 18:23:59.948381901 CET	8080	49986	177.144.130.105	192.168.2.7
Nov 11, 2024 18:23:59.948525906 CET	49986	8080	192.168.2.7	177.144.130.105
Nov 11, 2024 18:23:59.948657036 CET	49986	8080	192.168.2.7	177.144.130.105
Nov 11, 2024 18:23:59.948718071 CET	49986	8080	192.168.2.7	177.144.130.105
Nov 11, 2024 18:23:59.953505993 CET	8080	49986	177.144.130.105	192.168.2.7
Nov 11, 2024 18:23:59.953594923 CET	8080	49986	177.144.130.105	192.168.2.7
Nov 11, 2024 18:23:59.953605890 CET	8080	49986	177.144.130.105	192.168.2.7
Nov 11, 2024 18:23:59.953649998 CET	8080	49986	177.144.130.105	192.168.2.7
Nov 11, 2024 18:23:59.953660011 CET	8080	49986	177.144.130.105	192.168.2.7
Nov 11, 2024 18:24:08.284365892 CET	8080	49986	177.144.130.105	192.168.2.7
Nov 11, 2024 18:24:08.284549952 CET	49986	8080	192.168.2.7	177.144.130.105
Nov 11, 2024 18:24:08.284629107 CET	49986	8080	192.168.2.7	177.144.130.105
Nov 11, 2024 18:24:08.289580107 CET	8080	49986	177.144.130.105	192.168.2.7
Nov 11, 2024 18:24:11.460161924 CET	49987	80	192.168.2.7	169.1.39.242
Nov 11, 2024 18:24:11.465339899 CET	80	49987	169.1.39.242	192.168.2.7
Nov 11, 2024 18:24:11.465428114 CET	49987	80	192.168.2.7	169.1.39.242
Nov 11, 2024 18:24:11.465689898 CET	49987	80	192.168.2.7	169.1.39.242
Nov 11, 2024 18:24:11.465728998 CET	49987	80	192.168.2.7	169.1.39.242
Nov 11, 2024 18:24:11.470717907 CET	80	49987	169.1.39.242	192.168.2.7
Nov 11, 2024 18:24:11.470725060 CET	80	49987	169.1.39.242	192.168.2.7
Nov 11, 2024 18:24:11.470733881 CET	80	49987	169.1.39.242	192.168.2.7
Nov 11, 2024 18:24:11.470740080 CET	80	49987	169.1.39.242	192.168.2.7
Nov 11, 2024 18:24:11.470879078 CET	80	49987	169.1.39.242	192.168.2.7
Nov 11, 2024 18:24:20.133462906 CET	80	49987	169.1.39.242	192.168.2.7
Nov 11, 2024 18:24:20.133558035 CET	49987	80	192.168.2.7	169.1.39.242
Nov 11, 2024 18:24:20.133641005 CET	49987	80	192.168.2.7	169.1.39.242
Nov 11, 2024 18:24:20.133893013 CET	80	49987	169.1.39.242	192.168.2.7
Nov 11, 2024 18:24:20.133945942 CET	49987	80	192.168.2.7	169.1.39.242
Nov 11, 2024 18:24:20.141896009 CET	80	49987	169.1.39.242	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 11, 2024 18:22:17.827318907 CET	52374	53	192.168.2.7	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 11, 2024 18:22:17.827318907 CET	192.168.2.7	1.1.1.1	0x2ab7	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 11, 2024 18:22:17.834407091 CET	1.1.1.1	192.168.2.7	0x2ab7	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

190.202.229.74

118.69.11.81

118.69.11.81:7080

70.39.251.94

70.39.251.94:8080

87.230.25.43

87.230.25.43:8080

94.23.62.116

94.23.62.116:8080

37.187.161.206

37.187.161.206:8080

45.46.37.97

138.97.60.141

138.97.60.141:7080

177.144.130.105

177.144.130.105:8080

169.1.39.242

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49766	190.202.229.74	80	7580	C:\Windows\SysWOW64\winhttpcom\wpnclient.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 18:22:28.038981915 CET	547	OUT	POST /NVYQ97TAZC9w/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 190.202.229.74/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=----------------8meBuivDM6SGek6t User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 190.202.229.74 Content-Length: 4644 Cache-Control: no-cache
Nov 11, 2024 18:22:28.039041042 CET	4644	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 6d 65 42 75 69 76 44 4d 36 53 47 65 6b 36 74 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 78 6a 78 66 67 6b Data Ascii: ------------------8meBuivDM6SGek6tContent-Disposition: form-data; name="xjxfgktpayf"; filename="gmxiwfyqpa"Content-Type: application/octet-stream2h)gBmkxWz:@I\OFIQWQ!BgHgI2b$5%K

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49852	118.69.11.81	7080	7580	C:\Windows\SysWOW64\winhttpcom\wpnclient.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 18:22:39.765384912 CET	590	OUT	POST /fcGeLw4p/ihOwVRSFxWUqd0kFgJ/4jfMfuO/EFhh74Ny/if77Qmg3AUNbSqT8W/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 118.69.11.81/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=------------c0nWQm36OPQW User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 118.69.11.81:7080 Content-Length: 4644 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49936	70.39.251.94	8080	7580	C:\Windows\SysWOW64\winhttpcom\wpnclient.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 18:22:51.358166933 CET	566	OUT	POST /cqrpaz30CJV6rcTaee/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 70.39.251.94/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=----------------------K4vFIFYq3VJwQqSnJZgKHx User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 70.39.251.94:8080 Content-Length: 4628 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49978	87.230.25.43	8080	7580	C:\Windows\SysWOW64\winhttpcom\wpnclient.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 18:23:00.457300901 CET	594	OUT	POST /RXVvzMf/N2ZJn/HWDPmWEOobR5vsovM/wC1leNEGWSEakmmN/GZFwmhHZxt53d/1udoH/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 87.230.25.43/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=-----------MbOc2Awa9XJ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 87.230.25.43:8080 Content-Length: 4628 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49979	94.23.62.116	8080	7580	C:\Windows\SysWOW64\winhttpcom\wpnclient.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 18:23:12.462187052 CET	574	OUT	POST /MVkm4Pe/qvF8hKL0/xQboaYc/tEAE/bvOe1g/jyw23JOFoAe/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 94.23.62.116/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=-----------anyJNRk198M User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 94.23.62.116:8080 Content-Length: 4612 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49983	37.187.161.206	8080	7580	C:\Windows\SysWOW64\winhttpcom\wpnclient.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 18:23:24.590200901 CET	583	OUT	POST /L3q6/BqUpGZyIOtsBpT/0zFYv51ZlaEeQ4uYJ9/AHC3ud/VyzjKGaZCXONK/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 37.187.161.206/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=--------TLs7tmoY User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 37.187.161.206:8080 Content-Length: 4612 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49984	45.46.37.97	80	7580	C:\Windows\SysWOW64\winhttpcom\wpnclient.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 18:23:36.716316938 CET	607	OUT	POST /9AWvP9tUiB0vNBtHp/soehIFh6TFhjHQ8To/FvPsEJTxaNlNquPbdI/I8C2Lbudvo8T8/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 45.46.37.97/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=---------------------9uUbHI4f4XOvefoNk2pHp User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 45.46.37.97 Content-Length: 4612 Cache-Control: no-cache
Nov 11, 2024 18:23:36.716373920 CET	4612	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 39 75 55 62 48 49 34 66 34 58 4f 76 65 66 6f 4e 6b 32 70 48 70 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 Data Ascii: -----------------------9uUbHI4f4XOvefoNk2pHpContent-Disposition: form-data; name="qwgld"; filename="tsknfqjdiig"Content-Type: application/octet-streamE*qnkt]4Q(gF(V^JP_@k-5=32xanZZgKc!V&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49985	138.97.60.141	7080	7580	C:\Windows\SysWOW64\winhttpcom\wpnclient.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 18:23:49.091840029 CET	538	OUT	POST /5ZnPdPFU/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 138.97.60.141/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=------------Vb7iRWQMUdrr User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 138.97.60.141:7080 Content-Length: 4612 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49986	177.144.130.105	8080	7580	C:\Windows\SysWOW64\winhttpcom\wpnclient.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 18:23:59.948657036 CET	654	OUT	POST /2g3r3uVJyW4vwEwW2rV/BSwocEVkUzwjsP3EXb/tToQfSpvkbELnFp/GKhVdMsrUWytWXLFY/s5tFZi8Vxs3oBnZWiR/tXm8d1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 177.144.130.105/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=-----------------------Xese4L6C2RTuoGm0FY1zcNp User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 177.144.130.105:8080 Content-Length: 4612 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49987	169.1.39.242	80	7580	C:\Windows\SysWOW64\winhttpcom\wpnclient.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 18:24:11.465689898 CET	568	OUT	POST /XCULSRNtkPzEnoI/N2CP4bvAn2eR7Mn/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 169.1.39.242/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=-------------------Za2AS9T3nIW3ZQcAbAN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 169.1.39.242 Content-Length: 4612 Cache-Control: no-cache
Nov 11, 2024 18:24:11.465728998 CET	4612	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5a 61 32 41 53 39 54 33 6e 49 57 33 5a 51 63 41 62 41 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 Data Ascii: ---------------------Za2AS9T3nIW3ZQcAbANContent-Disposition: form-data; name="lqskmjzzcrm"; filename="gqcovh"Content-Type: application/octet-streams9{MqcI_"3@h)\e5/CPbT!L-CD`t;qoj^B

Target ID:	0
Start time:	12:22:14
Start date:	11/11/2024
Path:	C:\Users\user\Desktop\mNtu4X8ZyE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\mNtu4X8ZyE.exe"
Imagebase:	0x400000
File size:	479'232 bytes
MD5 hash:	6E30D8BDA11412A2272A387B549BE17A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.1306329295.0000000002671000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.1306249932.0000000002614000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.1306123613.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:22:15
Start date:	11/11/2024
Path:	C:\Windows\SysWOW64\expand\regedit.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\expand\regedit.exe"
Imagebase:	0x400000
File size:	479'232 bytes
MD5 hash:	6E30D8BDA11412A2272A387B549BE17A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.1322151004.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.1322291450.0000000002154000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.1322392048.00000000021B1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:22:15
Start date:	11/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	12:22:16
Start date:	11/11/2024
Path:	C:\Windows\SysWOW64\winhttpcom\wpnclient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\winhttpcom\wpnclient.exe"
Imagebase:	0x400000
File size:	479'232 bytes
MD5 hash:	6E30D8BDA11412A2272A387B549BE17A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.2542043862.00000000021E1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.2541675452.0000000000590000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.2541960416.0000000002184000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	96.3%
Signature Coverage:	14.6%
Total number of Nodes:	969
Total number of Limit Nodes:	22

Executed Functions

Function 00401600 Relevance: 121.2, APIs: 54, Strings: 15, Instructions: 458
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(Advapi32.dll,EncryptFileA), ref: 0040161A
GetProcAddress.KERNEL32(00000000), ref: 00401623
EncryptFileA.ADVAPI32(C:\Windows\Setup\State\State.ini), ref: 0040162A
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60 ref: 0040167D
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(LdrFin), ref: 0040169F
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 004016B2
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(dReso), ref: 004016D1
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 004016E4
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(urce_U), ref: 00401703
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,?,?), ref: 00401723
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401731
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00401742
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00401755
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Ldr), ref: 00401774
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00401787
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Acces), ref: 004017A6

Strings

C:\Windows\Setup\State\State.ini, xrefs: 00401625
EncryptFileA, xrefs: 00401610
LdrFin, xrefs: 00401683, 00401693
ntdll.dll, xrefs: 0040181D
Ldr, xrefs: 0040175B, 0040176B
dReso, xrefs: 004016B8, 004016C8
Acces, xrefs: 0040178D, 0040179D
GIh@36E#YEA1tFmFqw44wMs%bm^9R?qzDkkk^Ht+tywp2T&M8aVQ1wu#c<eCQglgS+m&KyvZQb_x!tLZTbzSj4!?m$5vwsutammbhRsGHUifpf, xrefs: 004018AC
Windows Media Player HWND Editor, xrefs: 004019F0
sResource, xrefs: 004017BF, 004017CF
LdrAccessResource, xrefs: 0040182E
WMPlayerWindowEditor, xrefs: 00401939, 004019F5
LdrFindResource_U, xrefs: 00401826
Advapi32.dll, xrefs: 00401615
urce_U, xrefs: 004016EA, 004016FA

Memory Dump Source

Source File: 00000000.00000002.1305693753.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1305662841.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1305718639.0000000000405000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1305744729.0000000000407000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1305744729.0000000000474000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mNtu4X8ZyE.jbxd

Similarity

API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$Tidy@?$basic_string@$?assign@?$basic_string@V12@$D@2@@0@Hstd@@V10@0@V?$basic_string@$AddressEncryptFileLibraryLoadProc
String ID: Acces$Advapi32.dll$C:\Windows\Setup\State\State.ini$EncryptFileA$GIh@36E#YEA1tFmFqw44wMs%bm^9R?qzDkkk^Ht+tywp2T&M8aVQ1wu#c<eCQglgS+m&KyvZQb_x!tLZTbzSj4!?m$5vwsutammbhRsGHUifpf$Ldr$LdrAccessResource$LdrFin$LdrFindResource_U$WMPlayerWindowEditor$Windows Media Player HWND Editor$dReso$ntdll.dll$sResource$urce_U
API String ID: 3516244591-712066751
Opcode ID: f8c8bf3419da7efc3c2f758ebdd38b7438056af9a9bfe9611bd3ddaf80b0cfcc
Instruction ID: dce9f58f7b180b880584391d3317b87618375bb0fe771e7de301abb772954e00
Opcode Fuzzy Hash: f8c8bf3419da7efc3c2f758ebdd38b7438056af9a9bfe9611bd3ddaf80b0cfcc
Instruction Fuzzy Hash: FDF1E4711183809FD324DF60CC49BAFBBA4EB84310F40493EF586632D1EBB99909CB5A

Function 02611030 Relevance: 18.4, APIs: 12, Instructions: 362
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(02614054,02614040), ref: 02611047
GetProcAddress.KERNEL32(00000000), ref: 0261104E

Part of subcall function 02611B30: SetLastError.KERNEL32(0000000D,?,02611070,?,00000040), ref: 02611B3D

SetLastError.KERNEL32(000000C1), ref: 02611096

Memory Dump Source

Source File: 00000000.00000002.1306220984.0000000002611000.00000020.00001000.00020000.00000000.sdmp, Offset: 02611000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2611000_mNtu4X8ZyE.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID:
API String ID: 1866314245-0
Opcode ID: fabd02dca7b0b06edc4e9eef99e1759a9626acf4588b548c8df596add21ab645
Instruction ID: 3b33d807adcdcb60b5f97059448a308e0996b19db6a1cf23b5c4d5b2f05d2f87
Opcode Fuzzy Hash: fabd02dca7b0b06edc4e9eef99e1759a9626acf4588b548c8df596add21ab645
Instruction Fuzzy Hash: 29F107B4E00209EFDB04CF94D981BAEB7B1BF49305F248599EA09AB341D730EA51DF90

Function 02675390 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 248
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,00020000,?,?,?,?,?,?,02678CFA), ref: 02675682
RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,?,?,?,?,?,02678CFA), ref: 0267570C

Strings

12, xrefs: 026756CF
p^sw, xrefs: 026754A8, 026754C7, 02675656, 02675675
J`, xrefs: 02675405
12, xrefs: 02675641
12, xrefs: 02675493

Memory Dump Source

Source File: 00000000.00000002.1306329295.0000000002671000.00000020.00001000.00020000.00000000.sdmp, Offset: 02670000, based on PE: true

Associated: 00000000.00000002.1306312324.0000000002670000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306344646.000000000267D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.0000000002680000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.00000000026C3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID: p^sw$12$12$12$J`
API String ID: 2488874121-2896302409
Opcode ID: d18958be94c75a276282220b4c4e7a237814c3e7af60f54e2f83b295d59b2804
Instruction ID: 754a80d2ad1e5c59a840aa438ea619a7e2f651cfd447ba19038661d59d389259
Opcode Fuzzy Hash: d18958be94c75a276282220b4c4e7a237814c3e7af60f54e2f83b295d59b2804
Instruction Fuzzy Hash: DF81D031F44241CBDB18AB79BC9472E36E2AB84644F8108BDEC16EB390EF65CC548F95

Function 02678330 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 236
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,?,000001C3,00000000,?,38CFF007,?,?), ref: 026784C7
SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0267853C

Strings

12, xrefs: 026785B5
V^!, xrefs: 02678396
iL`2, xrefs: 02678656
@, xrefs: 02678370
iL`2, xrefs: 026786AC

Memory Dump Source

Source File: 00000000.00000002.1306329295.0000000002671000.00000020.00001000.00020000.00000000.sdmp, Offset: 02670000, based on PE: true

Associated: 00000000.00000002.1306312324.0000000002670000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306344646.000000000267D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.0000000002680000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.00000000026C3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID: File$CreateHandleInformation
String ID: @$iL`2$iL`2$12$V^!
API String ID: 3667790775-1221398831
Opcode ID: 8a77d4cb43b386f2707c37d5fb8fadee430cd554997de8d92f24c28af5d696ed
Instruction ID: 8b53d6a02bc7b653d52b5ffbbcae5c8077bba863b88735e1bf68b4f5d86c5c1d
Opcode Fuzzy Hash: 8a77d4cb43b386f2707c37d5fb8fadee430cd554997de8d92f24c28af5d696ed
Instruction Fuzzy Hash: 60915D71A083019FD718DF68A99862FBBE5AFC4304F104D2DF44A9B390EB75C9498F96

Function 02673A20 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 189
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?), ref: 02673B78
FindNextFileW.KERNELBASE(?,?), ref: 02673BB9
FindClose.KERNELBASE(?), ref: 02673CC5

Strings

HUE(, xrefs: 02673BCE
HUE(, xrefs: 02673BDC
., xrefs: 02673A7D
12, xrefs: 02673C53

Memory Dump Source

Source File: 00000000.00000002.1306329295.0000000002671000.00000020.00001000.00020000.00000000.sdmp, Offset: 02670000, based on PE: true

Associated: 00000000.00000002.1306312324.0000000002670000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306344646.000000000267D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.0000000002680000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.00000000026C3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID: .$HUE($HUE($12
API String ID: 3541575487-884143723
Opcode ID: 0f929f8a107fadaff842d698a85d666bab7afd2741f67105765e47d383f89a3e
Instruction ID: 722bcfb507c4970d36294cd435ecf5379051ac4b39d77b9f8b2f1dda289f3a6d
Opcode Fuzzy Hash: 0f929f8a107fadaff842d698a85d666bab7afd2741f67105765e47d383f89a3e
Instruction Fuzzy Hash: 8E51F671B442418BC728EB78B889B7F77E69F90600F004D6DE546CB341EF36C865AB96

Function 026786F0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 187
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000), ref: 02678908

Strings

V^!, xrefs: 0267875B
x*, xrefs: 026786FE
[i, xrefs: 0267871B

Memory Dump Source

Source File: 00000000.00000002.1306329295.0000000002671000.00000020.00001000.00020000.00000000.sdmp, Offset: 02670000, based on PE: true

Associated: 00000000.00000002.1306312324.0000000002670000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306344646.000000000267D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.0000000002680000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.00000000026C3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: [i$V^!$x*
API String ID: 823142352-1411442858
Opcode ID: f97c1338fac7f4f2a4e84018aca0efa12311935f85353153c2251fd893bd11b5
Instruction ID: 0316353f96255376b8a7646cf184e84195c01fa9db5f2ae9e56f1fd0d1237127
Opcode Fuzzy Hash: f97c1338fac7f4f2a4e84018aca0efa12311935f85353153c2251fd893bd11b5
Instruction Fuzzy Hash: 22716E71A083419FD708DF29E848A2FBBE5ABC4314F048D1DE4A99B390D7749D49CF86

Function 00401019 Relevance: 33.2, APIs: 22, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4,00000343,022C2598), ref: 00401398
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 0040139B
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 004013AC
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 004013AF
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 004013C1
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 004013C4
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,6EA4A3D8,004059A4), ref: 004013D9
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 004013EA
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 004013F0
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 00401402
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 00401405
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,6EA4A3D8,004059A4), ref: 0040141A
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 0040142B
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 0040142E
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 00401440
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 00401443
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 00401455
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 00401458
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 0040146C
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 0040146F
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 00401481
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 00401484

Memory Dump Source

Source File: 00000000.00000002.1305693753.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1305662841.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1305718639.0000000000405000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1305744729.0000000000407000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1305744729.0000000000474000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mNtu4X8ZyE.jbxd

Similarity

API ID: U?$char_traits@V?$basic_ostream@$?endl@std@@D@std@@@1@V21@@$??6std@@D@std@@@0@V10@
String ID:
API String ID: 2803004057-0
Opcode ID: 4e668faee3baf0bf314fe0a6ed89ed04cc46d060bfd11fc77c33a5f615d1b13b
Instruction ID: e5c193a8be6e18b913c016f231c9b957fb8706e5e71893854bd9b99652add971
Opcode Fuzzy Hash: 4e668faee3baf0bf314fe0a6ed89ed04cc46d060bfd11fc77c33a5f615d1b13b
Instruction Fuzzy Hash: 0E51F3796053919FC700EB74DD8882B7FA9EF88314F0548EDF845A73D1C6799418CBAA

Function 026731F0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 162
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,0000021C), ref: 026733D1

Strings

p^sw, xrefs: 026733C4
12, xrefs: 02673390
V<j[, xrefs: 026733F7

Memory Dump Source

Source File: 00000000.00000002.1306329295.0000000002671000.00000020.00001000.00020000.00000000.sdmp, Offset: 02670000, based on PE: true

Associated: 00000000.00000002.1306312324.0000000002670000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306344646.000000000267D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.0000000002680000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.00000000026C3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: V<j[$p^sw$12
API String ID: 1279760036-1938916030
Opcode ID: 772cd557450a5bf6a146d8f59586f20145016c6bf4ad6f9c0cbe736c9d60911c
Instruction ID: c1220ef7468c8cca04f80277ec6d32a5e5a81863d18748dfe74c9a87bd276105
Opcode Fuzzy Hash: 772cd557450a5bf6a146d8f59586f20145016c6bf4ad6f9c0cbe736c9d60911c
Instruction Fuzzy Hash: 6051D571A44341CBC758DE28B4C452EBBE2EBD4254F104D6EE452CB391DB71C96ACBD2

Function 0221002D Relevance: 4.9, APIs: 3, Instructions: 387
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,02210005), ref: 022100E9
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,02210005), ref: 02210111

Memory Dump Source

Source File: 00000000.00000002.1306123613.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2210000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID:
API String ID: 2032221330-0
Opcode ID: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
Instruction ID: e87a7abaa2fe85d5e1be2351f9f08c843da0220c70ad4e683244fe613137fbcc
Opcode Fuzzy Hash: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
Instruction Fuzzy Hash: A3D1C371A183068FD714CFA9C880B6AB3E1FFA4318F18452DEC95DB245E774EA85CB91

Function 026773C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(00000000,?,38CFF007,02676F11), ref: 0267747A

Strings

12, xrefs: 02677498

Memory Dump Source

Source File: 00000000.00000002.1306329295.0000000002671000.00000020.00001000.00020000.00000000.sdmp, Offset: 02670000, based on PE: true

Associated: 00000000.00000002.1306312324.0000000002670000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306344646.000000000267D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.0000000002680000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.00000000026C3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 12
API String ID: 1029625771-2589614596
Opcode ID: 9b5306a557b6ff722e58e3305c1fd8275ba8ec70b608dd463ab39202973081e2
Instruction ID: 23ed74314e81c3ff7cd7ef6b46c8604adf81466af7b7c94d128999c1ad3fc4ce
Opcode Fuzzy Hash: 9b5306a557b6ff722e58e3305c1fd8275ba8ec70b608dd463ab39202973081e2
Instruction Fuzzy Hash: C031A460BC414487DA2EA679785073FF6939F80620F605C6EE903DF344EF65C856CB9A

Function 02674EC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 02674F41

Strings

D, xrefs: 02674F00

Memory Dump Source

Source File: 00000000.00000002.1306329295.0000000002671000.00000020.00001000.00020000.00000000.sdmp, Offset: 02670000, based on PE: true

Associated: 00000000.00000002.1306312324.0000000002670000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306344646.000000000267D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.0000000002680000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.00000000026C3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: D
API String ID: 963392458-2746444292
Opcode ID: 1892094786eeb1609e3a906f64971e257964cc9fa0fd6ba7bba085b5940316e8
Instruction ID: 8abd368459fb0f1a84848df4a094ca183dadeb053cae6301b933bab5ba5f1ec7
Opcode Fuzzy Hash: 1892094786eeb1609e3a906f64971e257964cc9fa0fd6ba7bba085b5940316e8
Instruction Fuzzy Hash: 5C219431B442815FE714AB78BC58B6F3BE6AFC0600F10482CB944CE380EF75D8698B95

Function 026737E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 026738A7

Strings

12, xrefs: 0267383E

Memory Dump Source

Source File: 00000000.00000002.1306329295.0000000002671000.00000020.00001000.00020000.00000000.sdmp, Offset: 02670000, based on PE: true

Associated: 00000000.00000002.1306312324.0000000002670000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306344646.000000000267D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.0000000002680000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.00000000026C3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: 12
API String ID: 4033686569-2589614596
Opcode ID: a249c7efcb405400371085864d005283e661b18986d82bb55ced5abc19703d80
Instruction ID: b2e76401069eef20218b642b4f3d102f90670971a70c17b00ceb62be34384288
Opcode Fuzzy Hash: a249c7efcb405400371085864d005283e661b18986d82bb55ced5abc19703d80
Instruction Fuzzy Hash: C2118270B842408BD718BB79B918B3F3AE6AFC5600B000C6CA815CB381EF75C8298F95

Function 02677320 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(00000000,?,38CFF007,02677540,?,38CFF007,02676F11), ref: 02677350

Strings

12, xrefs: 0267736F

Memory Dump Source

Source File: 00000000.00000002.1306329295.0000000002671000.00000020.00001000.00020000.00000000.sdmp, Offset: 02670000, based on PE: true

Associated: 00000000.00000002.1306312324.0000000002670000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306344646.000000000267D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.0000000002680000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.00000000026C3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 12
API String ID: 1029625771-2589614596
Opcode ID: 1b913bcba12e29a5bc36a44e222a14cf8d2f59dc9876a587c9d7b01f83aeb45b
Instruction ID: 8a276c1f36aa2c9ea8c2dbf2e932c8e83d0395b4ebf20545eaecaacf63997f28
Opcode Fuzzy Hash: 1b913bcba12e29a5bc36a44e222a14cf8d2f59dc9876a587c9d7b01f83aeb45b
Instruction Fuzzy Hash: AD014B74B842818BC718BB79B854B3E7BE6AFC16107015C7CA805DB341EF36C8658FA9

Function 02676060 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 0267608B

Memory Dump Source

Source File: 00000000.00000002.1306329295.0000000002671000.00000020.00001000.00020000.00000000.sdmp, Offset: 02670000, based on PE: true

Associated: 00000000.00000002.1306312324.0000000002670000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306344646.000000000267D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.0000000002680000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.00000000026C3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 9d21193ce0bcc67affaa945b3f94f2e2939d3d0434139fb3833c5119f3a7c9c7
Instruction ID: e578e06a531ba8801642ba16acd7d5998865873ab9f2137b8ac20a746b25161c
Opcode Fuzzy Hash: 9d21193ce0bcc67affaa945b3f94f2e2939d3d0434139fb3833c5119f3a7c9c7
Instruction Fuzzy Hash: 1DD01230F805858AD704BBB6B914B3E36D6AF80705F405C2DF5419F285EF6588209F99

Function 02611D10 Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1306220984.0000000002611000.00000020.00001000.00020000.00000000.sdmp, Offset: 02611000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2611000_mNtu4X8ZyE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98dc5cabca71d4b830df0347d0be53831c3de5a973e2040009da3dfd232530b7
Instruction ID: 4945b6df2568082fe3752fb74d8cbf864f31211057846cdf99fd7edd962778ea
Opcode Fuzzy Hash: 98dc5cabca71d4b830df0347d0be53831c3de5a973e2040009da3dfd232530b7
Instruction Fuzzy Hash: 2541C974A04109EFDB04CF94C494BAAB7B2FB89314F18C199E9199F395C775FA82CB80

Function 02678449 Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,?,000001C3,00000000,?,38CFF007,?,?), ref: 026784C7
SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0267853C

Memory Dump Source

Source File: 00000000.00000002.1306329295.0000000002671000.00000020.00001000.00020000.00000000.sdmp, Offset: 02670000, based on PE: true

Associated: 00000000.00000002.1306312324.0000000002670000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306344646.000000000267D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.0000000002680000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.00000000026C3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID: File$CreateHandleInformation
String ID:
API String ID: 3667790775-0
Opcode ID: d345bc4843815ed3c1c56d9e907ec27d96b58312be75b727fa9e41e0fec97057
Instruction ID: 9e6119aa5c9d82c66e7031438dc8b88338b71b08daffe0d1b821b6d537e0e3e8
Opcode Fuzzy Hash: d345bc4843815ed3c1c56d9e907ec27d96b58312be75b727fa9e41e0fec97057
Instruction Fuzzy Hash: 45F0CD716082005BDB2CDA58B8ACB3E73D66F88214F74191DF25ADBBD0D7209C415B56

Function 026127B0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 026127D9

Memory Dump Source

Source File: 00000000.00000002.1306220984.0000000002611000.00000020.00001000.00020000.00000000.sdmp, Offset: 02611000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2611000_mNtu4X8ZyE.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 588f89f5ebd5181a5eed084dcd3e2464204bcc7241d3800004d29eb1a96d1463
Instruction ID: f77f59383c36437a73922e973799da6722e236e2f7e5e2e7a68c2a061420b2d0
Opcode Fuzzy Hash: 588f89f5ebd5181a5eed084dcd3e2464204bcc7241d3800004d29eb1a96d1463
Instruction Fuzzy Hash: CBD05EB4D40248BFD700EFA4D90AA5DBBB4EB04303F4480A9E905A7340EAB03B148F92

Function 02611820 Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 0261182F

Memory Dump Source

Source File: 00000000.00000002.1306220984.0000000002611000.00000020.00001000.00020000.00000000.sdmp, Offset: 02611000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2611000_mNtu4X8ZyE.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: b4a0a193c4fcaca9e1b0e65e2325144eb30d800d37d892fa9355c7b67289b0aa
Instruction ID: fc96a1682a335761fe1a9d8d986d52a2edc78797013af01cbc22e33a6bfd1868
Opcode Fuzzy Hash: b4a0a193c4fcaca9e1b0e65e2325144eb30d800d37d892fa9355c7b67289b0aa
Instruction Fuzzy Hash: EEC04C7A55424CAB8B04DF98E884DAB37EDBB8C651B048549BA1DC7200C630F9608BA4

Non-executed Functions

Function 02677B30 Relevance: 7.7, Strings: 6, Instructions: 230COMMON

Download Yara Rule

Strings

9Cl, xrefs: 02677BAD
12, xrefs: 02677DAA
7I, xrefs: 02677C1D
PM, xrefs: 02677BC5
}=1!, xrefs: 02677EB2
3-z, xrefs: 02677CB2

Memory Dump Source

Source File: 00000000.00000002.1306329295.0000000002671000.00000020.00001000.00020000.00000000.sdmp, Offset: 02670000, based on PE: true

Associated: 00000000.00000002.1306312324.0000000002670000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306344646.000000000267D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.0000000002680000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.00000000026C3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID:
String ID: 3-z$7I$9Cl$PM$}=1!$12
API String ID: 0-3047339970
Opcode ID: 59076b1cdb3333194e7e187ae4a6fad1e6ec466821db8f34fba3fee4f5303cba
Instruction ID: 92be666800073729614ae65184cc6b94187097df9508d4817891a3882636dc02
Opcode Fuzzy Hash: 59076b1cdb3333194e7e187ae4a6fad1e6ec466821db8f34fba3fee4f5303cba
Instruction Fuzzy Hash: 4491AF71A083428FD719EF68F985A2FB7E5BB84308F004D2CE49597350EB71DA598F92

Function 022196CE Relevance: 7.7, Strings: 6, Instructions: 230COMMON

Download Yara Rule

Strings

12, xrefs: 02219948
}=1!, xrefs: 02219A50
9Cl, xrefs: 0221974B
PM, xrefs: 02219763
3-z, xrefs: 02219850
7I, xrefs: 022197BB

Memory Dump Source

Source File: 00000000.00000002.1306123613.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2210000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID:
String ID: 3-z$7I$9Cl$PM$}=1!$12
API String ID: 0-3047339970
Opcode ID: fe3376d88962dbdf62e14e2e1c357dfbfa7d47802002f184e1e155cb176f56b9
Instruction ID: 15aefe067abe4bebfd7a76909ed326edbec4f7b61e71c995004a76e6702eff5f
Opcode Fuzzy Hash: fe3376d88962dbdf62e14e2e1c357dfbfa7d47802002f184e1e155cb176f56b9
Instruction Fuzzy Hash: 0191E271A183028FC724EFA8D954A2BB7E5FFD4308F40492CE095A7268D774DA19CF92

Function 02219ECE Relevance: 6.5, Strings: 5, Instructions: 236COMMON

Download Yara Rule

Strings

12, xrefs: 0221A153
V^!, xrefs: 02219F34
iL`2, xrefs: 0221A1F4
@, xrefs: 02219F0E
iL`2, xrefs: 0221A24A

Memory Dump Source

Source File: 00000000.00000002.1306123613.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2210000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID:
String ID: @$iL`2$iL`2$12$V^!
API String ID: 0-1221398831
Opcode ID: e02f4294084b2259ba109e77238ed80de81e8d9e351bf6523ceeb443ab4b0007
Instruction ID: 7d4472492830e7ddff4e1667c02ac784f48c43f81ab77b8f2adfe36dfb0d7227
Opcode Fuzzy Hash: e02f4294084b2259ba109e77238ed80de81e8d9e351bf6523ceeb443ab4b0007
Instruction Fuzzy Hash: 5D919C716183019FD318DFA49994A2FBBE5AFD4304F50892DF48ADB2A8D774D908CF92

Function 02676860 Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 655COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 026770B6

Strings

PK, xrefs: 02676BF1
5~, xrefs: 0267705F

Memory Dump Source

Source File: 00000000.00000002.1306329295.0000000002671000.00000020.00001000.00020000.00000000.sdmp, Offset: 02670000, based on PE: true

Associated: 00000000.00000002.1306312324.0000000002670000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306344646.000000000267D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.0000000002680000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.00000000026C3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID: CountTick
String ID: 5~$PK
API String ID: 536389180-1089616948
Opcode ID: ced2e47cef0e84d7cd2f2b47c55416f9ddb6e5fe9958de4e6b57e97c395fc8e5
Instruction ID: 519b28fc3a0b81e8050e070461da30273fcd737a0f92d5b82ada9f0be0a51061
Opcode Fuzzy Hash: ced2e47cef0e84d7cd2f2b47c55416f9ddb6e5fe9958de4e6b57e97c395fc8e5
Instruction Fuzzy Hash: 6932D371A087028BD718DE78F88412EB7E6AB90748F14492DE496DB360DB74D949CFE3

Function 0221A28E Relevance: 3.9, Strings: 3, Instructions: 187COMMON

Download Yara Rule

Strings

x*, xrefs: 0221A29C
V^!, xrefs: 0221A2F9
[i, xrefs: 0221A2B9

Memory Dump Source

Source File: 00000000.00000002.1306123613.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2210000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID:
String ID: [i$V^!$x*
API String ID: 0-1411442858
Opcode ID: ef6139f2aca061be2cddc88f17184936ffd241f444024dc4d897b8b57bbd0a9c
Instruction ID: be15ee6c4670d93ef720ef993db76e02bb42d258af6f38be0517883d00358577
Opcode Fuzzy Hash: ef6139f2aca061be2cddc88f17184936ffd241f444024dc4d897b8b57bbd0a9c
Instruction Fuzzy Hash: 3971B2716183019FD318DFA8D449A2FB7E1ABD4314F408D2DF49A9B298D778D909CF82

Function 022183FE Relevance: 3.2, Strings: 2, Instructions: 655COMMON

Download Yara Rule

Strings

5~, xrefs: 02218BFD
PK, xrefs: 0221878F

Memory Dump Source

Source File: 00000000.00000002.1306123613.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2210000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID:
String ID: 5~$PK
API String ID: 0-1089616948
Opcode ID: 8b81b203fa51f8662998a0e189cc996ca1f84b5d6fb8c8cd66eb41d5b8c1ac9b
Instruction ID: 983533bde85d5800134d8d259eeb913ea1fc819b1f2a716891dca3b5294eaeae
Opcode Fuzzy Hash: 8b81b203fa51f8662998a0e189cc996ca1f84b5d6fb8c8cd66eb41d5b8c1ac9b
Instruction Fuzzy Hash: C232E671A283028BE728DEE8A9C592E76D2ABF0344F14092DF445DB36DDB74C945CB93

Function 02674190 Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

B=, xrefs: 026741C3
}r, xrefs: 026742D4

Memory Dump Source

Source File: 00000000.00000002.1306329295.0000000002671000.00000020.00001000.00020000.00000000.sdmp, Offset: 02670000, based on PE: true

Associated: 00000000.00000002.1306312324.0000000002670000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306344646.000000000267D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.0000000002680000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.00000000026C3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID:
String ID: B=$}r
API String ID: 0-4253951455
Opcode ID: 9a8714f60742fb2f3b1e2a78ede030c84d5c103d4bbae9b4e5573fab1c25ac96
Instruction ID: 1be2b775a8ca116b780d4924f490d45e530202997254a6452e894f28dd580137
Opcode Fuzzy Hash: 9a8714f60742fb2f3b1e2a78ede030c84d5c103d4bbae9b4e5573fab1c25ac96
Instruction Fuzzy Hash: 7761C2B15083928BD748DF24E19952ABBF0FBD4714F404E2DF4A19A291D3B4DA5CCB93

Function 02215D2E Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

B=, xrefs: 02215D61
}r, xrefs: 02215E72

Memory Dump Source

Source File: 00000000.00000002.1306123613.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2210000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID:
String ID: B=$}r
API String ID: 0-4253951455
Opcode ID: 9a8714f60742fb2f3b1e2a78ede030c84d5c103d4bbae9b4e5573fab1c25ac96
Instruction ID: 93f834560520215d2c84e51db001b83a0a65d991c19faff75f7b4af675d0c1f7
Opcode Fuzzy Hash: 9a8714f60742fb2f3b1e2a78ede030c84d5c103d4bbae9b4e5573fab1c25ac96
Instruction Fuzzy Hash: 7E61E1B25083838BD758DF28D19951ABBE0FBD4B14F404E2DF4A19A291D3B4DA5CCB93

Function 026741B7 Relevance: 2.6, Strings: 2, Instructions: 127COMMON

Download Yara Rule

Strings

B=, xrefs: 026741C3
}r, xrefs: 026742D4

Memory Dump Source

Source File: 00000000.00000002.1306329295.0000000002671000.00000020.00001000.00020000.00000000.sdmp, Offset: 02670000, based on PE: true

Associated: 00000000.00000002.1306312324.0000000002670000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306344646.000000000267D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.0000000002680000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.00000000026C3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID:
String ID: B=$}r
API String ID: 0-4253951455
Opcode ID: 642efa90a1a4a676d635c2900358808c2b1882d141a76647cec1752dd12e807e
Instruction ID: eae2317f2f15e931b1fc4bb04860d9b060edc71787216b98d8734f69eb1a3c05
Opcode Fuzzy Hash: 642efa90a1a4a676d635c2900358808c2b1882d141a76647cec1752dd12e807e
Instruction Fuzzy Hash: 5551B1B15083938BD758DF24E15911ABBF0BBD4B14F104E1DF4A29A290D3B4DA5CCB93

Function 02215D55 Relevance: 2.6, Strings: 2, Instructions: 127COMMON

Download Yara Rule

Strings

B=, xrefs: 02215D61
}r, xrefs: 02215E72

Memory Dump Source

Source File: 00000000.00000002.1306123613.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2210000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID:
String ID: B=$}r
API String ID: 0-4253951455
Opcode ID: 642efa90a1a4a676d635c2900358808c2b1882d141a76647cec1752dd12e807e
Instruction ID: 31a79886a249f0c9f3b486bf8db41925c2cf55fa981396ec2239310cecdd1c10
Opcode Fuzzy Hash: 642efa90a1a4a676d635c2900358808c2b1882d141a76647cec1752dd12e807e
Instruction Fuzzy Hash: B851B0B15083838BD758DF24D19951ABBE1FBD4B04F404E2DF4A29A290E3B4DA5CCB93

Function 02673EE0 Relevance: 2.6, Strings: 2, Instructions: 120COMMON

Download Yara Rule

Strings

}r, xrefs: 02673FF4
}r, xrefs: 02673F35

Memory Dump Source

Source File: 00000000.00000002.1306329295.0000000002671000.00000020.00001000.00020000.00000000.sdmp, Offset: 02670000, based on PE: true

Associated: 00000000.00000002.1306312324.0000000002670000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306344646.000000000267D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.0000000002680000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.00000000026C3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID:
String ID: }r$}r
API String ID: 0-495469283
Opcode ID: 6c7309ee0626a89c0661319d5c1751ec5d54d9f921b1d5b87d678b6d7bf1c6b7
Instruction ID: e992d882d4b88910d2cd6de52d34bb9144c0088795dc2375e4d073ed018b6d66
Opcode Fuzzy Hash: 6c7309ee0626a89c0661319d5c1751ec5d54d9f921b1d5b87d678b6d7bf1c6b7
Instruction Fuzzy Hash: 6751A171509351AFD748DF29D19A01BBBF0ABC4B64F10C91DF4AA8B290D378D958DF42

Function 02215A7E Relevance: 2.6, Strings: 2, Instructions: 120COMMON

Download Yara Rule

Strings

}r, xrefs: 02215B92
}r, xrefs: 02215AD3

Memory Dump Source

Source File: 00000000.00000002.1306123613.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2210000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID:
String ID: }r$}r
API String ID: 0-495469283
Opcode ID: 6c7309ee0626a89c0661319d5c1751ec5d54d9f921b1d5b87d678b6d7bf1c6b7
Instruction ID: f96b9d3076ba42552d461d603279dca4bb3b8145b03185b350291b2e4d709f59
Opcode Fuzzy Hash: 6c7309ee0626a89c0661319d5c1751ec5d54d9f921b1d5b87d678b6d7bf1c6b7
Instruction Fuzzy Hash: 3951B171509302AFD748DF29C19A41BBBE0EBC4B64F10C82DF4AA8B290D378D958DF42

Function 02673CE0 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

}r, xrefs: 02673DF7
}r, xrefs: 02673D35

Memory Dump Source

Source File: 00000000.00000002.1306329295.0000000002671000.00000020.00001000.00020000.00000000.sdmp, Offset: 02670000, based on PE: true

Associated: 00000000.00000002.1306312324.0000000002670000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306344646.000000000267D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.0000000002680000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.00000000026C3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID:
String ID: }r$}r
API String ID: 0-495469283
Opcode ID: 6a3ea7fdc01b4fab83cd90332544e011179a86356ed67bb063007a8bde9b39db
Instruction ID: 3ad6ffb8e4b6c2154a1d8c303b3ce5e7e66a2f44bec4aba4e8e7d430c209fc08
Opcode Fuzzy Hash: 6a3ea7fdc01b4fab83cd90332544e011179a86356ed67bb063007a8bde9b39db
Instruction Fuzzy Hash: DF51B07150D351AFD748CF29C19A11BBBE0ABC4B64F10C82DF4AA8B290D378D958DF42

Function 0221587E Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

}r, xrefs: 02215995
}r, xrefs: 022158D3

Memory Dump Source

Source File: 00000000.00000002.1306123613.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2210000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID:
String ID: }r$}r
API String ID: 0-495469283
Opcode ID: 6a3ea7fdc01b4fab83cd90332544e011179a86356ed67bb063007a8bde9b39db
Instruction ID: 147ce61eccc3e2c88aa5c82456b930807636a741a2bcca9d1c9847eac006639d
Opcode Fuzzy Hash: 6a3ea7fdc01b4fab83cd90332544e011179a86356ed67bb063007a8bde9b39db
Instruction Fuzzy Hash: 5A51BE7150D352AFD748CF29C19A51ABBE0ABC4B64F10C82DE4AA8B294D378D958DF42

Function 02678CA0 Relevance: 1.4, Strings: 1, Instructions: 185COMMON

Download Yara Rule

Strings

12, xrefs: 02678E5C

Memory Dump Source

Source File: 00000000.00000002.1306329295.0000000002671000.00000020.00001000.00020000.00000000.sdmp, Offset: 02670000, based on PE: true

Associated: 00000000.00000002.1306312324.0000000002670000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306344646.000000000267D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.0000000002680000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.00000000026C3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID:
String ID: 12
API String ID: 0-2589614596
Opcode ID: 6a48bf488bc67dc7bd7a99e3bef7bb2f2f0d0d6b2c1e394c0071dcaa3eb7a98b
Instruction ID: 4fc091b3124243a2ca8ad4c7695ca7d62340d5ae432b7a37d9ed5a26fffc73c1
Opcode Fuzzy Hash: 6a48bf488bc67dc7bd7a99e3bef7bb2f2f0d0d6b2c1e394c0071dcaa3eb7a98b
Instruction Fuzzy Hash: 0B51E130B01201CBD728AB69B89C73E37E6AF94300F504C2EE905DB381EF65DC959B96

Function 026742C9 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

}r, xrefs: 026742D4

Memory Dump Source

Source File: 00000000.00000002.1306329295.0000000002671000.00000020.00001000.00020000.00000000.sdmp, Offset: 02670000, based on PE: true

Associated: 00000000.00000002.1306312324.0000000002670000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306344646.000000000267D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.0000000002680000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.00000000026C3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID:
String ID: }r
API String ID: 0-1698891092
Opcode ID: 6a74d2feb69e97d8a019e50bf5ff94201503b93b67f6a4a542c210167751f52b
Instruction ID: 8e0b83bc115079fdd7f307f15fc4e166697ce650d878497369cbc4fec89f5442
Opcode Fuzzy Hash: 6a74d2feb69e97d8a019e50bf5ff94201503b93b67f6a4a542c210167751f52b
Instruction Fuzzy Hash: E331E2B15083928BD758DF24E09912AB7F0BFD4614F104E2DF4A196280D3B4DA5CCBA3

Function 02215E67 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

}r, xrefs: 02215E72

Memory Dump Source

Source File: 00000000.00000002.1306123613.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2210000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID:
String ID: }r
API String ID: 0-1698891092
Opcode ID: 6a74d2feb69e97d8a019e50bf5ff94201503b93b67f6a4a542c210167751f52b
Instruction ID: d21e3cc8c3d72a11fce6d3ea504356cf2d06a1ecf45d1eebfb49e8021ade2565
Opcode Fuzzy Hash: 6a74d2feb69e97d8a019e50bf5ff94201503b93b67f6a4a542c210167751f52b
Instruction Fuzzy Hash: 4F3102B15083838BD758CF24D09511AB7E0FBD4610F504E2DF4A196280D3B4DA5CCBA3

Function 0221095E Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1306123613.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2210000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4003efdb1b82660489297cf81d9eb3b1a92828f19abc9c79053ce197bdd8e6b4
Instruction ID: 2fbffbd10becf9a82bedf00c531dcaa39b0bac348b46785592f8b473fd2ff02e
Opcode Fuzzy Hash: 4003efdb1b82660489297cf81d9eb3b1a92828f19abc9c79053ce197bdd8e6b4
Instruction Fuzzy Hash: 83F1E6B4A11209EFDB14CF94C990EAEB7F5FF58304F208558E906AB349D775EA81CB90

Function 02210456 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1306123613.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2210000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
Instruction ID: ab00606e138d7b27682b00f2fd1e3b7c6f8ed689277ad42462bc4bb99235f69f
Opcode Fuzzy Hash: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
Instruction Fuzzy Hash: 7731B136A1434A8FC710DF58C4C1D26B3E4FF98318F05096DE99587316D334EA868B91

Function 02675140 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1306329295.0000000002671000.00000020.00001000.00020000.00000000.sdmp, Offset: 02670000, based on PE: true

Associated: 00000000.00000002.1306312324.0000000002670000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306344646.000000000267D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.0000000002680000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1306358696.00000000026C3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Function 02216CDE Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1306123613.0000000002210000.00000040.00001000.00020000.00000000.sdmp, Offset: 02210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2210000_mNtu4X8ZyE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Function 00401D70 Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 147windowCOMMON

Download Yara Rule

APIs

PostQuitMessage.USER32(00000000), ref: 00401D96

Part of subcall function 00401F90: FindWindowA.USER32(WMPlayerApp,00000000), ref: 00401F97

DestroyWindow.USER32(?), ref: 00401D9D
GetSystemMenu.USER32(?,00000000), ref: 00401DA8
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00401DC0
AppendMenuA.USER32(00000000,00000000,00000005,About...), ref: 00401DCC
CreateWindowExA.USER32(00000000,Button,&Show Window,50000000,00000005,00000005,0000007D,00000019,?,00000002,00000000,00000000), ref: 00401DF8
CreateWindowExA.USER32(00000000,Button,&Hide Window,50000000,00000087,00000005,0000007D,00000019,?,00000003,00000000,00000000), ref: 00401E27
CreateWindowExA.USER32(00000000,Edit,Windows Media Player,50800000,0000000F,0000002D,000000EB,00000019,?,00000001,00000000,00000000), ref: 00401E56
CreateWindowExA.USER32(00000000,Button,&Change Caption,50000000,00000048,0000004E,0000007D,00000019,?,00000004,00000000,00000000), ref: 00401E81
ShowWindow.USER32(00000000,00000000), ref: 00401EFB
DefWindowProcA.USER32(?,?,?,?), ref: 00401F0D

Strings

Button, xrefs: 00401DF1, 00401E1B, 00401E7A
&Change Caption, xrefs: 00401E75
Edit, xrefs: 00401E4A
Windows Media Player, xrefs: 00401E45
&Hide Window, xrefs: 00401E16
&Show Window, xrefs: 00401DEC
About..., xrefs: 00401DC2

Memory Dump Source

Source File: 00000000.00000002.1305693753.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1305662841.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1305718639.0000000000405000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1305744729.0000000000407000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1305744729.0000000000474000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mNtu4X8ZyE.jbxd

Similarity

API ID: Window$Create$Menu$Append$DestroyFindMessagePostProcQuitShowSystem
String ID: &Change Caption$&Hide Window$&Show Window$About...$Button$Edit$Windows Media Player
API String ID: 1675743168-3498740803
Opcode ID: 6fa5b30cb9d90c5671a906c00b49d1a349abe0e32d26c551bf39c42dfad87899
Instruction ID: d2c89a25cf38dd3cc98bce7da6c1abaab37f22b51a640bf9a67e858da95faab1
Opcode Fuzzy Hash: 6fa5b30cb9d90c5671a906c00b49d1a349abe0e32d26c551bf39c42dfad87899
Instruction Fuzzy Hash: 43416271384705BBF630A7649D4AF6B3698EB44F15F204437F701BA2E1D6F9A8408BAD

Function 004020EA Relevance: 16.6, APIs: 11, Instructions: 111COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 00402117
__p__fmode.MSVCRT ref: 0040212C
__p__commode.MSVCRT ref: 0040213A
__setusermatherr.MSVCRT ref: 00402166
_initterm.MSVCRT ref: 0040217C
__getmainargs.MSVCRT ref: 0040219F
_initterm.MSVCRT ref: 004021AF
GetStartupInfoA.KERNEL32(?), ref: 004021EE
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402212
exit.MSVCRT ref: 00402222
_XcptFilter.MSVCRT ref: 00402234

Memory Dump Source

Source File: 00000000.00000002.1305693753.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1305662841.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1305718639.0000000000405000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1305744729.0000000000407000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1305744729.0000000000474000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mNtu4X8ZyE.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 6ec102433b06512b8c0474839b6dd368cc5f6bc9c2e1b5937cc38a74b614f200
Instruction ID: 87e11df5f4ae46379268185e5a3862cdd04542f6cf5212e8f2ca647c65b29d7f
Opcode Fuzzy Hash: 6ec102433b06512b8c0474839b6dd368cc5f6bc9c2e1b5937cc38a74b614f200
Instruction Fuzzy Hash: EB415DB19016449FDB249FA4DE49AAA7BB8FB09710F20017FE952B72E1C7B84940CF58

Function 026114A0 Relevance: 12.2, APIs: 8, Instructions: 171COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F), ref: 026114DB
SetLastError.KERNEL32(0000007F), ref: 02611507

Memory Dump Source

Source File: 00000000.00000002.1306220984.0000000002611000.00000020.00001000.00020000.00000000.sdmp, Offset: 02611000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2611000_mNtu4X8ZyE.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: a996b79ec3766b9bd47e34c6a6b20b7b5d723e0e8a5c610fcdd4f07667b94ab1
Instruction ID: f97805c29c9a9cd389c43873e4458beb253c77025ee50507e74f202e10da66bd
Opcode Fuzzy Hash: a996b79ec3766b9bd47e34c6a6b20b7b5d723e0e8a5c610fcdd4f07667b94ab1
Instruction Fuzzy Hash: 05710574E04109EFDB08DF94C590BADB7B2FF49304F288599E91AAB341D735AA81CF94

Function 00401070 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 0040108C
DestroyWindow.USER32(?), ref: 0040109C
SetDlgItemTextA.USER32(?,000003E8,This program was created in using pure Win32 API (in C++). The purpose of this program is to save both screen memory and taskbar space by hiding the Windows Media Player Window.), ref: 004010B6
DestroyWindow.USER32(?), ref: 004010E0

Strings

This program was created in using pure Win32 API (in C++). The purpose of this program is to save both screen memory and taskbar space by hiding the Windows Media Player Window., xrefs: 004010AB

Memory Dump Source

Source File: 00000000.00000002.1305693753.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1305662841.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1305718639.0000000000405000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1305744729.0000000000407000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1305744729.0000000000474000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mNtu4X8ZyE.jbxd

Similarity

API ID: DestroyWindow$ItemText
String ID: This program was created in using pure Win32 API (in C++). The purpose of this program is to save both screen memory and taskbar space by hiding the Windows Media Player Window.
API String ID: 396529852-1331625695
Opcode ID: a61dc5f83ef90b811d585fcc311af718773135b45cb18a34e47a048bdf587a9a
Instruction ID: b100099e501738790042682215e8a6d7cad033c4a8bb43f03221d718276c4884
Opcode Fuzzy Hash: a61dc5f83ef90b811d585fcc311af718773135b45cb18a34e47a048bdf587a9a
Instruction Fuzzy Hash: 0DF0AF322142406FC7148B70DA8C92B72D4EBA9701F41CC3AF182E6AE4D73DCC90EB59

Function 02612430 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 02612468
VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 026124B2

Strings

@, xrefs: 02612453

Memory Dump Source

Source File: 00000000.00000002.1306220984.0000000002611000.00000020.00001000.00020000.00000000.sdmp, Offset: 02611000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2611000_mNtu4X8ZyE.jbxd

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: 758b09b4f4b188b822678825a5f47361f6559773a8ae6037602e4fef26b8868d
Instruction ID: a8218d21f59b1a2d2eac663698611153b811e34491e9f49eeb7d638025caf2ad
Opcode Fuzzy Hash: 758b09b4f4b188b822678825a5f47361f6559773a8ae6037602e4fef26b8868d
Instruction Fuzzy Hash: 782107B0E00218EFDF14CF98C991BADBBB5BF44304F288589DD06AB340C334AA91DB51

Function 00401005 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleExA.KERNEL32(00000000,kernel32.dll), ref: 004015A3
VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,?,00000000,kernel32.dll), ref: 004015BB

Strings

kernel32.dll, xrefs: 00401599

Memory Dump Source

Source File: 00000000.00000002.1305693753.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1305662841.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1305718639.0000000000405000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1305744729.0000000000407000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1305744729.0000000000474000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mNtu4X8ZyE.jbxd

Similarity

API ID: AllocHandleModuleVirtual
String ID: kernel32.dll
API String ID: 2270936652-1793498882
Opcode ID: 5bf35002c93f4facc3e081f7e865f0f685930981354593ef6d5b8ce1566f61f9
Instruction ID: bb32f66759e984ad9a82917001f02bd0d3e76ee526862dde03f538f9ec23572d
Opcode Fuzzy Hash: 5bf35002c93f4facc3e081f7e865f0f685930981354593ef6d5b8ce1566f61f9
Instruction Fuzzy Hash: BCF0A77230132427C614DA555C05BAF6699FBC4B61F14043EFA07F72C0CB749904D3A9

Function 026121A0 Relevance: 5.2, APIs: 4, Instructions: 182COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000014), ref: 026121F9
SetLastError.KERNEL32(0000007E), ref: 0261223B

Memory Dump Source

Source File: 00000000.00000002.1306220984.0000000002611000.00000020.00001000.00020000.00000000.sdmp, Offset: 02611000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2611000_mNtu4X8ZyE.jbxd

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 0ba5735d690fff462cf55554bad8746523d3fceeb9882938484c6c1b25645b03
Instruction ID: c89c90dd665e6c5f9027c14d33acae50c6cd05aef727d9da5631533e23774be0
Opcode Fuzzy Hash: 0ba5735d690fff462cf55554bad8746523d3fceeb9882938484c6c1b25645b03
Instruction Fuzzy Hash: E081AA74A00219DFDB08CF94C994BAEB7B1FF48314F148599E909AB351D734EA91CF91

Analysis Process: regedit.exePID: 7464, Parent PID: 7360COMMON

Execution Graph

Execution Coverage:	5.7%
Dynamic/Decrypted Code Coverage:	96.3%
Signature Coverage:	0.9%
Total number of Nodes:	974
Total number of Limit Nodes:	24

Executed Functions

Function 00401600 Relevance: 121.2, APIs: 54, Strings: 15, Instructions: 458
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(Advapi32.dll,EncryptFileA), ref: 0040161A
GetProcAddress.KERNEL32(00000000), ref: 00401623
EncryptFileA.ADVAPI32(C:\Windows\Setup\State\State.ini), ref: 0040162A
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60 ref: 0040167D
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(LdrFin), ref: 0040169F
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 004016B2
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(dReso), ref: 004016D1
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 004016E4
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(urce_U), ref: 00401703
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,?,?), ref: 00401723
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401731
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00401742
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00401755
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Ldr), ref: 00401774
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00401787
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Acces), ref: 004017A6

Strings

GIh@36E#YEA1tFmFqw44wMs%bm^9R?qzDkkk^Ht+tywp2T&M8aVQ1wu#c<eCQglgS+m&KyvZQb_x!tLZTbzSj4!?m$5vwsutammbhRsGHUifpf, xrefs: 004018AC
urce_U, xrefs: 004016EA, 004016FA
dReso, xrefs: 004016B8, 004016C8
WMPlayerWindowEditor, xrefs: 00401939, 004019F5
Advapi32.dll, xrefs: 00401615
LdrFindResource_U, xrefs: 00401826
sResource, xrefs: 004017BF, 004017CF
LdrFin, xrefs: 00401683, 00401693
EncryptFileA, xrefs: 00401610
Windows Media Player HWND Editor, xrefs: 004019F0
Ldr, xrefs: 0040175B, 0040176B
ntdll.dll, xrefs: 0040181D
C:\Windows\Setup\State\State.ini, xrefs: 00401625
Acces, xrefs: 0040178D, 0040179D
LdrAccessResource, xrefs: 0040182E

Memory Dump Source

Source File: 00000002.00000002.1321303843.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1321284705.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1321339220.0000000000405000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1321369799.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1321369799.0000000000474000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_regedit.jbxd

Similarity

API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$Tidy@?$basic_string@$?assign@?$basic_string@V12@$D@2@@0@Hstd@@V10@0@V?$basic_string@$AddressEncryptFileLibraryLoadProc
String ID: Acces$Advapi32.dll$C:\Windows\Setup\State\State.ini$EncryptFileA$GIh@36E#YEA1tFmFqw44wMs%bm^9R?qzDkkk^Ht+tywp2T&M8aVQ1wu#c<eCQglgS+m&KyvZQb_x!tLZTbzSj4!?m$5vwsutammbhRsGHUifpf$Ldr$LdrAccessResource$LdrFin$LdrFindResource_U$WMPlayerWindowEditor$Windows Media Player HWND Editor$dReso$ntdll.dll$sResource$urce_U
API String ID: 3516244591-712066751
Opcode ID: f8c8bf3419da7efc3c2f758ebdd38b7438056af9a9bfe9611bd3ddaf80b0cfcc
Instruction ID: dce9f58f7b180b880584391d3317b87618375bb0fe771e7de301abb772954e00
Opcode Fuzzy Hash: f8c8bf3419da7efc3c2f758ebdd38b7438056af9a9bfe9611bd3ddaf80b0cfcc
Instruction Fuzzy Hash: FDF1E4711183809FD324DF60CC49BAFBBA4EB84310F40493EF586632D1EBB99909CB5A

Function 02151030 Relevance: 18.4, APIs: 12, Instructions: 362
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(02154054,02154040), ref: 02151047
GetProcAddress.KERNEL32(00000000), ref: 0215104E

Part of subcall function 02151B30: SetLastError.KERNEL32(0000000D,?,02151070,?,00000040), ref: 02151B3D

SetLastError.KERNEL32(000000C1), ref: 02151096

Memory Dump Source

Source File: 00000002.00000002.1322259807.0000000002151000.00000020.00001000.00020000.00000000.sdmp, Offset: 02151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2151000_regedit.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID:
API String ID: 1866314245-0
Opcode ID: 1c70ebbdf06eb527305580aeb69db7613f0e5eb50ac8203d339ee57ead50b6cf
Instruction ID: 491529c3653632bbc86f1a0f068b7ee0f56f1a48ae8505bacccf1d52660e7627
Opcode Fuzzy Hash: 1c70ebbdf06eb527305580aeb69db7613f0e5eb50ac8203d339ee57ead50b6cf
Instruction Fuzzy Hash: F5F1E6B4E40219EFDB04CF94D994BAEB7B1BF48304F208598E929AB341D775EA51CF90

Function 021B8330 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 236
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,?,000001C3,00000000,?,38CFF007,?,?), ref: 021B84C7
SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 021B853C
CloseHandle.KERNELBASE(?,?,38CFF007,?,?), ref: 021B86DB

Strings

@, xrefs: 021B8370
iL`2, xrefs: 021B8656
V^!, xrefs: 021B8396
iL`2, xrefs: 021B86AC
12, xrefs: 021B85B5

Memory Dump Source

Source File: 00000002.00000002.1322392048.00000000021B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: true

Associated: 00000002.00000002.1322373634.00000000021B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322408538.00000000021BD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322425692.00000000021C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322425692.0000000002203000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21b0000_regedit.jbxd

Yara matches

Similarity

API ID: FileHandle$CloseCreateInformation
String ID: @$iL`2$iL`2$12$V^!
API String ID: 1240749428-1221398831
Opcode ID: 596545ae51faefc2cbf7c3a7f2886ac0bb082c9eb62e14ea0b608f2d8e205852
Instruction ID: b307a3171a7ede1b06a9375dfd45c5142721078fd82af559ab3d3d102372400d
Opcode Fuzzy Hash: 596545ae51faefc2cbf7c3a7f2886ac0bb082c9eb62e14ea0b608f2d8e205852
Instruction Fuzzy Hash: C591AE71A483018FD719DE28E9946AFBBF9AFC4704F10892DF48A9B290D774D9448F92

Function 021B5390 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 248
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,00020000,?,?,?,?,?,?,021B8CFA), ref: 021B5682
RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,?,?,?,?,?,021B8CFA), ref: 021B570C

Strings

12, xrefs: 021B5641
J`, xrefs: 021B5405
12, xrefs: 021B5493
p^sw, xrefs: 021B54A8, 021B54C7, 021B5656, 021B5675
12, xrefs: 021B56CF

Memory Dump Source

Source File: 00000002.00000002.1322392048.00000000021B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: true

Associated: 00000002.00000002.1322373634.00000000021B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322408538.00000000021BD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322425692.00000000021C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322425692.0000000002203000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21b0000_regedit.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID: p^sw$12$12$12$J`
API String ID: 2488874121-2896302409
Opcode ID: 5e0bfe95f732a7905486466a2a5e083813f252920a02e4176e0d25b1636726a9
Instruction ID: 29e89f9de61bea9fa1ccc4f8a5418b5f47afcb989ffdf3ae5b35da568c44df46
Opcode Fuzzy Hash: 5e0bfe95f732a7905486466a2a5e083813f252920a02e4176e0d25b1636726a9
Instruction Fuzzy Hash: AC81F831FC4201AFDA166B79AC607EF26F7AF84344F854839E815DB351EB64DC118B91

Function 021B3A20 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 189
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?), ref: 021B3B78
FindNextFileW.KERNELBASE(?,?), ref: 021B3BB9
FindClose.KERNELBASE(?), ref: 021B3CC5

Strings

12, xrefs: 021B3C53
HUE(, xrefs: 021B3BCE
., xrefs: 021B3A7D
HUE(, xrefs: 021B3BDC

Memory Dump Source

Source File: 00000002.00000002.1322392048.00000000021B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: true

Associated: 00000002.00000002.1322373634.00000000021B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322408538.00000000021BD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322425692.00000000021C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322425692.0000000002203000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21b0000_regedit.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID: .$HUE($HUE($12
API String ID: 3541575487-884143723
Opcode ID: 1ae9f58a8a03f7b2906a05351232a2ecfa22cd9c29d2913861a1fb192ebeb18b
Instruction ID: abc909cc0f018ea368f004823d382ead05fd7e1d10ee8dfb29a44f966a66da11
Opcode Fuzzy Hash: 1ae9f58a8a03f7b2906a05351232a2ecfa22cd9c29d2913861a1fb192ebeb18b
Instruction Fuzzy Hash: FC511A31BC42014BCB2BFAB8A954BFB76F69F91200F104D6DF565C7241EB36C8658B92

Function 021B86F0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 187
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000), ref: 021B8908

Strings

x*, xrefs: 021B86FE
V^!, xrefs: 021B875B
[i, xrefs: 021B871B

Memory Dump Source

Source File: 00000002.00000002.1322392048.00000000021B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: true

Associated: 00000002.00000002.1322373634.00000000021B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322408538.00000000021BD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322425692.00000000021C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322425692.0000000002203000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21b0000_regedit.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: [i$V^!$x*
API String ID: 823142352-1411442858
Opcode ID: 6d64c3bfa24e0060e2e916f9898e37f64be72e527f063f4de237b0b4e56bafea
Instruction ID: a1c3916c89cc5c6ccee02d5e4a936539bb8446b50984e79b0b14ec7789aa70d6
Opcode Fuzzy Hash: 6d64c3bfa24e0060e2e916f9898e37f64be72e527f063f4de237b0b4e56bafea
Instruction Fuzzy Hash: B871C071A883019FD709EE29D8586AFBBF5AFC4714F018D2CE4A997290D774D909CF82

Function 00401019 Relevance: 33.2, APIs: 22, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4,00000343,02042508), ref: 00401398
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 0040139B
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 004013AC
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 004013AF
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 004013C1
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 004013C4
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,6EA4A3D8,004059A4), ref: 004013D9
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 004013EA
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 004013F0
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 00401402
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 00401405
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,6EA4A3D8,004059A4), ref: 0040141A
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 0040142B
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 0040142E
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 00401440
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 00401443
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 00401455
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 00401458
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 0040146C
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 0040146F
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 00401481
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 00401484

Memory Dump Source

Source File: 00000002.00000002.1321303843.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1321284705.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1321339220.0000000000405000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1321369799.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1321369799.0000000000474000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_regedit.jbxd

Similarity

API ID: U?$char_traits@V?$basic_ostream@$?endl@std@@D@std@@@1@V21@@$??6std@@D@std@@@0@V10@
String ID:
API String ID: 2803004057-0
Opcode ID: 4e668faee3baf0bf314fe0a6ed89ed04cc46d060bfd11fc77c33a5f615d1b13b
Instruction ID: e5c193a8be6e18b913c016f231c9b957fb8706e5e71893854bd9b99652add971
Opcode Fuzzy Hash: 4e668faee3baf0bf314fe0a6ed89ed04cc46d060bfd11fc77c33a5f615d1b13b
Instruction Fuzzy Hash: 0E51F3796053919FC700EB74DD8882B7FA9EF88314F0548EDF845A73D1C6799418CBAA

Function 021B31F0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 162
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,0000021C), ref: 021B33D1

Strings

p^sw, xrefs: 021B33C4
V<j[, xrefs: 021B33F7
12, xrefs: 021B3390

Memory Dump Source

Source File: 00000002.00000002.1322392048.00000000021B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: true

Associated: 00000002.00000002.1322373634.00000000021B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322408538.00000000021BD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322425692.00000000021C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322425692.0000000002203000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21b0000_regedit.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: V<j[$p^sw$12
API String ID: 1279760036-1938916030
Opcode ID: 6cf95f13906b4579c286bf66353f6bfec094916cf2b2aed564709f9653e54b60
Instruction ID: e05b87bb6750d4e5d6e3018f7a7caacaf51db17037c57cb8ac003c189a4cb9c9
Opcode Fuzzy Hash: 6cf95f13906b4579c286bf66353f6bfec094916cf2b2aed564709f9653e54b60
Instruction Fuzzy Hash: 36512775A843018FC719DE2894945AFBBF2EFD4240F108CAEE461C7391DB71D96ACB82

Function 01FD002D Relevance: 4.9, APIs: 3, Instructions: 387
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,01FD0005), ref: 01FD00E9
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,01FD0005), ref: 01FD0111

Memory Dump Source

Source File: 00000002.00000002.1322151004.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1fd0000_regedit.jbxd

Yara matches

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID:
API String ID: 2032221330-0
Opcode ID: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
Instruction ID: 2bdd85d2618c85df02c5e6af34a5c100c6a39c69f978da67e16c943c8f6b9570
Opcode Fuzzy Hash: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
Instruction Fuzzy Hash: 61D19B71A04306DBE714CF69C88477AB7E2BF84318F18852DF9958B242EB76E845CB91

Function 021B73C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(00000000,?,38CFF007,021B6F11), ref: 021B747A

Strings

12, xrefs: 021B7498

Memory Dump Source

Source File: 00000002.00000002.1322392048.00000000021B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: true

Associated: 00000002.00000002.1322373634.00000000021B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322408538.00000000021BD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322425692.00000000021C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322425692.0000000002203000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21b0000_regedit.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 12
API String ID: 1029625771-2589614596
Opcode ID: b8d4251b7739b5a2e970ed218c6015da070bef7630a0aeafaaa3e494c194d858
Instruction ID: 09347536af9a8cfeaf37b67138aa2f4aa1f891a8e6c5ac13ec90980fed14f7cf
Opcode Fuzzy Hash: b8d4251b7739b5a2e970ed218c6015da070bef7630a0aeafaaa3e494c194d858
Instruction Fuzzy Hash: 01316326BC41048BDA2F657978A03FBD6B39FC1611F51487AE902CB3D5EB65C843CB92

Function 021B4EC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 021B4F41

Strings

D, xrefs: 021B4F00

Memory Dump Source

Source File: 00000002.00000002.1322392048.00000000021B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: true

Associated: 00000002.00000002.1322373634.00000000021B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322408538.00000000021BD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322425692.00000000021C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322425692.0000000002203000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21b0000_regedit.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: D
API String ID: 963392458-2746444292
Opcode ID: d7aefdbd9d9850eb07bf67988251c834fef13713bbbceb103c76d92e8b661676
Instruction ID: df195f1c3cfdbbbf38c3f6d20a9017d2d19cf1bbd0d69156bcab21a0fbcd8d0e
Opcode Fuzzy Hash: d7aefdbd9d9850eb07bf67988251c834fef13713bbbceb103c76d92e8b661676
Instruction Fuzzy Hash: 88219135B842415FE716AB7CAC64BEB3BF69FC0600F50892CF944CB282EB74D8558B91

Function 021B37E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 021B38A7

Strings

12, xrefs: 021B383E

Memory Dump Source

Source File: 00000002.00000002.1322392048.00000000021B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: true

Associated: 00000002.00000002.1322373634.00000000021B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322408538.00000000021BD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322425692.00000000021C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322425692.0000000002203000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21b0000_regedit.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: 12
API String ID: 4033686569-2589614596
Opcode ID: 46500da407e91f57304f1b3632c3df120b215d8cb61ba8495de67896d0797bad
Instruction ID: 5e57cc7a39167a87ee18944509741a1d64d9068d82156a9bf09833232baec153
Opcode Fuzzy Hash: 46500da407e91f57304f1b3632c3df120b215d8cb61ba8495de67896d0797bad
Instruction Fuzzy Hash: E1113370FC42014FDB1AB679A920BEB2AF69F85340B40497CE955CB282EF75D8218B91

Function 021B7320 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(00000000,?,38CFF007,021B7540,?,38CFF007,021B6F11), ref: 021B7350

Strings

12, xrefs: 021B736F

Memory Dump Source

Source File: 00000002.00000002.1322392048.00000000021B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: true

Associated: 00000002.00000002.1322373634.00000000021B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322408538.00000000021BD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322425692.00000000021C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322425692.0000000002203000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21b0000_regedit.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 12
API String ID: 1029625771-2589614596
Opcode ID: 496a576e3d8d6d6d0629f781d878b72880eeffeb0ec1347dfbd9601a2295da76
Instruction ID: a630575af3c3a9e8cf2bca69ada5e854836b39e8acd8edd30502684c0951c5c9
Opcode Fuzzy Hash: 496a576e3d8d6d6d0629f781d878b72880eeffeb0ec1347dfbd9601a2295da76
Instruction Fuzzy Hash: 73014474BC42014FCB1ABB7978607AF6AF69FC12103008878E815CB381EB35D8528F91

Function 021B6060 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 021B608B

Memory Dump Source

Source File: 00000002.00000002.1322392048.00000000021B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: true

Associated: 00000002.00000002.1322373634.00000000021B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322408538.00000000021BD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322425692.00000000021C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322425692.0000000002203000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21b0000_regedit.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 1dc2de6eb9a6409fc4938d72f86069b54b8c05795739e79e6c4f1c0f952e667f
Instruction ID: e39f13a1e0efa28577c72cdc6c4425971598f3d6cb8688497456042565dff69e
Opcode Fuzzy Hash: 1dc2de6eb9a6409fc4938d72f86069b54b8c05795739e79e6c4f1c0f952e667f
Instruction Fuzzy Hash: CAD01230FC42448ED606BAB57825BAF25FA9F90705F40883DF5418F286DF6288229F91

Function 02151D10 Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1322259807.0000000002151000.00000020.00001000.00020000.00000000.sdmp, Offset: 02151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2151000_regedit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603be819e204da0518020e24da3af8baf26c7ac2b8ac7e80a5096bd84e4401d7
Instruction ID: c9a3b1081c9ad60dacdf063bb1398db097c94491148cbd02684aeddc98cb2a77
Opcode Fuzzy Hash: 603be819e204da0518020e24da3af8baf26c7ac2b8ac7e80a5096bd84e4401d7
Instruction Fuzzy Hash: C341B774A40219EFDB05CF44C494BAAB7B2FB88314F24C599EC295B355C775EA82CB80

Function 021B8449 Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,?,000001C3,00000000,?,38CFF007,?,?), ref: 021B84C7
SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 021B853C

Memory Dump Source

Source File: 00000002.00000002.1322392048.00000000021B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: true

Associated: 00000002.00000002.1322373634.00000000021B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322408538.00000000021BD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322425692.00000000021C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322425692.0000000002203000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21b0000_regedit.jbxd

Yara matches

Similarity

API ID: File$CreateHandleInformation
String ID:
API String ID: 3667790775-0
Opcode ID: 61a27b58d4d84efce9cac1fbcbed8267f1fd200f017ae4c2fd9c54959c828da0
Instruction ID: 4ec0ce9dd3be8045b2cee496841371f223b73fd594458620f6669ceb461f3bcc
Opcode Fuzzy Hash: 61a27b58d4d84efce9cac1fbcbed8267f1fd200f017ae4c2fd9c54959c828da0
Instruction Fuzzy Hash: CCF086706882004BCA2ED96898A4BBE73FE5F88714F55091DF15ADB9D0D72198414792

Function 021527B0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 021527D9

Memory Dump Source

Source File: 00000002.00000002.1322259807.0000000002151000.00000020.00001000.00020000.00000000.sdmp, Offset: 02151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2151000_regedit.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 0a7ec7145f440db6e1cddd4699c1e57eec5c16a172483f947b29b8306aa274e5
Instruction ID: 09a9b750e148cbdccbbfea69c6ebc9a26267605a3cadaf38892728f45c4acb17
Opcode Fuzzy Hash: 0a7ec7145f440db6e1cddd4699c1e57eec5c16a172483f947b29b8306aa274e5
Instruction Fuzzy Hash: 8FD017B4D80208FFD740EFA4D90AA9EBBB4AF04202F9080A4ED1467240E7B02A148B92

Function 02151820 Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 0215182F

Memory Dump Source

Source File: 00000002.00000002.1322259807.0000000002151000.00000020.00001000.00020000.00000000.sdmp, Offset: 02151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2151000_regedit.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: a6a5e6ab66d06225ed6951826b560ecf56a6b02e8fd10b5e024f177a48fc8012
Instruction ID: ca941a37836181078f6c1c23947eb134308caef50f3275d1487849bf1f54ad64
Opcode Fuzzy Hash: a6a5e6ab66d06225ed6951826b560ecf56a6b02e8fd10b5e024f177a48fc8012
Instruction Fuzzy Hash: BAC04C7A55430CEB8B04DF98E884DAB77EDBB8C650B448548BA1D87200D630F9508BA4

Non-executed Functions

Function 021B91E0 Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

;r', xrefs: 021B9200
;r', xrefs: 021B9330
;r', xrefs: 021B92A4

Memory Dump Source

Source File: 00000002.00000002.1322392048.00000000021B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: true

Associated: 00000002.00000002.1322373634.00000000021B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322408538.00000000021BD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322425692.00000000021C0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1322425692.0000000002203000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_21b0000_regedit.jbxd

Yara matches

Similarity

API ID:
String ID: ;r'$ ;r'$ ;r'
API String ID: 0-3796487830
Opcode ID: 8fe25a3b043681836c9a6f90290d4aea52d84e7de3629ca6ee361b93272dc601
Instruction ID: ba32ab3cdc8dbcd9b115355f372b76220ecb71db2e934674fd7455138bd5249f
Opcode Fuzzy Hash: 8fe25a3b043681836c9a6f90290d4aea52d84e7de3629ca6ee361b93272dc601
Instruction Fuzzy Hash: 2441A725FC42019BDB1B5ABDB8A07BB32F69F85310B144879EA16C7241EB61DC42CF51

Function 00401D70 Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 147windowCOMMON

Download Yara Rule

APIs

PostQuitMessage.USER32(00000000), ref: 00401D96

Part of subcall function 00401F90: FindWindowA.USER32(WMPlayerApp,00000000), ref: 00401F97

DestroyWindow.USER32(?), ref: 00401D9D
GetSystemMenu.USER32(?,00000000), ref: 00401DA8
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00401DC0
AppendMenuA.USER32(00000000,00000000,00000005,About...), ref: 00401DCC
CreateWindowExA.USER32(00000000,Button,&Show Window,50000000,00000005,00000005,0000007D,00000019,?,00000002,00000000,00000000), ref: 00401DF8
CreateWindowExA.USER32(00000000,Button,&Hide Window,50000000,00000087,00000005,0000007D,00000019,?,00000003,00000000,00000000), ref: 00401E27
CreateWindowExA.USER32(00000000,Edit,Windows Media Player,50800000,0000000F,0000002D,000000EB,00000019,?,00000001,00000000,00000000), ref: 00401E56
CreateWindowExA.USER32(00000000,Button,&Change Caption,50000000,00000048,0000004E,0000007D,00000019,?,00000004,00000000,00000000), ref: 00401E81
ShowWindow.USER32(00000000,00000000), ref: 00401EFB
DefWindowProcA.USER32(?,?,?,?), ref: 00401F0D

Strings

Edit, xrefs: 00401E4A
Windows Media Player, xrefs: 00401E45
&Show Window, xrefs: 00401DEC
&Change Caption, xrefs: 00401E75
&Hide Window, xrefs: 00401E16
Button, xrefs: 00401DF1, 00401E1B, 00401E7A
About..., xrefs: 00401DC2

Memory Dump Source

Source File: 00000002.00000002.1321303843.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1321284705.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1321339220.0000000000405000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1321369799.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1321369799.0000000000474000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_regedit.jbxd

Similarity

API ID: Window$Create$Menu$Append$DestroyFindMessagePostProcQuitShowSystem
String ID: &Change Caption$&Hide Window$&Show Window$About...$Button$Edit$Windows Media Player
API String ID: 1675743168-3498740803
Opcode ID: 6fa5b30cb9d90c5671a906c00b49d1a349abe0e32d26c551bf39c42dfad87899
Instruction ID: d2c89a25cf38dd3cc98bce7da6c1abaab37f22b51a640bf9a67e858da95faab1
Opcode Fuzzy Hash: 6fa5b30cb9d90c5671a906c00b49d1a349abe0e32d26c551bf39c42dfad87899
Instruction Fuzzy Hash: 43416271384705BBF630A7649D4AF6B3698EB44F15F204437F701BA2E1D6F9A8408BAD

Function 004020EA Relevance: 16.6, APIs: 11, Instructions: 111COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 00402117
__p__fmode.MSVCRT ref: 0040212C
__p__commode.MSVCRT ref: 0040213A
__setusermatherr.MSVCRT ref: 00402166
_initterm.MSVCRT ref: 0040217C
__getmainargs.MSVCRT ref: 0040219F
_initterm.MSVCRT ref: 004021AF
GetStartupInfoA.KERNEL32(?), ref: 004021EE
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402212
exit.MSVCRT ref: 00402222
_XcptFilter.MSVCRT ref: 00402234

Memory Dump Source

Source File: 00000002.00000002.1321303843.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1321284705.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1321339220.0000000000405000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1321369799.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1321369799.0000000000474000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_regedit.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 6ec102433b06512b8c0474839b6dd368cc5f6bc9c2e1b5937cc38a74b614f200
Instruction ID: 87e11df5f4ae46379268185e5a3862cdd04542f6cf5212e8f2ca647c65b29d7f
Opcode Fuzzy Hash: 6ec102433b06512b8c0474839b6dd368cc5f6bc9c2e1b5937cc38a74b614f200
Instruction Fuzzy Hash: EB415DB19016449FDB249FA4DE49AAA7BB8FB09710F20017FE952B72E1C7B84940CF58

Function 021514A0 Relevance: 12.2, APIs: 8, Instructions: 171COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F), ref: 021514DB
SetLastError.KERNEL32(0000007F), ref: 02151507

Memory Dump Source

Source File: 00000002.00000002.1322259807.0000000002151000.00000020.00001000.00020000.00000000.sdmp, Offset: 02151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2151000_regedit.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 38d59d98edf10e95d0040ecf6f75dc42b4bd876feba1705b95f5e4ba4daa6bc0
Instruction ID: 4229021a8659925bddf22ac13af3bafc9d05b8c8ff336f2b4fbcab3be19afa0b
Opcode Fuzzy Hash: 38d59d98edf10e95d0040ecf6f75dc42b4bd876feba1705b95f5e4ba4daa6bc0
Instruction Fuzzy Hash: 6A71D874E50219EFDB08DF94C580BADB7F2FF48304F648598D92AAB341D774AA91CB90

Function 00401070 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 0040108C
DestroyWindow.USER32(?), ref: 0040109C
SetDlgItemTextA.USER32(?,000003E8,This program was created in using pure Win32 API (in C++). The purpose of this program is to save both screen memory and taskbar space by hiding the Windows Media Player Window.), ref: 004010B6
DestroyWindow.USER32(?), ref: 004010E0

Strings

This program was created in using pure Win32 API (in C++). The purpose of this program is to save both screen memory and taskbar space by hiding the Windows Media Player Window., xrefs: 004010AB

Memory Dump Source

Source File: 00000002.00000002.1321303843.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1321284705.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1321339220.0000000000405000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1321369799.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1321369799.0000000000474000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_regedit.jbxd

Similarity

API ID: DestroyWindow$ItemText
String ID: This program was created in using pure Win32 API (in C++). The purpose of this program is to save both screen memory and taskbar space by hiding the Windows Media Player Window.
API String ID: 396529852-1331625695
Opcode ID: a61dc5f83ef90b811d585fcc311af718773135b45cb18a34e47a048bdf587a9a
Instruction ID: b100099e501738790042682215e8a6d7cad033c4a8bb43f03221d718276c4884
Opcode Fuzzy Hash: a61dc5f83ef90b811d585fcc311af718773135b45cb18a34e47a048bdf587a9a
Instruction Fuzzy Hash: 0DF0AF322142406FC7148B70DA8C92B72D4EBA9701F41CC3AF182E6AE4D73DCC90EB59

Function 02152430 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 02152468
VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 021524B2

Strings

@, xrefs: 02152453

Memory Dump Source

Source File: 00000002.00000002.1322259807.0000000002151000.00000020.00001000.00020000.00000000.sdmp, Offset: 02151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2151000_regedit.jbxd

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: 6c2df5c8b49438196d5d3774c7a48a33bbf5bbd1db1b9e2142c462ce5d7016b8
Instruction ID: 2a6d660bf587a297ee938417ad6ad13f22ad7f4642dd627ed4fe214f99512c53
Opcode Fuzzy Hash: 6c2df5c8b49438196d5d3774c7a48a33bbf5bbd1db1b9e2142c462ce5d7016b8
Instruction Fuzzy Hash: 3621E7B1E44219EFDF14CF98C984BAEBBB5BF44304F2085D9ED25AB240C774AA80DB55

Function 00401005 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleExA.KERNEL32(00000000,kernel32.dll), ref: 004015A3
VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,?,00000000,kernel32.dll), ref: 004015BB

Strings

kernel32.dll, xrefs: 00401599

Memory Dump Source

Source File: 00000002.00000002.1321303843.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1321284705.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1321339220.0000000000405000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1321369799.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1321369799.0000000000474000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_regedit.jbxd

Similarity

API ID: AllocHandleModuleVirtual
String ID: kernel32.dll
API String ID: 2270936652-1793498882
Opcode ID: 5bf35002c93f4facc3e081f7e865f0f685930981354593ef6d5b8ce1566f61f9
Instruction ID: bb32f66759e984ad9a82917001f02bd0d3e76ee526862dde03f538f9ec23572d
Opcode Fuzzy Hash: 5bf35002c93f4facc3e081f7e865f0f685930981354593ef6d5b8ce1566f61f9
Instruction Fuzzy Hash: BCF0A77230132427C614DA555C05BAF6699FBC4B61F14043EFA07F72C0CB749904D3A9

Function 021521A0 Relevance: 5.2, APIs: 4, Instructions: 182COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000014), ref: 021521F9
SetLastError.KERNEL32(0000007E), ref: 0215223B

Memory Dump Source

Source File: 00000002.00000002.1322259807.0000000002151000.00000020.00001000.00020000.00000000.sdmp, Offset: 02151000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2151000_regedit.jbxd

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: bb609784c086c6ce03699c1241c130f70ef7a40ddd124792f15c2918b8726793
Instruction ID: 275d7edb48337e0b0d25ad81b0e04cd21a47f69184a6ad65f05ef22e5afd084f
Opcode Fuzzy Hash: bb609784c086c6ce03699c1241c130f70ef7a40ddd124792f15c2918b8726793
Instruction Fuzzy Hash: FC81A975A40219EFDB48CF94C894BAEB7B1FF48314F148198ED19AB351D734AA91CF90

Analysis Process: wpnclient.exePID: 7580, Parent PID: 7464COMMON

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	93.1%
Signature Coverage:	2.7%
Total number of Nodes:	524
Total number of Limit Nodes:	49

Executed Functions

Function 00401600 Relevance: 121.2, APIs: 54, Strings: 15, Instructions: 458
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(Advapi32.dll,EncryptFileA), ref: 0040161A
GetProcAddress.KERNEL32(00000000), ref: 00401623
EncryptFileA.ADVAPI32(C:\Windows\Setup\State\State.ini), ref: 0040162A
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60 ref: 0040167D
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(LdrFin), ref: 0040169F
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 004016B2
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(dReso), ref: 004016D1
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 004016E4
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(urce_U), ref: 00401703
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,?,?), ref: 00401723
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401731
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 00401742
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00401755
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Ldr), ref: 00401774
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 00401787
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(Acces), ref: 004017A6

Strings

dReso, xrefs: 004016B8, 004016C8
EncryptFileA, xrefs: 00401610
C:\Windows\Setup\State\State.ini, xrefs: 00401625
sResource, xrefs: 004017BF, 004017CF
LdrAccessResource, xrefs: 0040182E
LdrFindResource_U, xrefs: 00401826
WMPlayerWindowEditor, xrefs: 00401939, 004019F5
Windows Media Player HWND Editor, xrefs: 004019F0
Acces, xrefs: 0040178D, 0040179D
Advapi32.dll, xrefs: 00401615
LdrFin, xrefs: 00401683, 00401693
GIh@36E#YEA1tFmFqw44wMs%bm^9R?qzDkkk^Ht+tywp2T&M8aVQ1wu#c<eCQglgS+m&KyvZQb_x!tLZTbzSj4!?m$5vwsutammbhRsGHUifpf, xrefs: 004018AC
Ldr, xrefs: 0040175B, 0040176B
urce_U, xrefs: 004016EA, 004016FA
ntdll.dll, xrefs: 0040181D

Memory Dump Source

Source File: 00000004.00000002.2541432357.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2541409691.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2541456929.0000000000405000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2541479704.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2541479704.0000000000474000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_wpnclient.jbxd

Similarity

API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$Tidy@?$basic_string@$?assign@?$basic_string@V12@$D@2@@0@Hstd@@V10@0@V?$basic_string@$AddressEncryptFileLibraryLoadProc
String ID: Acces$Advapi32.dll$C:\Windows\Setup\State\State.ini$EncryptFileA$GIh@36E#YEA1tFmFqw44wMs%bm^9R?qzDkkk^Ht+tywp2T&M8aVQ1wu#c<eCQglgS+m&KyvZQb_x!tLZTbzSj4!?m$5vwsutammbhRsGHUifpf$Ldr$LdrAccessResource$LdrFin$LdrFindResource_U$WMPlayerWindowEditor$Windows Media Player HWND Editor$dReso$ntdll.dll$sResource$urce_U
API String ID: 3516244591-712066751
Opcode ID: f8c8bf3419da7efc3c2f758ebdd38b7438056af9a9bfe9611bd3ddaf80b0cfcc
Instruction ID: dce9f58f7b180b880584391d3317b87618375bb0fe771e7de301abb772954e00
Opcode Fuzzy Hash: f8c8bf3419da7efc3c2f758ebdd38b7438056af9a9bfe9611bd3ddaf80b0cfcc
Instruction Fuzzy Hash: FDF1E4711183809FD324DF60CC49BAFBBA4EB84310F40493EF586632D1EBB99909CB5A

Function 02181030 Relevance: 18.4, APIs: 12, Instructions: 362
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(02184054,02184040), ref: 02181047
GetProcAddress.KERNEL32(00000000), ref: 0218104E

Part of subcall function 02181B30: SetLastError.KERNEL32(0000000D,?,02181070,?,00000040), ref: 02181B3D

SetLastError.KERNEL32(000000C1), ref: 02181096

Memory Dump Source

Source File: 00000004.00000002.2541930678.0000000002181000.00000020.00001000.00020000.00000000.sdmp, Offset: 02181000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2181000_wpnclient.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID:
API String ID: 1866314245-0
Opcode ID: dcb111a544bbcc80dde65501c748eca218fb5c1b56776e604ffbccee93838c02
Instruction ID: 3e3d0a417fc0c1b8ea8fa4eba270c9e9a2c36b43b1d6aae6b46de56683157e40
Opcode Fuzzy Hash: dcb111a544bbcc80dde65501c748eca218fb5c1b56776e604ffbccee93838c02
Instruction Fuzzy Hash: C0F1E9B5E40209EFDB04DF94D984BAEB7B1BF48304F208598E919AB341D735EA52CF90

Function 021E3A20 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 189
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?), ref: 021E3B78
FindNextFileW.KERNELBASE(?,?), ref: 021E3BB9
FindClose.KERNELBASE(?), ref: 021E3CC5

Strings

HUE(, xrefs: 021E3BCE
12, xrefs: 021E3C53
HUE(, xrefs: 021E3BDC
., xrefs: 021E3A7D

Memory Dump Source

Source File: 00000004.00000002.2542043862.00000000021E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000004.00000002.2542028563.00000000021E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542064560.00000000021ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.00000000021F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.0000000002233000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_wpnclient.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID: .$HUE($HUE($12
API String ID: 3541575487-884143723
Opcode ID: 6926cca61d7fa12fbd994a60c5f49db8fc469c74c8b30cd2dbe281bf68e71a78
Instruction ID: 0fecd261d3f842c200cfc79b3455d43b7b34063b7525a58c3b64cfdbdb4f42a1
Opcode Fuzzy Hash: 6926cca61d7fa12fbd994a60c5f49db8fc469c74c8b30cd2dbe281bf68e71a78
Instruction Fuzzy Hash: B751F831BC4A048BCE24EBB8AC4477F76D69BD0610F0109ADE567CB240EB35C8918B92

Function 021E2680 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 249
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptDecodeObjectEx.CRYPT32(00010001,00000013,?,?,00008000,00000000,?,?), ref: 021E28C2

Strings

p^sw, xrefs: 021E2796, 021E27B5
U3", xrefs: 021E26A2
12, xrefs: 021E2781
U3", xrefs: 021E2687

Memory Dump Source

Source File: 00000004.00000002.2542043862.00000000021E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000004.00000002.2542028563.00000000021E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542064560.00000000021ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.00000000021F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.0000000002233000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_wpnclient.jbxd

Yara matches

Similarity

API ID: CryptDecodeObject
String ID: U3"$U3"$p^sw$12
API String ID: 1207547050-1249047765
Opcode ID: 38e92e2958caddf68c3d21f677b68793719cc1094ab2ab47b376ce2161fe8c9d
Instruction ID: 5f3bafbf076d084b618a3c4952a4e69b53e01f5461fcada24fa595319bc05fcd
Opcode Fuzzy Hash: 38e92e2958caddf68c3d21f677b68793719cc1094ab2ab47b376ce2161fe8c9d
Instruction Fuzzy Hash: 5981F435FC06119BDF18AEA8AC60B6A23DA6B94300F05483DDD179F280EB719C948BD1

Function 021E86F0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 187
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000), ref: 021E8908

Strings

V^!, xrefs: 021E875B
[i, xrefs: 021E871B
x*, xrefs: 021E86FE

Memory Dump Source

Source File: 00000004.00000002.2542043862.00000000021E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000004.00000002.2542028563.00000000021E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542064560.00000000021ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.00000000021F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.0000000002233000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_wpnclient.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: [i$V^!$x*
API String ID: 823142352-1411442858
Opcode ID: 88bf14bc94d42dacc36249e872f8427ec2296cbcc04be38c06c7cb86d955681c
Instruction ID: 1aaa3635ebd61752b063fc9a59f9f0b95db7de1741a37462da24861d10dd12f0
Opcode Fuzzy Hash: 88bf14bc94d42dacc36249e872f8427ec2296cbcc04be38c06c7cb86d955681c
Instruction Fuzzy Hash: 8E71A471A487019FDB18DF68DC44A2FBBE5ABC4314F058D2DE8AA9B290D774D944CF82

Function 021E5720 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(38CFF007,38CFF007), ref: 021E57E3

Strings

7y30, xrefs: 021E5789
7y30, xrefs: 021E57B3

Memory Dump Source

Source File: 00000004.00000002.2542043862.00000000021E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000004.00000002.2542028563.00000000021E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542064560.00000000021ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.00000000021F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.0000000002233000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_wpnclient.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: 7y30$7y30
API String ID: 1721193555-1385743603
Opcode ID: 901c4e2774ad2de89eebee943ac28b4b297a53b1372f60b4c49624a0dadea799
Instruction ID: f72c64ef01277fca95c0d76f27d20ef1f873cf94c7c11940ea10149b08cfb449
Opcode Fuzzy Hash: 901c4e2774ad2de89eebee943ac28b4b297a53b1372f60b4c49624a0dadea799
Instruction Fuzzy Hash: 8A213A79ED0600EBDE3896289C9366B76C7978435CFC5092AE49BCB251E734C9618BC3

Function 021E4FD0 Relevance: 4.6, APIs: 3, Instructions: 102
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Process32FirstW.KERNEL32(00000000,0000022C), ref: 021E5044
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 021E50F4
CloseHandle.KERNELBASE(?,?,?,?), ref: 021E512C

Memory Dump Source

Source File: 00000004.00000002.2542043862.00000000021E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000004.00000002.2542028563.00000000021E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542064560.00000000021ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.00000000021F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.0000000002233000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_wpnclient.jbxd

Yara matches

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
String ID:
API String ID: 1083639309-0
Opcode ID: cb5e00c6f7bbef7bd2a3b599f835e0112fe91b55ca9ef2d861faad0fee79165b
Instruction ID: 106e88690a087f98b99556c3929e02663ebba4f5634e0e0c44d1f0faa4c31868
Opcode Fuzzy Hash: cb5e00c6f7bbef7bd2a3b599f835e0112fe91b55ca9ef2d861faad0fee79165b
Instruction Fuzzy Hash: 0731E975BC09016F9E2866BCBC5473F17C69B90618B98093AF523CF345E768C9858BD2

Function 00401019 Relevance: 33.2, APIs: 22, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4,00000343,00582508), ref: 00401398
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 0040139B
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 004013AC
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 004013AF
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 004013C1
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 004013C4
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,6EA4A3D8,004059A4), ref: 004013D9
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 004013EA
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 004013F0
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 00401402
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 00401405
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000,6EA4A3D8,004059A4), ref: 0040141A
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 0040142B
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 0040142E
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 00401440
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 00401443
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 00401455
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 00401458
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 0040146C
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 0040146F
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(6EA4A3D8,004059A4), ref: 00401481
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z.MSVCP60(00000000), ref: 00401484

Memory Dump Source

Source File: 00000004.00000002.2541432357.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2541409691.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2541456929.0000000000405000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2541479704.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2541479704.0000000000474000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_wpnclient.jbxd

Similarity

API ID: U?$char_traits@V?$basic_ostream@$?endl@std@@D@std@@@1@V21@@$??6std@@D@std@@@0@V10@
String ID:
API String ID: 2803004057-0
Opcode ID: 4e668faee3baf0bf314fe0a6ed89ed04cc46d060bfd11fc77c33a5f615d1b13b
Instruction ID: e5c193a8be6e18b913c016f231c9b957fb8706e5e71893854bd9b99652add971
Opcode Fuzzy Hash: 4e668faee3baf0bf314fe0a6ed89ed04cc46d060bfd11fc77c33a5f615d1b13b
Instruction Fuzzy Hash: 0E51F3796053919FC700EB74DD8882B7FA9EF88314F0548EDF845A73D1C6799418CBAA

Function 021E2CA0 Relevance: 21.3, APIs: 5, Strings: 7, Instructions: 339
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 021E2D44
InternetConnectW.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 021E2E28
ObtainUserAgentString.URLMON(00000000,00000000,00000200), ref: 021E301B
HttpSendRequestW.WININET(?,?,000000FF,00000000,00000000), ref: 021E30DF
InternetCloseHandle.WININET(?), ref: 021E311D

Strings

Y~?i, xrefs: 021E310B
12, xrefs: 021E3045
12, xrefs: 021E2FA2
p^sw, xrefs: 021E2FB7, 021E2FD6
Y~?i, xrefs: 021E313C
12, xrefs: 021E2EAC
Y~?i, xrefs: 021E2F16

Memory Dump Source

Source File: 00000004.00000002.2542043862.00000000021E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000004.00000002.2542028563.00000000021E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542064560.00000000021ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.00000000021F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.0000000002233000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_wpnclient.jbxd

Yara matches

Similarity

API ID: Internet$AgentCloseConnectHandleHttpObtainOpenRequestSendStringUser
String ID: Y~?i$Y~?i$Y~?i$p^sw$12$12$12
API String ID: 1741791824-70384390
Opcode ID: 221c78706eb2cb9f590fbee042aaea8fa84bf4d2d1f6f37ff77856a1f21f5638
Instruction ID: 3966837d28a7fbee7a65c4be0536df071be72ff3adcf9a07a7812ad4a3a9f1a3
Opcode Fuzzy Hash: 221c78706eb2cb9f590fbee042aaea8fa84bf4d2d1f6f37ff77856a1f21f5638
Instruction Fuzzy Hash: 30B1B231F847019FDF24ABB8AC5476B76DAAB94650F04092DED57DB380EB71DD408B82

Function 021E5F80 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,00040000), ref: 021E5FDB
RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 021E604A

Strings

p^sw, xrefs: 021E5FAF, 021E5FCE
12, xrefs: 021E5F9A
12, xrefs: 021E600D

Memory Dump Source

Source File: 00000004.00000002.2542043862.00000000021E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000004.00000002.2542028563.00000000021E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542064560.00000000021ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.00000000021F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.0000000002233000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_wpnclient.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID: p^sw$12$12
API String ID: 2488874121-2300862904
Opcode ID: ce418e97d8ccc362fb693106042aa32ff88d61af82ace8ab0afee4eb1d6eb3c8
Instruction ID: e6ebb5d792f3dd29e991d6caa6f3db5bcaa6833111e69694530fd4a04fac6d02
Opcode Fuzzy Hash: ce418e97d8ccc362fb693106042aa32ff88d61af82ace8ab0afee4eb1d6eb3c8
Instruction Fuzzy Hash: E5119070BC46119FCF20AAB97C50B6B6ADBAFD5250B00483DE506DF381EB65DC614BD1

Function 021E31F0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 162
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,0000021C), ref: 021E33D1

Strings

12, xrefs: 021E3390
V<j[, xrefs: 021E33F7
p^sw, xrefs: 021E33C4

Memory Dump Source

Source File: 00000004.00000002.2542043862.00000000021E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000004.00000002.2542028563.00000000021E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542064560.00000000021ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.00000000021F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.0000000002233000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_wpnclient.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: V<j[$p^sw$12
API String ID: 1279760036-1938916030
Opcode ID: 5f6cb0a7dcd273cbdaff1b0331bd4862022ecc19c79a73aa0c4dfc090dc7bca6
Instruction ID: c3d21e775791ee9b632d739d8adf4f3668a19fd259a1dee3fa96e19a764e7d1d
Opcode Fuzzy Hash: 5f6cb0a7dcd273cbdaff1b0331bd4862022ecc19c79a73aa0c4dfc090dc7bca6
Instruction Fuzzy Hash: 4D51C471A847028FCF18DE68988452BBBE6EBD4350F104D6EE463CB391DB71D949CB92

Function 021EA230 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,021E9EA0,00000000,00000000,00000000), ref: 021EA343

Strings

p^sw, xrefs: 021EA2CF, 021EA2EE
12, xrefs: 021EA2BA

Memory Dump Source

Source File: 00000004.00000002.2542043862.00000000021E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000004.00000002.2542028563.00000000021E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542064560.00000000021ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.00000000021F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.0000000002233000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_wpnclient.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: p^sw$12
API String ID: 2422867632-1302981717
Opcode ID: 386bcb630f2881000b3a376ca34e54b9575030ec6668807a4b3a35c58b6a636a
Instruction ID: 62aedb79f2d84ed00f74fb9ddb5b1a8e2bdb999a9a4dc28ddf64ac18b233511f
Opcode Fuzzy Hash: 386bcb630f2881000b3a376ca34e54b9575030ec6668807a4b3a35c58b6a636a
Instruction Fuzzy Hash: BA21A674BC46018FDF14ABB86D51B6F26D6AF41650F204C39E907DF3C0DBA6D8908B82

Function 0059002D Relevance: 4.9, APIs: 3, Instructions: 387
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,00590005), ref: 005900E9
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00590005), ref: 00590111

Memory Dump Source

Source File: 00000004.00000002.2541675452.0000000000590000.00000040.00001000.00020000.00000000.sdmp, Offset: 00590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_590000_wpnclient.jbxd

Yara matches

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID:
API String ID: 2032221330-0
Opcode ID: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
Instruction ID: 2310e154d330a495706e16b0cc2f51a82d237a0ccb4a2f3a620a60fc160fb567
Opcode Fuzzy Hash: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
Instruction Fuzzy Hash: 0FD1CD71A043068FDF24CF69C88476ABBE0FF94318F185D2DE9998B281E774E855CB91

Function 021EA0D0 Relevance: 4.6, APIs: 3, Instructions: 95stringCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00000104), ref: 021EA1A3
QueryFullProcessImageNameW.KERNELBASE(00000000), ref: 021EA1A6
lstrcmpiW.KERNELBASE(?,?,3A5A3511,?), ref: 021EA20B

Memory Dump Source

Source File: 00000004.00000002.2542043862.00000000021E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000004.00000002.2542028563.00000000021E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542064560.00000000021ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.00000000021F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.0000000002233000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_wpnclient.jbxd

Yara matches

Similarity

API ID: Process$CurrentFullImageNameQuerylstrcmpi
String ID:
API String ID: 3605714105-0
Opcode ID: 358f814d937b2337a5bebd78a7107f062f15f7b213aad6b11331da322187ee5e
Instruction ID: e0a6076f0960d60a6f037a9ef8338258941856e1af7ecf3cb59a15144f1c3f94
Opcode Fuzzy Hash: 358f814d937b2337a5bebd78a7107f062f15f7b213aad6b11331da322187ee5e
Instruction Fuzzy Hash: 26310574BC46408FDF38ABB8AC507AB66DAAF84350F01483EE547CF240EB74D8548B91

Function 021E9EA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

FindFirstChangeNotificationW.KERNELBASE(?,00000000,00000001), ref: 021E9F91

Strings

T$_?, xrefs: 021E9F33

Memory Dump Source

Source File: 00000004.00000002.2542043862.00000000021E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000004.00000002.2542028563.00000000021E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542064560.00000000021ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.00000000021F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.0000000002233000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_wpnclient.jbxd

Yara matches

Similarity

API ID: ChangeFindFirstNotification
String ID: T$_?
API String ID: 1065410024-3509241203
Opcode ID: ff8032ed878188886a2121dab1906b709859e4f389478ad0b23358340293ffac
Instruction ID: 2e6b5aafc4b7aaf13de8f580a36d6a5e15b6ba5fc19368e77df46a75b16d4af4
Opcode Fuzzy Hash: ff8032ed878188886a2121dab1906b709859e4f389478ad0b23358340293ffac
Instruction Fuzzy Hash: 1C4191707C4A408FDF18ABB8AD90A7F26D6AF95310B140C29E957CF281EB75D9508B92

Function 021E73C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,?,38CFF007,021E6F11), ref: 021E747A

Strings

12, xrefs: 021E7498

Memory Dump Source

Source File: 00000004.00000002.2542043862.00000000021E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000004.00000002.2542028563.00000000021E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542064560.00000000021ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.00000000021F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.0000000002233000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_wpnclient.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 12
API String ID: 1029625771-2589614596
Opcode ID: 1ad25423882dc010084e7f280141ead48bd6ffb0784380b8838869c36cb3781b
Instruction ID: 9e9306c1565348b13c1c78a6616432a0f72f184e126390338283a96e4afe53ee
Opcode Fuzzy Hash: 1ad25423882dc010084e7f280141ead48bd6ffb0784380b8838869c36cb3781b
Instruction Fuzzy Hash: 8C316664BC4D548AFD78A6A97C5073BD6879F80610F514C6AEA13CF3C5EB64C883C752

Function 021E7320 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,?,38CFF007,021E7540,?,38CFF007,021E6F11), ref: 021E7350

Strings

12, xrefs: 021E736F

Memory Dump Source

Source File: 00000004.00000002.2542043862.00000000021E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000004.00000002.2542028563.00000000021E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542064560.00000000021ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.00000000021F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.0000000002233000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_wpnclient.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 12
API String ID: 1029625771-2589614596
Opcode ID: c0cef8acdd99ad3e317e805ecc7e7ea5e96709d6580bb3d513d588c96f38da49
Instruction ID: ad10185616009c3541c276a62799f42d068aff3b0c95dbf8079c0423fd9a3f58
Opcode Fuzzy Hash: c0cef8acdd99ad3e317e805ecc7e7ea5e96709d6580bb3d513d588c96f38da49
Instruction Fuzzy Hash: A9014F74BC46018FDF54ABB9BC50B6B6ADA9FC1210304487CA916CF381EB35D8918F91

Function 02181D10 Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2541930678.0000000002181000.00000020.00001000.00020000.00000000.sdmp, Offset: 02181000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2181000_wpnclient.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 484c103867eddf166a79845ba69795374893d8e4885a3ecd88cf553068bb42f1
Instruction ID: 34ed492a715408222c1e38e69abfd34f64f27586ec9e0dbf5c74c86c20e99a93
Opcode Fuzzy Hash: 484c103867eddf166a79845ba69795374893d8e4885a3ecd88cf553068bb42f1
Instruction Fuzzy Hash: 5F41E576A40109AFDB04DF44C4D4BAAB7B2FB88314F24C699E8195B355D772EA82CF80

Function 021E5850 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 021E58F1

Memory Dump Source

Source File: 00000004.00000002.2542043862.00000000021E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000004.00000002.2542028563.00000000021E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542064560.00000000021ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.00000000021F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.0000000002233000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_wpnclient.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: d6dde5df1d0d7b5f76248fd510682528fff49ff91e85ae5f9bc5c9de0dca50c8
Instruction ID: 4586b621a931d6864eff8072432522ce2b435270daacb3bbdc701b437bbd1ac3
Opcode Fuzzy Hash: d6dde5df1d0d7b5f76248fd510682528fff49ff91e85ae5f9bc5c9de0dca50c8
Instruction Fuzzy Hash: D4117070A80700ABEB24DBA5DC41F6A77E6BF94704F84482CA5568F1C0EBB4D584CB52

Function 021E4FE8 Relevance: 1.5, APIs: 1, Instructions: 29processCOMMON

Download Yara Rule

APIs

Process32FirstW.KERNEL32(00000000,0000022C), ref: 021E5044
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 021E50F4
CloseHandle.KERNELBASE(?,?,?,?), ref: 021E512C

Memory Dump Source

Source File: 00000004.00000002.2542043862.00000000021E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000004.00000002.2542028563.00000000021E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542064560.00000000021ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.00000000021F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.0000000002233000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_wpnclient.jbxd

Yara matches

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
String ID:
API String ID: 1083639309-0
Opcode ID: c10f97560d84e4cdf419f1fb7d3b450cc9ffa29c5b594d7b4b1f49212bb162d9
Instruction ID: 8fd64805afd140311edd7002b1512332f6b8f9a0a2c8290dbd8c2f2aef1c0292
Opcode Fuzzy Hash: c10f97560d84e4cdf419f1fb7d3b450cc9ffa29c5b594d7b4b1f49212bb162d9
Instruction Fuzzy Hash: 3FF0E5716D0D416E8E385A7C9C4573F26969BA120CF9C4D2AE113CA244EB25C5804BD3

Function 021827B0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 021827D9

Memory Dump Source

Source File: 00000004.00000002.2541930678.0000000002181000.00000020.00001000.00020000.00000000.sdmp, Offset: 02181000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2181000_wpnclient.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 061a936fa3d45b50554c797a4fa40612d35db7f8d1273f73d040243af2e83836
Instruction ID: b19573b7d9535dd06d3f886f09eb078d8e5a53960b6b468e8fb61b8895a6860b
Opcode Fuzzy Hash: 061a936fa3d45b50554c797a4fa40612d35db7f8d1273f73d040243af2e83836
Instruction Fuzzy Hash: 28D09EB5D80208BFD744EFA4DD8AA9EBBB5EB04702F508165E9156B240F7B06B148F92

Function 02181820 Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 0218182F

Memory Dump Source

Source File: 00000004.00000002.2541930678.0000000002181000.00000020.00001000.00020000.00000000.sdmp, Offset: 02181000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2181000_wpnclient.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 179d62c6664bd134bad8de311bd4d8ba7f1022aaa7819590173fbb40ed012723
Instruction ID: b37f910df6b560927f97fa153fec11c0b96d9db2365c6ba30fc8e931abfcdbeb
Opcode Fuzzy Hash: 179d62c6664bd134bad8de311bd4d8ba7f1022aaa7819590173fbb40ed012723
Instruction Fuzzy Hash: 8DC04C7A55420CAB8B04DF98EC94DAB77EDBB8CA10B148548FA1D87200C630F9508BA4

Non-executed Functions

Function 00401D70 Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 147windowCOMMON

Download Yara Rule

APIs

PostQuitMessage.USER32(00000000), ref: 00401D96

Part of subcall function 00401F90: FindWindowA.USER32(WMPlayerApp,00000000), ref: 00401F97

DestroyWindow.USER32(?), ref: 00401D9D
GetSystemMenu.USER32(?,00000000), ref: 00401DA8
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00401DC0
AppendMenuA.USER32(00000000,00000000,00000005,About...), ref: 00401DCC
CreateWindowExA.USER32(00000000,Button,&Show Window,50000000,00000005,00000005,0000007D,00000019,?,00000002,00000000,00000000), ref: 00401DF8
CreateWindowExA.USER32(00000000,Button,&Hide Window,50000000,00000087,00000005,0000007D,00000019,?,00000003,00000000,00000000), ref: 00401E27
CreateWindowExA.USER32(00000000,Edit,Windows Media Player,50800000,0000000F,0000002D,000000EB,00000019,?,00000001,00000000,00000000), ref: 00401E56
CreateWindowExA.USER32(00000000,Button,&Change Caption,50000000,00000048,0000004E,0000007D,00000019,?,00000004,00000000,00000000), ref: 00401E81
ShowWindow.USER32(00000000,00000000), ref: 00401EFB
DefWindowProcA.USER32(?,?,?,?), ref: 00401F0D

Strings

About..., xrefs: 00401DC2
&Hide Window, xrefs: 00401E16
Button, xrefs: 00401DF1, 00401E1B, 00401E7A
Windows Media Player, xrefs: 00401E45
&Change Caption, xrefs: 00401E75
&Show Window, xrefs: 00401DEC
Edit, xrefs: 00401E4A

Memory Dump Source

Source File: 00000004.00000002.2541432357.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2541409691.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2541456929.0000000000405000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2541479704.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2541479704.0000000000474000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_wpnclient.jbxd

Similarity

API ID: Window$Create$Menu$Append$DestroyFindMessagePostProcQuitShowSystem
String ID: &Change Caption$&Hide Window$&Show Window$About...$Button$Edit$Windows Media Player
API String ID: 1675743168-3498740803
Opcode ID: 6fa5b30cb9d90c5671a906c00b49d1a349abe0e32d26c551bf39c42dfad87899
Instruction ID: d2c89a25cf38dd3cc98bce7da6c1abaab37f22b51a640bf9a67e858da95faab1
Opcode Fuzzy Hash: 6fa5b30cb9d90c5671a906c00b49d1a349abe0e32d26c551bf39c42dfad87899
Instruction Fuzzy Hash: 43416271384705BBF630A7649D4AF6B3698EB44F15F204437F701BA2E1D6F9A8408BAD

Function 004020EA Relevance: 16.6, APIs: 11, Instructions: 111COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 00402117
__p__fmode.MSVCRT ref: 0040212C
__p__commode.MSVCRT ref: 0040213A
__setusermatherr.MSVCRT ref: 00402166
_initterm.MSVCRT ref: 0040217C
__getmainargs.MSVCRT ref: 0040219F
_initterm.MSVCRT ref: 004021AF
GetStartupInfoA.KERNEL32(?), ref: 004021EE
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402212
exit.MSVCRT ref: 00402222
_XcptFilter.MSVCRT ref: 00402234

Memory Dump Source

Source File: 00000004.00000002.2541432357.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2541409691.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2541456929.0000000000405000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2541479704.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2541479704.0000000000474000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_wpnclient.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 6ec102433b06512b8c0474839b6dd368cc5f6bc9c2e1b5937cc38a74b614f200
Instruction ID: 87e11df5f4ae46379268185e5a3862cdd04542f6cf5212e8f2ca647c65b29d7f
Opcode Fuzzy Hash: 6ec102433b06512b8c0474839b6dd368cc5f6bc9c2e1b5937cc38a74b614f200
Instruction Fuzzy Hash: EB415DB19016449FDB249FA4DE49AAA7BB8FB09710F20017FE952B72E1C7B84940CF58

Function 021EA460 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 337COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00100000,00000001,00000000), ref: 021EA5D9
GetCurrentProcess.KERNEL32(00000000), ref: 021EA5DC
GetCurrentProcess.KERNEL32(00000000), ref: 021EA5DF

Strings

12, xrefs: 021EA785
p^sw, xrefs: 021EA64F, 021EA66E
12, xrefs: 021EA8BC
12, xrefs: 021EA721
12, xrefs: 021EA63A

Memory Dump Source

Source File: 00000004.00000002.2542043862.00000000021E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000004.00000002.2542028563.00000000021E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542064560.00000000021ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.00000000021F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.0000000002233000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_wpnclient.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: p^sw$12$12$12$12
API String ID: 2050909247-1227802654
Opcode ID: ac3f5c88cd0e0bbe0305cf6bf66e12e0b839a3c5f3bc9f8abbeaf48883918b5d
Instruction ID: 9220c7fc66ba15ca7dce2e57800561afaf511b81bf22d02aed6eaee060359692
Opcode Fuzzy Hash: ac3f5c88cd0e0bbe0305cf6bf66e12e0b839a3c5f3bc9f8abbeaf48883918b5d
Instruction Fuzzy Hash: 2CB1C070BC46018FCE24EBA8AC90A2B7BD6AFC4654F044D2DE947DB341EB34D9518BD2

Function 021814A0 Relevance: 12.2, APIs: 8, Instructions: 171COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F), ref: 021814DB
SetLastError.KERNEL32(0000007F), ref: 02181507

Memory Dump Source

Source File: 00000004.00000002.2541930678.0000000002181000.00000020.00001000.00020000.00000000.sdmp, Offset: 02181000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2181000_wpnclient.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 10e013deadb1f9bf229c52a74ed6805df9d322b444bd7aee096c7110de159fa8
Instruction ID: 1f06810acf53ee7713a07b26d6f219a288d0baa56d80d311e4d58cc4a66f70dd
Opcode Fuzzy Hash: 10e013deadb1f9bf229c52a74ed6805df9d322b444bd7aee096c7110de159fa8
Instruction Fuzzy Hash: 3671D775E40109EFDB08DF94C590BAEB7B2FF48304F648598D55AAB341D774AA82CF90

Function 021EAB40 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 276COMMON

Download Yara Rule

APIs

ProcessIdToSessionId.KERNEL32(00000000), ref: 021EAD50

Strings

12, xrefs: 021EAE5B
bn|4, xrefs: 021EADA4
p^sw, xrefs: 021EAE70, 021EAE8F
12, xrefs: 021EAEDE
bn|4, xrefs: 021EAB4B

Memory Dump Source

Source File: 00000004.00000002.2542043862.00000000021E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 021E0000, based on PE: true

Associated: 00000004.00000002.2542028563.00000000021E0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542064560.00000000021ED000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.00000000021F0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2542080177.0000000002233000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_21e0000_wpnclient.jbxd

Yara matches

Similarity

API ID: ProcessSession
String ID: bn|4$bn|4$p^sw$12$12
API String ID: 3779259828-1273418396
Opcode ID: b4aa0881f1347cbe60282b7e36c94e1c7871bca9b886dc5a543c50211976a485
Instruction ID: 5ada94302d9e551c9bb03677ce4495d87aa753c486fcbf82d39205023b9939ca
Opcode Fuzzy Hash: b4aa0881f1347cbe60282b7e36c94e1c7871bca9b886dc5a543c50211976a485
Instruction Fuzzy Hash: AF91CD74BC46048FCF14EBB8AC90B2F7BD6AF84610B540D29E856CF241EB35DD588B92

Function 00401070 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 0040108C
DestroyWindow.USER32(?), ref: 0040109C
SetDlgItemTextA.USER32(?,000003E8,This program was created in using pure Win32 API (in C++). The purpose of this program is to save both screen memory and taskbar space by hiding the Windows Media Player Window.), ref: 004010B6
DestroyWindow.USER32(?), ref: 004010E0

Strings

This program was created in using pure Win32 API (in C++). The purpose of this program is to save both screen memory and taskbar space by hiding the Windows Media Player Window., xrefs: 004010AB

Memory Dump Source

Source File: 00000004.00000002.2541432357.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2541409691.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2541456929.0000000000405000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2541479704.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2541479704.0000000000474000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_wpnclient.jbxd

Similarity

API ID: DestroyWindow$ItemText
String ID: This program was created in using pure Win32 API (in C++). The purpose of this program is to save both screen memory and taskbar space by hiding the Windows Media Player Window.
API String ID: 396529852-1331625695
Opcode ID: a61dc5f83ef90b811d585fcc311af718773135b45cb18a34e47a048bdf587a9a
Instruction ID: b100099e501738790042682215e8a6d7cad033c4a8bb43f03221d718276c4884
Opcode Fuzzy Hash: a61dc5f83ef90b811d585fcc311af718773135b45cb18a34e47a048bdf587a9a
Instruction Fuzzy Hash: 0DF0AF322142406FC7148B70DA8C92B72D4EBA9701F41CC3AF182E6AE4D73DCC90EB59

Function 02182430 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 02182468
VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 021824B2

Strings

@, xrefs: 02182453

Memory Dump Source

Source File: 00000004.00000002.2541930678.0000000002181000.00000020.00001000.00020000.00000000.sdmp, Offset: 02181000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2181000_wpnclient.jbxd

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: b903d8a8424009bf0318f3dcf00d0873bf5c09273585d8d45b1b7f959a0b44c3
Instruction ID: 6510afc0883a7d2b6d6adec1fa208311483ff8cbb217acceb798b85c76c748fe
Opcode Fuzzy Hash: b903d8a8424009bf0318f3dcf00d0873bf5c09273585d8d45b1b7f959a0b44c3
Instruction Fuzzy Hash: 0021F5B4E44248EFDB05DF98C8C0BADBBB5BF44304F208589D916AB240C374AA80DF61

Function 00401005 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleExA.KERNEL32(00000000,kernel32.dll), ref: 004015A3
VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,?,00000000,kernel32.dll), ref: 004015BB

Strings

kernel32.dll, xrefs: 00401599

Memory Dump Source

Source File: 00000004.00000002.2541432357.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2541409691.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2541456929.0000000000405000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2541479704.0000000000407000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2541479704.0000000000474000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_wpnclient.jbxd

Similarity

API ID: AllocHandleModuleVirtual
String ID: kernel32.dll
API String ID: 2270936652-1793498882
Opcode ID: 5bf35002c93f4facc3e081f7e865f0f685930981354593ef6d5b8ce1566f61f9
Instruction ID: bb32f66759e984ad9a82917001f02bd0d3e76ee526862dde03f538f9ec23572d
Opcode Fuzzy Hash: 5bf35002c93f4facc3e081f7e865f0f685930981354593ef6d5b8ce1566f61f9
Instruction Fuzzy Hash: BCF0A77230132427C614DA555C05BAF6699FBC4B61F14043EFA07F72C0CB749904D3A9

Function 021821A0 Relevance: 5.2, APIs: 4, Instructions: 182COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000014), ref: 021821F9
SetLastError.KERNEL32(0000007E), ref: 0218223B

Memory Dump Source

Source File: 00000004.00000002.2541930678.0000000002181000.00000020.00001000.00020000.00000000.sdmp, Offset: 02181000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2181000_wpnclient.jbxd

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: f0adc8521f86814f0ca6d638a525b9028a966fe21119df7ca3b3d049a29904ae
Instruction ID: 6f267b3e90a8f3ee02276ead7f0d299c1eb63409e3b209ec8c0dc0498b4be083
Opcode Fuzzy Hash: f0adc8521f86814f0ca6d638a525b9028a966fe21119df7ca3b3d049a29904ae
Instruction Fuzzy Hash: 6D81BA74A40249EFDB08DF94C994BAEB7B1FF48314F248198E919AB351C734EA81CF91

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mNtu4X8ZyE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Emotet

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
mNtu4X8ZyE.exe

Function 00401600 Relevance: 121.2, APIs: 54, Strings: 15, Instructions: 458
libraryfileloaderCOMMON

Function 02611030 Relevance: 18.4, APIs: 12, Instructions: 362
libraryloaderCOMMON

Function 02675390 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 248
memoryCOMMON

Function 02678330 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 236
fileCOMMON

Function 02673A20 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 189
fileCOMMON

Function 026786F0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 187
fileCOMMON

Function 00401019 Relevance: 33.2, APIs: 22, Instructions: 157
COMMON

Function 026731F0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 162
memoryCOMMON

Function 0221002D Relevance: 4.9, APIs: 3, Instructions: 387
memoryCOMMON

Function 026773C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109
libraryCOMMON

Function 02674EC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87
processCOMMON

Function 026737E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
fileCOMMON

Function 02677320 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
libraryCOMMON

Function 02676060 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre